Closed Bug 1162862 Opened 10 years ago Closed 10 years ago

Vulnerability in JSRuntime that Shuts down firefox, explorer.exe and userinit.exe (Possibly plugin-container)

Categories

(Core :: General, defect)

37 Branch
x86_64
Windows 7
defect
Not set
critical

Tracking

()

RESOLVED INCOMPLETE

People

(Reporter: jd2978, Unassigned, NeedInfo)

Details

(Keywords: reporter-external)

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36

Steps to reproduce:

I was just browsing the web looking where you could buy postcards. I am going through Google Search Results, and a program stops an attempted exploitation of some component of JavaScript (JSRuntime). Firefox force closed, explorer.exe force closed and had to be restarted through the task manager.

Actual results:

The code targeted: [each at certain targeted memory addresses]
firefox.exe
explorer.exe
userinit.exe

Firefox.exe force closed, explorer.exe force closed and had to be restarted through the task manager. The plugin-container also crashed. It may have been an exploit through one of those. If it is, please let me know so that I may notify the proper vendor myself. Code was in Binary/Hex.

Expected results:

Nothing. It escaped the sandboxed plugin container and shut down 2 system components.

Attached are screenshots, detection log and a list of sites visited during that Firefox session. I tried to be as complete as possible.
Attached image Screenshot w/ WER crash
OS: Unspecified → Windows 7
Hardware: Unspecified → x86_64
Severity: normal → critical
Flags: sec-bounty?
Product: Firefox → Core
Be careful with clicking the links: 1-3 are malicious. They are on page 3 and likely were the source (the one marked malicious).

Sorry for the repeated comments. I forgot to mention, I copied and pasted some stuff from about:memory into Notepad text files. If these become necessary, please let me know. The site pushing exploits could be the source and only by speculation it may somehow be related to Bug 1158650 (https://bugzilla.mozilla.org/show_bug.cgi?id=1158650).

If you need any further information please let me know. I will respond as soon as reasonable. I am a college student and work at the moment, but will do everything I can. Please let me know if anyone can reproduce (use a VM) or I can provide you with a link to a trial of the security software I was using.

I provided additional info to the bug that may be related (1188650).

Plugins installed at the time of this incident were:

Adobe Flash Player Shockwave Flash 17.0 r0 Up to Date 17.0.0.169
Nitro PDF plugin for Firefox and Chrome (v. 3.5.6.5) Nitro PDF plugin for Firefox and Chrome
Microsoft Office 2013 (v. 15.0.4703.1000) The plugin allows you to have a better experience with Microsoft Lync
Citrix Online Web Deployment Plugin 1.0.0.104 (v. 1.0.0.104) Citrix Online App Detector Plugin
Sticky Password (v. 8.0.3.33) Autofill Engine for Gecko and Webkit-based web browsers
Google Update (v. 1.3.26.9) Google Update

Does anyone have the time to explain exactly what this malicious code attempted to do (email)? It would be greatly appreciated.
Need info as per bug 1158650.
Flags: needinfo?(jd2978)
Marking incomplete, not enough info.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INCOMPLETE
Flags: sec-bounty? → sec-bounty-
Group: core-security → core-security-release
Component: Untriaged → General
Group: core-security-release