Blog | G5 Cyber Security

Firefox 47.0.1 Autopwn2 Fix

TL;DR

The Browser Autopwn2 exploit doesn’t work against Firefox 47.0.1 due to changes in the browser’s security architecture and JavaScript engine. This guide explains why, and how to verify if your system is vulnerable (it likely isn’t with this version of Firefox).

Understanding the Problem

Browser Autopwn2 relies on exploiting vulnerabilities within a web browser’s JavaScript engine and rendering process. It typically involves injecting malicious code into a webpage that then executes harmful actions on your computer. Firefox 47.0.1 introduced several security enhancements that block this type of attack.

Why Autopwn2 Fails on Firefox 47.0.1

  1. Content Security Policy (CSP): Firefox 47.0.1 has a stricter default CSP, making it harder to inject and execute arbitrary JavaScript code from untrusted sources.
  2. JavaScript Engine Updates: The SpiderMonkey JavaScript engine in Firefox 47.0.1 includes security fixes that address known vulnerabilities Autopwn2 exploits.
  3. Sandboxing Improvements: Enhanced sandboxing isolates the browser’s processes, limiting the damage a successful exploit can cause.

Verifying Vulnerability (and Likely Finding None)

While a full vulnerability assessment requires specialized tools, you can perform basic checks to confirm Autopwn2’s ineffectiveness.

Step 1: Check Firefox Version

Ensure you are actually running Firefox 47.0.1:

about:support

Type this into the address bar and press Enter. The ‘Application Basics’ section will show your version.
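The same version check can be scripted for more than one machine. The following is an added example, not part of the original post: it assumes the version is collected either from the output of `firefox --version` (for example `Mozilla Firefox 47.0.1`) or from the `Version` key in the `[App]` section of Firefox's `application.ini`. The host names and inventory values are constructed sample data.

```python
import configparser
import re

MINIMUM = (47, 0, 1)  # the release this page discusses
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Return (major, minor, patch) from e.g. 'Mozilla Firefox 47.0.1' or '45.9.0esr'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part or 0) for part in match.groups())

def version_from_application_ini(ini_text):
    """Read the Version key from the [App] section of application.ini."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return parse_version(parser["App"]["Version"])

def audit(inventory, minimum=MINIMUM):
    """Return the hosts whose reported version is below `minimum` or unreadable."""
    flagged = []
    for host, reported in inventory.items():
        try:
            current = parse_version(reported) >= minimum
        except ValueError:
            current = False  # no version in the output: treat as unverified
        if not current:
            flagged.append(host)
    return sorted(flagged)

# Constructed sample data (assumed formats, not taken from the original post).
SAMPLE_INI = """[App]
Vendor=Mozilla
Name=Firefox
Version=47.0.1
"""
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 47.0.1",
    "ws-02": "Mozilla Firefox 47.0",       # missing the .1 point release
    "ws-03": "Mozilla Firefox 45.9.0esr",  # compared numerically; review ESR by hand
    "ws-04": "Mozilla Firefox 52.0",
    "ws-05": "command not found",          # collection failed on this host
}

if __name__ == "__main__":
    print(version_from_application_ini(SAMPLE_INI))
    print(audit(SAMPLE_INVENTORY))
```
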

Step 2: Attempt a Simple XSS Test (as a sanity check)

This won’t confirm Autopwn2 specifically, but shows if basic JavaScript injection is blocked:

  1. Create a simple HTML file (e.g., test.html) with the following content:

    <!DOCTYPE html>
    <html>
    <head><title>XSS Test</title></head>
    <body>
    <input type="text" onfocus="alert('XSS!')">
    </body>
    </html>

  2. Open test.html in Firefox 47.0.1.
  3. If the alert box pops up, your browser’s XSS protection is disabled or weak (unlikely with this version). If it doesn’t pop up, basic injection is blocked.

Step 3: Run Autopwn2 (Expect Failure)

If you have the Autopwn2 tool available, attempt to run it against Firefox 47.0.1. You should see errors indicating that the exploit failed.

The specific error messages will depend on the Autopwn2 implementation, but common ones include:

Mitigation (You Probably Don’t Need To)

  1. Keep Firefox Updated: The best defense is always the latest version of your browser. Automatic updates are highly recommended.
  2. Use a Strong Firewall: A firewall can block malicious network connections initiated by an exploit.
  3. Be Careful What You Click: Avoid clicking on suspicious links or visiting untrusted websites.

Conclusion

Firefox 47.0.1 is highly resistant to Browser Autopwn2 due to its security enhancements. While it’s always good to be vigilant, the risk of exploitation with this version of Firefox is significantly reduced.
