Mozilla praised for quick patch for zero-day vulnerability, as Nobel Peace Prize site hacked to distribute malware

News by Dan Raywood

Mozilla has been congratulated for a quick turnaround on a patch for a Firefox vulnerability, despite the Nobel website being hacked due to the flaw.


Mozilla said on Tuesday afternoon that it was aware of a critical vulnerability affecting Firefox 3.5 and Firefox 3.6, and that it had received reports from several security research firms that exploit code leveraging this vulnerability had been detected in the wild.

This vulnerability may have allowed an attacker to execute arbitrary code on a visitor's machine. However, a fix for this vulnerability was released for Firefox and Thunderbird users just over 24 hours later.

Among the sites hit was the official website of the Nobel Peace Prize. Jonathan Leopando, technical communications spokesperson at Trend Micro, said that the website appeared to have been compromised with a malicious PHP script, which it detected as JS_NINDYA.A.

He said: “However, for some reason or another the cyber criminal behind this attack has chosen to limit the scope of the vulnerability. Using browser headers, the exploit checks both the Firefox version and the operating system used.

“According to Mozilla, the underlying flaw is present in both Firefox 3.5 and 3.6, but only recent versions of 3.6 were targeted by JS_NINDYA.A. In addition, if the user is running newer versions of Windows (such as Vista, Windows 7, Server 2008 and Server 2008 R2), the exploit will not be triggered either.

“The exploit downloads a backdoor onto user systems, detected as BKDR_NINDYA.A. It connects to one of the remote malicious servers, which is used by a cyber criminal to send various commands to the system. These commands include shutting down the affected system, as well as deleting all files on the system. Saying this could cause problems would be an understatement.”

Websense also detected this, calling the infection ‘a classic drive-by vulnerability’. Looking at the Nobel interception, it said that the attacker used multiple iframe redirections on the same compromised site, with the last link in the chain pointing to a dynamic DNS provider to get to the malicious page.

Its initial analysis showed that the attacker references an object in the web page that has been removed, leaving the reference pointing to an invalid memory space. The malicious code uses a heap spray technique to exploit the vulnerability and run arbitrary code on the user's computer.
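The chained-iframe pattern Websense describes is something a site owner can check for on their own pages. The following is an added example, not code from the article, Trend Micro, Websense or Mozilla: it walks a chain of iframe redirections through a set of constructed HTML pages, flags iframes that are hidden from the visitor, counts the hops, and reports when the final hop lands on a dynamic-DNS hostname. The page contents, URLs and the dynamic-DNS suffix list are all constructed for the example; a real scanner would fetch pages over HTTP and use a maintained provider list.

```python
"""Follow iframe redirection chains in a set of HTML pages and report
drive-by indicators: hidden iframes, multi-hop chains, and a final hop
on a dynamic-DNS host.  Everything below is constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for a real dynamic-DNS provider list (assumption).
DYNAMIC_DNS_SUFFIXES = (".dyn-example.test", ".ddns-example.test")


class IframeCollector(HTMLParser):
    """Collects the src of every <iframe>, noting whether it is visually hidden."""

    def __init__(self):
        super().__init__()
        self.iframes = []  # list of (src, hidden)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (
            a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style
        )
        self.iframes.append((src, hidden))


def extract_iframes(html):
    """Return [(src, hidden), ...] for every iframe in the HTML."""
    p = IframeCollector()
    p.feed(html)
    return p.iframes


def is_dynamic_dns(url):
    """True if the URL's hostname ends with a known dynamic-DNS suffix."""
    host = urlsplit(url).hostname or ""
    return host.endswith(DYNAMIC_DNS_SUFFIXES)


def follow_iframe_chain(pages, start_url, max_hops=10):
    """Follow the first iframe on each page starting at start_url.

    `pages` maps absolute URL -> HTML (constructed here; a real scanner
    would fetch).  Returns (chain_of_urls, list_of_findings)."""
    chain = [start_url]
    findings = []
    current = start_url
    seen = {start_url}
    for _ in range(max_hops):
        html = pages.get(current)
        if html is None:  # off-site hop we did not fetch
            findings.append(f"external hop not fetched: {current}")
            break
        iframes = extract_iframes(html)
        if not iframes:
            break
        src, hidden = iframes[0]
        nxt = urljoin(current, src)
        if hidden:
            findings.append(f"hidden iframe on {current} -> {nxt}")
        if nxt in seen:
            findings.append(f"iframe loop at {nxt}")
            break
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    if len(chain) > 2:
        findings.append(f"{len(chain) - 1}-hop iframe redirection chain")
    if is_dynamic_dns(chain[-1]):
        findings.append(f"final hop on dynamic-DNS host: {chain[-1]}")
    return chain, findings


# Constructed sample: a compromised page with a zero-size iframe that leads,
# via a second hidden iframe, to a host on a dynamic-DNS domain.
SAMPLE_PAGES = {
    "http://compromised.example/index.html":
        '<html><body><h1>Prize</h1>'
        '<iframe src="/include/ad.html" width="0" height="0"></iframe></body></html>',
    "http://compromised.example/include/ad.html":
        '<iframe src="http://payload-host.dyn-example.test/x.html" '
        'style="display: none"></iframe>',
}

if __name__ == "__main__":
    chain, findings = follow_iframe_chain(SAMPLE_PAGES, "http://compromised.example/index.html")
    print(" -> ".join(chain))
    for f in findings:
        print("  *", f)
```

Only the first iframe on each page is followed, which is enough to expose a redirection chain; a production scanner would branch on every iframe and also parse script-inserted iframes, which this HTML-only parser does not see.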

Leopando said that, checking the Nobel site after the patch was released, Trend Micro found that the website had already been cleaned up.
