• UID1379

I never repost news, but I'll try something new this time and repost one: <Attack code appears on the Internet, affecting three

Posted: 2005-09-27 12:36
http://www.cnetnews.com.cn/news/net/sto ... 062,00.htm

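Original article, copyright CNET Technology News (formerly the ZDNet China news channel). Reproduction without permission is strictly prohibited, and the content does not constitute investment advice.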

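This code still exploits the long-since-fixed IDN vulnerability, so Mozilla is urging users to upgrade as soon as possible to the latest versions, Firefox 1.0.7 and Mozilla 1.7.12, which have already fixed the vulnerability. AOL Netscape, which is based on Firefox, has not yet been fixed.
Just set up a blog for Firefox & Opera only: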
  • UID6047
Posted: 2005-09-27 12:36
I saw this earlier; upgrading to 1.07 is absolutely necessary.

washingtonpost.com weblog Security Fix is reporting that an exploit for a Mozilla security bug has been released. The PwnZilla 5 code takes advantage of the international domain name (IDN) link buffer overflow flaw, details of which were published earlier this month. The weblog post says that the exploit code "could let attackers take complete control over computers cruising the Web with unpatched versions of the Firefox Internet browser". Previous public exploits for the vulnerability have been basic proof-of-concepts that simply crash the browser.

The exploit, created by Berend-Jan "SkyLined" Wever, can be used against vulnerable versions of Mozilla Firefox, the Mozilla Application Suite and Netscape Browser 8. The latest Firefox 1.0.7 and Mozilla 1.7.12 releases, which have been made available over the past few days, are not affected as they both include a fix for the flaw. However, there is no fix available for Netscape Browser 8 (currently on version, though the exploit apparently works less reliably with this browser.

Security Fix author Brian Krebs says that "the code is designed to be embedded in a Web site so that anyone computer (sic) visiting the evil site with Firefox or Netscape would open up a line of communication with another Internet address of the attacker's choice, effectively letting the bad guys control the victim computer from afar." He cites the French Security Incident Response Team (FrSIRT) as the source for this analysis but FrSIRT's copy of the PwnZilla 5 code does not appear to include this information.

Exploit author SkyLined credits several people with assisting him in the creation of PwnZilla 5. In his description of the code, he says, "Since Netscape has not replied to reports about this vulnerability I've chosen to release it." However, he goes on to qualify this by stating that the exploit is optimised for Firefox (which has a fixed version available) and rarely works with Netscape (which does not).

Any Firefox 1.0.x and Mozilla 1.x users who have not upgraded to versions 1.0.7 and 1.7.12 respectively are advised to do so immediately (see our article on the release of Firefox 1.0.7 and our article on the release of Mozilla 1.7.12 for more details). It should be noted that Firefox 1.5 Beta 1 is vulnerable to the flaw, so users should either revert to an end-user release of Firefox (that is, 1.0.7) or update to a more recent Firefox nightly build from the 1.8 branch. SeaMonkey 1.0 Alpha is not affected by the vulnerability (but the Linux version is at risk from the Linux command line URL parsing security bug).

Last week, CNET News.com warned that hackers were probably working on exploits for the IDN flaw. The vulnerability was originally reported to the Mozilla Foundation by Tom Ferris, who elected to make it public before fixed versions of Firefox and the Mozilla Application Suite were released. SecurityProNews reporter John Stith interviewed Tom Ferris about the IDN vulnerability last week, providing more insight into why Ferris chose to publish details of the flaw. Stith's article states: "He [Ferris] also commented that when he initially submitted all his information to Mozilla, they seemed at odds and he felt put out by them... Microsoft has always 'treated him more like a professional.' He said he felt the folks over at Mozilla treated him more like a kid."