User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Various builds, including 1.0.6 Windows and Linux

There are several reports (e.g., http://www.dslreports.com/forum/remark,14196120~mode=flat ) of users visiting a Web site, and immediately or shortly thereafter, either ProcessGuard or ZoneAlarm alerts the user to an attempt by file asdf.exe to access the Internet. The reports appear to be credible. Because the users are alerted immediately, some were able to check the time stamp on the file and determine what site they were visiting, and determine that no other Internet program except Fx was running.

The file is a downloader, which attempts to retrieve 188.8.131.52/rm/w.exe (according to http://www.dslreports.com/forum/remark,14196120~days=9999~start=60 , message posted 8-28-2005 at 07:19).

There is one report of Fx 1.0.6 on a currently patched Win XP system ( http://forums.mozillazine.org/viewtopic.php?t=310439 , see messages of 8-28-2005, 20:58 and 21:40), and another report of Fx 1.0.6 on SuSE Linux ( http://www.dslreports.com/forum/remark,14196120~days=9999~start=20 8-25-2004 at 16:33, 8-26 at 14:46, and 8-28 at 16:28 and 17:44). On version 1.0.6, Win XP, "Allow websites to install software" was reportedly not checked. Other users confirm that installation of software was not enabled.

Other, mostly fragmentary reports can be found by Googling firefox asdf.exe .

Reproducible: Didn't try

Steps to Reproduce:
File is thought to have come from an ad in theonion.com and other sites. Users report that they did not click on the other ad or take any other action to initiate download.

Actual Results:
File asdf.exe downloaded to C:\, and executed if on Windows. File attempts to download one or two other files, "w.exe" and possibly "1.exe", from the Internet. File asdf.exe has also been reported in file 77dwr6zp.zip, but method of download was undetermined.

Expected Results:
No download or execution of file.
This is a stub for downloading malware.
My first thought is "Is Java installed and enabled, and if so what version is it?" We've seen trojans attack down-rev java in the past.
That was my first thought too. From http://www.dslreports.com/forum/remark,14196120~mode=flat: "I am fairly sure java did not start. I can usually tell when that starts up due to the long pause. But it is 1.4.1_01, anyway."
Also, he was using Firefox 1.0.3, which has publicly known security holes (http://www.mozilla.org/projects/security/known-vulnerabilities.html).
Since the exploit is in the wild and people are discussing this in public, I'm making this bug public too.
As a matter of fact, the two reports for version 1.0.6 both report having Java enabled.
Java is enabled by default, so that isn't surprising. Do you know what versions of Java they were using, or can you ask them?
(In reply to comment #6)
> Java is enabled by default, so that isn't surprising. Do you know what versions
> of Java they were using, or can you ask them?

There's no word for the Linux system. The Windows user reports Java 2 Runtime Environment, Standard Edition 1.3.1; Default Virtual Machine Version 1.3.1.b24; Java Plug-In 1.3.1_02. There is a Sun advisory: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1 .
(In reply to comment #7)
> OK, tried it first on an old but fully patched XP system. ...Reloaded 10 times, but nothing happened.

The exploit is thought to have come from an ad that is no longer on the site.
The Linux user reports having used Java 1.4.2.04. Since a known Java flaw could have been responsible for every incident, there is no evidence against Fx. Assuming I am able to, I'm happily marking this bug INVALID. There is one thing to be concerned about, however. By default Fx will run whatever version of Java is installed. That means that Firefox will run an insecure program without any warning. Firefox users do not receive any warning, and it's rare for users to be aware of the problem.
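The comment above closes the bug because every affected system reported a down-rev Java plug-in, and notes that Firefox gives no warning about the installed Java version. The following is an added example (not code from the bug or from Mozilla) of the triage check a responder would run over such reports: it parses the Sun-era version strings quoted in this thread ("1.3.1_02", "1.4.1_01", "1.4.2.04", "1.3.1.b24", which mix underscore and dot before the update number) into comparable tuples and flags each system whose release is older than a per-family baseline. The baseline `ASSUMED_MINIMUM` is a placeholder assumption, not a value taken from the Sun advisory; the list of reported systems is constructed from the versions the thread mentions.

```python
import re
from typing import Dict, List, Tuple

VersionTuple = Tuple[int, int, int, int]

# Accepts the release strings quoted in this bug: "1.3.1_02" and "1.4.1_01"
# (update after an underscore), "1.4.2.04" (update after a dot, as the Linux
# user wrote it) and "1.3.1.b24" (a build tag, which is ignored for ordering).
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)"            # major.minor
    r"(?:\.(\d+))?"             # .micro
    r"(?:[._](\d+))?"           # _update or .update
    r"(?:[._-]b\d+)?$"          # optional build tag such as .b24
)


def parse_java_version(text: str) -> VersionTuple:
    """Turn a JRE/plug-in version string into a comparable (major, minor, micro, update) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro or 0), int(update or 0))


def is_down_rev(installed: str, minimum_by_family: Dict[Tuple[int, int], str]) -> bool:
    """True when the installed release is older than the baseline for its major.minor family.

    A family with no baseline at all (e.g. 1.3.x when only 1.4.x is listed) is
    treated as down-rev unless it is newer than every listed baseline.
    """
    v = parse_java_version(installed)
    baseline = minimum_by_family.get(v[:2])
    if baseline is None:
        newest_baseline = max(parse_java_version(b) for b in minimum_by_family.values())
        return v < newest_baseline
    return v < parse_java_version(baseline)


# PLACEHOLDER baseline: an assumption made for this example, not a value taken
# from the bug or from Sun Alert 57591. Replace with the fixed releases the
# vendor advisory names.
ASSUMED_MINIMUM: Dict[Tuple[int, int], str] = {(1, 4): "1.4.2_08"}

# Constructed from the versions quoted in the thread, one entry per reported system.
REPORTED_SYSTEMS: List[Tuple[str, str]] = [
    ("Win XP, Fx 1.0.6 (Java Plug-In)", "1.3.1_02"),
    ("Win XP, Fx 1.0.6 (Default VM)", "1.3.1.b24"),
    ("SuSE Linux, Fx 1.0.6", "1.4.2.04"),
    ("Fx 1.0.3 reporter", "1.4.1_01"),
]


def triage(reports=REPORTED_SYSTEMS, minimum_by_family=ASSUMED_MINIMUM) -> List[Tuple[str, str, bool]]:
    """Return (system, version, down_rev) for each report so the question in the thread
    ("was every affected machine running an old Java?") can be answered at a glance."""
    return [(name, ver, is_down_rev(ver, minimum_by_family)) for name, ver in reports]


if __name__ == "__main__":
    for name, ver, flagged in triage():
        print(f"{'DOWN-REV' if flagged else 'ok      '}  {ver:<10} {name}")
```

The tuple comparison is what makes this useful in practice: a naive string comparison would rank "1.4.2.04" against "1.4.2_08" by the separator character rather than by the update number, and would not notice that "1.3.1.b24" carries no update field at all.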
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → INVALID
See bug 271559, "Countermeasures for Java/plugin/extension vulnerabilities (disable, warn)".