0-day bug detected in Firefox 3.5 & 3.6

[![](http://3.bp.blogspot.com/_A8fllzIwp8c/TMzcq3SgaiI/AAAAAAAAAOI/bQJrR8v0BnY/s1600/Untitled.jpg)](http://3.bp.blogspot.com/_A8fllzIwp8c/TMzcq3SgaiI/AAAAAAAAAOI/bQJrR8v0BnY/s1600/Untitled.jpg)A 0-day security flaw in Firefox 3.5 & 3.6 was detected on October 26th, when a number of compromised websites have started to plant malware on users’ computers after visiting a specially-crafted webpage. The exploit code was written in JavaScript and was uploaded on http://l-3com.[removed]-work.com/admissions/admin.php. Some high-profile websites, including the Nobel Prize webpage, were compromised by iFrame injections which led the users towards the exploit. This specially-crafted JavaScript file includes distinct payloads for Firefox versions ranging from 3.6.8 to 3.6.11, which trigger a use-after-free error, which means that the code will try to use a portion of the memory after it has been freed. This technique, although not revolutionary, has also been used in the IE8 Exploit in January, commonly known as Operation Aurora.

As the malicious page is visited, the JavaScript code checks both the operating system and the browser version and populates a specific area of the memory with two distinct payloads.

The former differs from one version of the browser to another and is aimed at triggering the exception in the browser, while the latter is identical for every version of the navigator and will execute the malicious file. If the user reaches the compromised page using a different browser or a Firefox version that is not vulnerable, the script will redirect the user to an about:blank page.

Successful exploitation will download a file called svchost.txt, an infected binary file that will be subsequently renamed as svchost.exe and executed on the victim computer. This specific piece of malware is detected as Backdoor.Belmoo.A, and allows a remote attacker to take control over the infected system.

Firefox has also issued an update from 3.6.11 to 3.6.12 which is no longer vulnerable to this type of exploit. In order to stay safe, you are advised to update your browser and your local antivirus solution. BitDefender antivirus blocks access to the malformed web page before it gets to execute any code.