We knew about Java’s “Write once, run everywhere” mantra which very quickly turned into jokes like “Write once, pwn everywhere”. But with the latest Firefox zero-day, Oracle isn’t the only one that faces this problem.
Firefox, much like Java, can be found across various platforms and is quite a popular choice for people that run Linux. In fact, the Tor Browser itself uses Firefox.
Granted, the latest exploit against Mozilla’s browser, was intended for people running Windows:
Not too surprisingly, this prompted an almost immediate reaction from the Tor Project to advise people to stop using Microsoft’s Operating System.
While there is some truth in there, would it really be enough?
Case in point, this specific Firefox vulnerability is actually cross-platform, although from our tests, code execution only seems to happen on Windows.
Here’s a video showing the Firefox flaw on Apple’s Mac OS X. The browser crashes, and even if no actual code execution happened, the possibility is not out of this world.
While Mozilla has adopted a fast release cycle with automatic updates, people can be running older (but still supported) versions, as is the case with this Firefox 17 Extended Support Release (ESR).
Having to maintain multiple versions is probably one of software developers’ worst headaches. The reality is that many enterprises cannot readily upgrade that often due to many applications’ constraints to particular configurations.
This is definitely an issue as software vendors will naturally tend to focus their efforts on the latest version of the software they make, and that includes bug fixes and security improvements.
Jerome Segura (@jeromesegura) is Senior Security Researcher at Malwarebytes.