F-Secure reports:

Proof-of-concept exploits for the popular Mozilla and Firefox web browsers have been posted on public mailing lists. They target the following vulnerabilities:

– Code execution through favicons link
– Arbitrary code execution from Firefox sidebar panel

These exploits allow the attacker to run arbitrary commands on Firefox before version 1.0.3 and Mozilla before version 1.7.7.

We advice all Mozilla and Firefox users to immediately patch their browsers. Otherwise you might get nasty stuff happen on your computer just by surfing to the wrong site.

For those who know what this means, it’s blood-curdling news. A proof of concept is code that exploits a vulnerability. From that code, it’s a short step to actually creating a hostile exploit that installs a virus or Trojan horse on an unpatched computer. (Oh, and forgive the grammatical errors in the F-Secure announcement. They’re based in Finland and English is obviously a second language. Their expertise in combatting viruses is, however, second to none.)

There’s a little tiny icon in the upper right corner of the Firefox window, just below the Minimize / Maximize / Close buttons, that is supposed to alert you when an upgrade is available. The most current version is 1.0.3, and the little icon has been visible now for a couple of days, with no additional warning of any kind. In my opinion, the Firefox alert icon is way too subtle. How many people had Firefox 1.0 installed on their computer by a friend or family member over the holidays and don’t realize there have been three critical updates since then?

Curiously, the Mozilla Security Center includes no mention of the two most recent updates. As of today, the announcement at the top of the page reads:

Mozilla Foundation Announces Update to Firefox (February 24, 2005) All users should upgrade to Firefox 1.0.1, a security update to Firefox 1.0. …

And yet… The Mozilla Foundation Security Advisories page, which is linked from the Security Center, lists both Firefox 1.02 (released March 23), which fixes one critical security issue, and Firefox 1.03 (released April 15), which fixes three separate critical security issues, including the two that now have exploit code in the wild.

There’s no question that the Mozilla/Firefox team is taking their responsibility seriously, but the update mechanism is not working properly for a software program that is intended for use by the masses.

Earlier today I posted an item about the “link prefetch” feature recently introduced in Firefox and used by Google for all searches run using Firefox.

To see exactly how this works, I performed a simple experiment.

First, I completely deleted the contents of the Cache folder in my Firefox profile. I left the directory window visible on the screen, opened Firefox, and went to the Firefox home page. After it finished loading, I refreshed the contents of the Cache folder window and observed that there were now a few small files there.

Next, I created a simple HTML page consisting of a single sentence. That sentence contained a hyperlink to a large (2.56MB) executable file on a third-party Web site. In the source code for the page I created, just before the hyperlink, I added a LINK tag using the REL=”prefetch” type, as documented in the Mozilla Link Prefetching FAQ. I uploaded this page, which was 369 bytes in size, to my Web site.

Finally, I returned to Firefox and typed in the URL of the test page I created. My tiny page loaded immediately, and over the course of the next few seconds I watched one file in the Cache folder grow to approximately 2.6MB in size. When I clicked the link to the executable file on my test page, the Firefox Downloads window appeared and almost instantly displayed the message that the download was complete. That’s not surprising, because the executable file was already in my cache.

Let me repeat that: I clicked on a link in one page, and Firefox silently, without any indication to me, downloaded a large executable file in the background and placed it in my browser’s cache.

I repeated the experiment with a much larger executable file (10MB) from a different third-party Web site, using a completely clean Firefox profile. Same result.

If you were to click on the link to my test page using Firefox, that executable code would be on your computer, downloaded from a site you never chose to visit. Now, let me be clear: That code isn’t an immediate danger. There’s no way I’m aware of for it to execute. At least not now. But if I were a bad guy, I’d be working my tail off to figure out how to get that code to execute – or to trick you into running it. I’d also be looking at other creative ways to exploit the fact that I can get you to download scripts and other content from a third-party site that you never even realized you visited. And I would surely be thinking of how I could get my pages to appear at the top of a Google search window, where they would automatically be prefetched by Firefox.

This is not a good thing.

Update: In a comment to my previous post, Alex Halderman, a PhD student in computer science at Princeton, notes that the privacy issue is a legitimate one but the security issue is less worrisome than I might fear. He writes:

There are lots of ways a site can cause your browser to load a page from another site without your knowledge: JavaScript tricks, hidden frames, etc.  For legitimate uses, prefetching is preferable to these other methods, since the browser can be smart about only prefetching during idle periods.  Disabling the prefetch feature will preclude these benefits without actually preventing malicious sites from loading remote pages.

On the other hand, well intentioned sites like Google need to be careful about what prefetching they cause for precisely the reasons Ed cites.  Google’s users trust it not to place embarrassing content in their caches or to connect their browsers to disreputable sites.  Google says only certain sites are prefetched, and I’ll bet these concerns enter into their selection algorithm.

Prefetching is also unlikely to exacerbate a vulnerability that “allows code to be executed automatically from a page that triggers a buffer overflow or exploits an unpatched scripting exploit.” The prefetched page is not rendered and any scripts it contains are not interpreted until the user actually follows a link to it.  Only the HTTP and caching code is exposed to the prefetched data, and these relatively simple modules are less likely to contain exploitable holes.

I missed the part where Google says only certain sites are prefetched. I’ll have to look more closely at that.

Update 2: OK, I looked at the Google FAQ for Webmasters, which says, “Google only inserts this tag when there is a high likelihood that the user will click on the top result, but clearly this heuristic is not right 100% of the time.” I don’t see anything that suggests any concern for the privacy of the user or whether the content in the top-rated link is work-safe.

Update 3: Some interesting discussion of the issue here.

The Washington Post has just rolled out a new blog, Security Fix. In one of the first posts, Brian Krebs describes an e-mail he received recently, which was forwarded by someone who was concerned about phishing scams:

The phishing e-mail my contact sent tried to hijack my computer in addition to directing my browser to a Web site designed to look like it was operated by a small British bank. After I got done yelling at him for sending this little nastygram without warning me, I got to looking at it a bit more closely.

In this particular phishing scam, simply clicking anywhere in the HTML e-mail caused my Firefox browser to begin downloading a file while the fake site loaded in the background. Needless to say, I killed the download immediately.

I wish Brian had provided more details, but in any event this doesn’t sound like a good thing.

Oh, and kudos to the WaPo for putting the full text of this blog in their RSS feed.