Evgeny Legerov, founder of Intevydis in Moscow, has created an exploit that hits a previously unknown heap-corruption vulnerability in the Firefox browser. The code isn’t readily available, though, since he’s put it in a module for the automated exploitation system he sells (reportedly at a considerable price). Legerov has not provided information on the vulnerability to Mozilla.
The Intevydis site says: “Exploitation frameworks are not new on the market, but only we may offer you hundreds of CANVAS modules for unpatched and unknown vulnerabilities in highly popular software products.”
The exploit works against Firefox v3.6 on Windows XP and Vista.
If Legerov hasn’t given Mozilla details of the hack, as one would under the rules of responsible disclosure, it raises the question: “who does he sell his software to?”
There don’t seem to be any more details of the vulnerability available. Expectations are that the exploit will be more widely available in the wild shortly. Vulnerability research firm Secunia gives this general advice for users:
“Do not visit untrusted websites or follow untrusted links.”