Is Firefox vulnerable to MS15-078 on an unpatched system (such as XP)?
Windows Adobe Type Manager Library vulnerability: https://technet.microsoft.com/library/security/MS15-078 http://www.theregister.co.uk/2015/07/20/windows_microsoft_emergency_patch/
This exploit is not exploited through Firefox specifically. To quote the exploit:
"There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts."
Running any system that is not supported by its vendor (like Windows XP) is not safe, no matter what browser you use (although using a browser that receives security updates is better than one without). Using such a system is at your own risk, and you should never do anything on that system that could cost you if it was compromised (banking, online shopping, etc.). I strongly recommend you purchase a new computer with Windows 10, or update to Windows 10 if your system supports it.
Or if you are on a budget there are many Linux distros you could dual boot with for free like openSUSE or Ubuntu/Xubuntu/Lubuntu. http://distrowatch.com
This way you can have a more secure system especially compared to Windows XP which was made End Of Life April 2014.
Depending on how good your CPU is and how much RAM you have, you may want to use something lighter like XFCE, MATE or LXDE rather than, say, GNOME 3.0 or KDE.
I used to have an old PC with a P4 2.8 HT and 1 GB of RAM running openSUSE and XFCE on it rather smoothly, before the PSU sparked and smoked after a power failure.
Did you try the "Workaround" in the article of renaming the vulnerable DLL file? https://technet.microsoft.com/library/security/ms15-078#ID0EKIAE
That doesn't fix the problem, but it would prevent its exploitation, at the cost of not being able to use OpenType fonts in applications that require that DLL...
I am asking because I know a lot of people running XP with Firefox and an antivirus program, on old desktop PCs. None have had any problems, but this vulnerability sounds more serious than any other I've read about.
There's some discussion of the question of Firefox's vulnerability here, but different opinions: https://www.reddit.com/r/netsec/comments/3dyuwv/ms15078_remote_code_execution_in_all_versions_of/
Here https://news.ycombinator.com/item?id=9917595 it is said: Both Chrome and Firefox pass web fonts through OTS [1] before rendering them, so hopefully that mitigates the threat. [1] https://github.com/khaledhosny/ots
I hope that someone who knows (maybe a Firefox developer) can answer the question. It's relevant to a lot of people in practice: XP still has 12% usage!
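The post above asks whether the advisory's "Workaround" (renaming the vulnerable DLL) was tried. The PowerShell below is an added example, not code from the thread or from Microsoft: it reports whether the Adobe Type Manager font driver that MS15-078 patches, atmfd.dll, is still in place or has been renamed. It assumes the DLL lives in %windir%\System32 (and, on 64-bit Windows, a second copy in %windir%\SysWOW64), and that the workaround renames it to x-atmfd.dll; both the paths and the renamed name are assumptions taken from the advisory's 32-bit/64-bit instructions, so adjust them if your system differs.

```powershell
# Added example (not from the forum thread or from Microsoft's advisory):
# report the state of atmfd.dll, the library MS15-078 patches, in each
# system directory. Assumptions: 32-bit Windows keeps the DLL in
# %windir%\System32; 64-bit Windows also keeps a 32-bit copy in
# %windir%\SysWOW64; the advisory's workaround renames it to x-atmfd.dll.
$dirs = @("$env:windir\System32")
if (Test-Path "$env:windir\SysWOW64") { $dirs += "$env:windir\SysWOW64" }

foreach ($dir in $dirs) {
    $live    = Join-Path $dir 'atmfd.dll'
    $renamed = Join-Path $dir 'x-atmfd.dll'   # assumed workaround name

    if (Test-Path $live) {
        # DLL still loadable: OpenType fonts are still parsed by this driver,
        # so an unpatched system remains exposed. Record the version so a
        # patched machine can be told apart from an unpatched one.
        $ver = (Get-Item $live).VersionInfo.FileVersion
        Write-Output "$live present (file version $ver): workaround NOT applied"
    } elseif (Test-Path $renamed) {
        Write-Output "$dir : atmfd.dll renamed to x-atmfd.dll, workaround applied"
    } else {
        Write-Output "$dir : atmfd.dll not found"
    }
}
```

Run it from an elevated PowerShell prompt. A "present" line on a system that no longer receives updates (such as XP) means the workaround has not been applied; renaming the DLL only stops exploitation, it does not fix the bug, and applications that need OpenType rendering through that DLL will stop working until it is restored.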
While Firefox itself may or may not be a vector (I believe it could be), the vulnerability still exists and can be exploited in ways not requiring a web browser. Using an old, unsupported OS brings risks, as I said. There is only so secure you can be when the underlying OS is full of publicly disclosed holes.
tower99 said: "It's relevant to a lot of people in practice: XP still has 12% usage!"
Until ISPs start blocking EOL operating systems like WinXP as bandwidth demands increase and the ISP starts "reading" how much of their traffic is from malware and other exploits that a more modern operating system isn't subject to. Keep in mind that every PC on the internet is part of a large network, which is part of a larger network, and so on until that PC hits the world wide web.
Also, much of that 12% is "internet connected devices" such as ATMs, which run a variation of WinXP and have a similar UA, so they are "identified" as WinXP? Basically, 30-year-old technology from the early 1980s that should have been upgraded at least 15 years ago when W2K software patches were needed. They should have "replaced" the hardware rather than "patched" the software while keeping the same old card swipe interface. And it ain't like the NASA Space Shuttle from the same era, where an ATM user might risk getting "blown up" when the ATM is out of cash. Or like vehicle air bags, which were initially in the 2nd stage of development in the early 1980s, now blowing shrapnel without even needing to be activated in a major collision. MS is still providing updates for those ATMs until the change to "smart cards" and new ATM devices are rolled out across the US, and maybe some 3rd world countries still stuck in the 20th century, too.
As far as reaching a Mozilla developer - see this: https://www.mozilla.org/en-US/about/forums/#general-development
This forum is for end user support. The developers rarely "grace us with their presence". And IMO, they surely aren't going to enter a discussion about the usage level of EOL operating systems.
Just thank Mozilla for not ending the limited amount of "support" that Mozilla still provides for WinXP, as Google is about to do with Chrome. Or like what happened with support for Win 2000 with Firefox 13.0 ...