Firefox v 3.6.12 allows an attack from a malicious website




8 years ago
8 years ago


(Reporter: lombaeb, Unassigned)


Firefox Tracking Flags

(Not tracked)




(1 attachment)



8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729; .NET4.0C)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729; .NET4.0C)

When visiting the site, Norton Internet Security reported that an intrusion attempt by my pc was stopped. The actor attempting to intrude is listed as Firefox on my pc.

Details provided by Norton Internet Security after visiting

An intrusion attempt by pc-2433239 {my pc} was blocked.
Attacker url:
Destination address:, 3128 {this is our proxy server}
Source address: {this is my pc}
An intrusion attempt by PC-2433239 {my pc} matches the signature of a known attack. The attack resulted from \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE.
Network traffic from matches the signature of a known attack. The attack resulted from \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE

Reproducible: Always

Steps to Reproduce:
1. Visit site (WARNING: ATTACK)
2. After allowing the exploit to pass, Firefox reports 'The connection was reset'.

Actual Results:  
Norton internet security 2010 reports the attack as described above.

Expected Results:  
Firefox should not allow the attack to pass.

Win 7 x64 Enterprise edition, with all updates (2010-11-30)
Norton Internet Security 2010, with all updates (2010-11-30)
Firefox 3.6.12

Comment 1

8 years ago
The original site I wished to visit was

Once visiting this site, it is auto-redirected to the malicious site
The attack site you linked to is now giving a 404, so there's not much we can do with this report.  Normally I would report it as an attack site to the Safebrowsing service which you can also do by visiting this page:
Last Resolved: 8 years ago
Resolution: --- → INCOMPLETE

Comment 3

8 years ago
Created attachment 494135 [details]
Screenshots of Firefox and Norton Internet Secuirty after visiting the attack site

Comment 4

8 years ago
I would like to re-open this bug, since I have again tried visiting the attack site, and still obtain the same behavior:

The behavior is still the same as described in the original posting:
Firefox reports an error loading the page "Connection reset" (looks like error 404), while Norton Internet Security reports that it has blocked an attack from Firefox.

So although it *looks* as if Firefox is unable to load the page, in truth, an attack is launched through Firefox.

I have attached screen-shots from Firefox and Norton Internet Security.
Resolution: INCOMPLETE → ---
Are your plugins up to date? Please visit

Most attacks are through out-of-date plugins rather than firefox itself. It's also hard to tell from this report if Norton detected web code that attempts to do bad stuff (but would not succeed) or if it's detecting the result of a successful attack.

the page at is still giving a 404, maybe it's location aware and not serving malware to the US? I also tried going through in case it's checking referers (we've seen that trick) but didn't get the redirect.

The forums at usually work better for investigating this kind of issue.
Group: core-security

Comment 6

8 years ago
Thanks for the suggestions.

1. After updating all plugins, the issue still occurs.
2. Visiting the attack site directly reproduces the issue (i.e. it is not necessary to be redirected from the site).  This attack site is still active as of 22 Dec 2010.
3. Norton Internet Security now provides additional information on this site and exploit:

According to this information, it seems the attack is aimed at Adobe Acrobat/Reader/Flash. redirects to and comes up as not found. Marking as INVALID as none of the sites exist at this time and because this isn't a bug. The connection reset message is because Norton blocked the page from loading and possible causing damage to your machine, not because Firefox allowed the "attack" to happen.
Last Resolved: 8 years ago8 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.