“We knew about Java’s ‘Write once, run everywhere’ mantra, which very quickly turned into jokes like ‘Write once, pwn everywhere,’” said Jerome Segura, a malware researcher at Malwarebytes, in a blog. “But with the latest Firefox zero-day, Oracle isn’t the only one that faces this problem.”
Firefox, much like Java, can be found across various platforms, and it’s also a popular choice for Linux users.
“Not too surprisingly, this prompted an almost immediate reaction from the Tor Project to advise people [to stop] using Microsoft’s operating system,” Segura said. “While there is some truth in there, would it really be enough? Case in point, this specific Firefox vulnerability is actually cross-platform.”
Although testing shows that code execution only seems to happen on Windows machines, the exploit can cause the browser to crash on Apple’s Mac OS X.
The issue highlights an ongoing problem for software developers in supporting multiple versions of a platform with up-to-date bug fixes, Segura said. This in turn means added pressure on enterprise IT staff to update machines en masse, an often Herculean task in today’s resource-constrained times, which makes for a less secure workplace.
“While Mozilla has adopted a fast release cycle with automatic updates, people can be running older (but still supported) versions, as is the case with this Firefox 17 Extended Support Release (ESR),” he said. “Having to maintain multiple versions is probably one of software developers’ worst headaches. The reality is that many enterprises cannot readily upgrade that often due to many applications’ constraints to particular configurations. This is definitely an issue, as software vendors will naturally tend to focus their efforts on the latest version of the software they make, and that includes bug fixes and security improvements.”
As background, it should be noted that the Tor Browser (a cross-platform, privacy-centric interface) uses Firefox. Tor’s ability to allow for anonymity provides an unfortunate haven for criminals, and this is at the center of publicity around the exploit, which is making headlines because it appears to be part of an operation to uncover the identity of people using the Tor Browser to view child pornography. As Infosecurity previously reported, the FBI is looking to extradite a criminal they call the “largest child-porn dealer on the planet” using information uncovered from Tor.
Segura found that the code was not “just your run-of-the-mill exploit, but a zero-day that affected a specific version of Firefox, one that happened to be bundled in the Tor Browser.” He added, “More clues came after analysis of the shell code revealed that there was no malicious payload to this exploit, but one very distinct feature: a request to a server hosted in the US fetching the victim’s real IP address. If you add all these elements together, this looks like a law enforcement operation, although we might never know for sure.”
While the zero-day exploit may have been developed to catch alleged criminals, Segura warned that there could very well be unintended consequences to its use.
“The Tor Browser is used around the world by all sorts of people who wish to remain anonymous online. In several countries with oppressive regimes, it is the only way for dissidents to browse the Internet freely and not risk going to jail,” Segura said in a separate post. “It is only a matter of time before the code is grabbed by malware authors and added to mainstream exploit kits.”
This threat is highlighted by the newly discovered cross-platform nature of the exploit. And while this zero-day does not affect users running the latest version of Firefox, many people still are on previous releases.
Segura continued: “While taking down pedophiles should be applauded, does the end justify the means? What about innocent users that may have been caught in the cross fire and face possible legal consequences for browsing to other ‘legal’ hidden websites that were poisoned with that malicious code? Or security researchers simply studying the exploit code?”