[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] FireFox: Lab Mouse Security: Remote Code Execution via Browser (LZO)

To: Lee <curtlee2002@xxxxxxxxx>
Subject: Re: [FD] FireFox: Lab Mouse Security: Remote Code Execution via Browser (LZO)
From: Nick Boyce <nick.boyce@xxxxxxxxx>
Date: Thu, 10 Jul 2014 17:20:41 +0100

On 9 July 2014 18:50, Lee <curtlee2002@xxxxxxxxx> wrote:

> I know nothing about this, but some friends kept posting a link to this
> video.  I saw nothing about this in the mailing list, so I thought I would
> post it to see if others have more info.
> https://www.youtube.com/watch?v=BcCDETzk4zc

Well the video is allegedly uploaded by Don Bailey, who is the person
who did the LZO/LZ4 bug research that was recently responsibly
reported on the OSS list(s).  And I did notice at the time that one of
the postings [1] in the ensuing discussion, from Yves-Alexis Perez,
gave a list of potentially affected open-source software which had
been identified by a source-code-scanning service.  That list included
Firefox ... and since then I've been holding my breath waiting for the
other shoe to drop.

Maybe this is that other shoe.

I know nothing about the Firefox source-code, or where exactly the
vulnerable use of LZO/LZ4 might be.

But it's odd that there hasn't been a peep out of Mozilla (e.g. no
emergency release announced for ESR or any other channel), despite the
vulnerability having been disclosed responsibly on private vendor
mailing lists, with a patch available, and plenty of time to
coordinate binary releases.

Hey - maybe the bug is real, but the Youtube clip was uploaded by a
Bad Guy pretending to be Don, and all those of us (367 at time of
writing) who viewed the clip are now pwned :-)

Dammit - if only we'd all signed up for keybase.io's weirdo
GPG-key-identifying service [2] then we could all have known whether
Youtube Don is really LZO Don ...

Exciting times.

[1] http://seclists.org/oss-sec/2014/q2/676
[2] http://seclists.org/fulldisclosure/2014/Jun/102

Cheers
Nick
-- 
Blessed are the peacemakers...for they shall be shot at from both sides.
 ~~ A.M. Greeley

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Follow-Ups:
- Re: [FD] FireFox: Lab Mouse Security: Remote Code Execution via Browser (LZO)
  - From: Brandon Perry

References:
- [FD] FireFox: Lab Mouse Security: Remote Code Execution via Browser (LZO)
  - From: Lee

Prev by Date: [FD] Dell Scrutinizer 11.01 multiple vulnerabilities
Next by Date: [FD] Is the era of ezine txt files over?
Previous by thread: [FD] FireFox: Lab Mouse Security: Remote Code Execution via Browser (LZO)
Next by thread: Re: [FD] FireFox: Lab Mouse Security: Remote Code Execution via Browser (LZO)
Index(es):
- Date
- Thread