
CVE-2017-5428 aka MFSA-2017-08 is an integer overflow vulnerability in Mozilla Firefox. It was reported through the Pwn2Own contest, and corrected in Firefox 52.0.1.

This article describes it as a zero-day vulnerability, but I thought Pwn2Own used a coordinated disclosure policy? The Mozilla bug isn't open yet, and I can't find exploit information anywhere else, but perhaps I just don't know where to look.

Do we need to panic (so to speak) or can we treat 52.0.1 on the same urgent-but-don't-panic basis as every other web browser security update?

Anders
Harry Johnston
    It was a zero-day within the context of the Pwn2Own exercise, meaning it was used there and then the details were immediately, privately disclosed to Mozilla. I guess one could make an argument that a zero-day should have to be used "in anger" --meaning used by bad guys or pen testers against targets in the wild-- to really count as a "zero-day". But that would just add one more item of basically pointless linguistic semantics surrounding that term to debate about. – mostlyinformed Mar 29 '17 at 11:27
  • @mostlyinformed, I disagree, the question of whether the vulnerability is or might be used in actual attacks is exactly what makes the category useful, from a system administrator's perspective, at any rate. But I guess your definition may be the more useful from an attacker's perspective, so it makes sense that people would start using it that way. That viewpoint is helpful, thanks. – Harry Johnston Mar 29 '17 at 19:56

2 Answers


Zero-day is not a useful categorisation for assessing risk. In terms of risk what matters is:

  • Is this bug being actively exploited in the wild?
  • How widespread is the knowledge of this bug?
  • How hard would it be to reproduce an exploit of this bug, given the publicly available knowledge of it?

The new version of Firefox is available, so knowledge of this bug has been published (at least the source code changes required to fix it). I don't have knowledge of how hard it would be to reproduce the exploit.

The urgency with which you should patch depends on your expected adversaries: are you of interest to governments or organised criminals? If so, update now. If not, follow your normal process for security updates.

When the bug was used in Pwn2Own the bug was a "Zero-day", i.e. the vendor was not aware of it. Once it was disclosed to Firefox (one of the conditions of Pwn2Own) it stopped being a "Zero-day", i.e. the vendor was aware.

akku
David Waters
  • *Traditionally*, the term "zero-day" summarizes your three bullet points, i.e., a vulnerability was called a zero-day if the knowledge necessary to exploit it was released to the public (or was actually used in attacks) without the vendor getting any advance notice. If people are using the term differently nowadays, or if the security community has always used it differently than the broader IT community, that might explain my confusion about that article. – Harry Johnston Mar 28 '17 at 22:53
  • I'm not sure whether or not the source code for the fix is available; the bug is still locked, doesn't that mean source code hasn't been released yet? – Harry Johnston Mar 28 '17 at 22:53
  • To the best of my knowledge there are technical details which aren't associated with CVE's & yet they're 'attacks' which are wildly in use. Could that not be a 0day? – Shritam Bhowmick Mar 28 '17 at 22:58
  • @ShritamBhowmick, I'm not sure what (or who) you're asking? Both my definition and David's definition would encompass active attacks against a vulnerability that the vendor isn't yet aware of, I think. – Harry Johnston Mar 28 '17 at 23:07

No, this is not a zero-day. There is no evidence that this vulnerability has been exploited in any attacks before the patch. It's just a new vulnerability in Firefox, demonstrated during Pwn2Own.

Valery Marchuk