Critical flaw found in Firefox
Critical Flaw Found in Firefox
Matthew Broersma, Techworld.com
Mon May 9,11:00 AM ET
Firefox has unpatched "extremely critical" security holes and exploit code is already circulating on the Net, security researchers have warned.
The two unpatched flaws in the Mozilla browser could allow an attacker to take control of your system.
A patch is expected shortly, but in the meantime users can protect themselves by switching off JavaScript. In addition, the Mozilla Foundation has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts.
The flaws were confidentially reported to the Foundation on May 2, but by Saturday details had been leaked and were reported by several security organizations, including the French Security Incident Response Team (FrSIRT). Danish security firm Secunia marked the exploit as "extremely critical", its most serious rating, the first time it has given a Firefox flaw this rating.
In recent months Firefox has gained significant market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that the browser is more secure partly because of its relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser.
Two Vulnerabilities Found
The exploit, discovered by Paul of Greyhats Security Group and Michael "mikx" Krax, makes use of two separate vulnerabilities. An attacker could create a malicious page using frames and a JavaScript history flaw to make software installations appear to be coming from a "trusted" site. By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist.
The second part of the exploit triggers software installation using an input verification bug in the "IconURL" parameter in the install mechanism. The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox, according to researchers.
Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, users may be vulnerable if they have added other sites to the whitelist, it warned.
"We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement published on Mozillazine.org.
Active Topics
- Buy local this holiday season (27)
- G'vanni's (41)
- Ice Skating (0)
- Draught lists for Dive and Abbey? (8)
- Remember this one? (7)
- The old Above Club/Coco Bean room... (0)
- Great Read: Anarchist Punker Captains a Raft Down the Mississippi (0)
- Now What!!! (49)
- What I want for 2009 (5)
- IS IT POSSIBLE?? FINALLY IN WORCESTER? (57)
- Cancelled. (28)
- your picks of 2008 (13)
- Artisan Bread!! (7)
- This Week in the Weekly Shuffle: Cowboy Matt, exhibit at Booklovers' Gourmet, Doctor Robert Video and Club notes (0)
- The New Year's Eve Story (30)
- 1 of 377
- ››
Related Topics
Re: Critical flaw found in Firefox
however;
Security Advisory (May 8, 2005) The Mozilla Foundation is aware of two potentially critical Firefox security vulnerabilities as reported publicly Saturday, May 7th. There are currently no known active exploits of these vulnerabilities although a "proof of concept" has been reported. Changes to the Mozilla Update web service have been made to mitigate the risk of an exploit. Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update. Users can further protect themselves today by temporarily disabling JavaScript.
http://www.mozilla.org/security/#Security_Alerts
www.duncanarsenault.com
Re: Critical flaw found in Firefox
I am sure there will be a update within moments but if you are really paranoid you can use this workaround.
Mozilla Foundation Security Advisory 2005-42
Title: Code execution via (tammairanslip) IconURL
Severity: Critical
Reporter: Paul (Greyhats)
Products: Firefox, Mozilla Suite
Description
Two vulnerabilities were found in Mozilla Firefox that combined allow an attacker to run arbitrary code. The Mozilla Suite is only partially vulnerable.
By causing a frame to navigate back to a previous (tammairanslip) url an attacker can inject script into any site. This could be used to steal cookies or sensitive data from that site, or to perform actions on behalf of that user. (Affects Firefox and the Suite).
A separate vulnerability in the Firefox install confirmation dialog allows an attacker to execute arbitrary code by using a (tammairanslip) URL as the package icon. By default only the Mozilla Foundation update site is allowed to bring up this dialog, but the script injection vulnerability described above enables this to be exploited from any malicious site.
The Mozilla Foundation has modified the update servers to prevent their use in this attack.
Workaround
The Mozilla Foundation has made changes to our update servers that will protect users from this arbitrary code execution exploit. Users who have added other extension or theme sites to the software installation whitelist should remove them until a fixed version of Firefox is available.
1. Select the "Options" dialog from the "Tools" menu
2. Select the "Web Features" icon
3. Click the "Allowed Sites" button on the same line as the "Allow web sites to install software" checkbox
4. Click the "Remove All Sites" button
5. Click "OK"
To prevent the script injection exploit from stealing cookies or other sensitive data disable Javascript before visiting untrustworthy sites. In Firefox:
1. Select the "Options" dialog from the "Tools" menu
2. Select the "Web Features" icon
3. Uncheck the "Enable Javascript" checkbox
4. Click "OK"
In the Mozilla Suite:
1. Select the "Preferences" dialog from the "Edit" menu
2. Click the tiny icon next to the "Advanced" item in the left pane to expand the list
3. Select "Scripts and Plug-ins"
4. Uncheck the "Navigator" checkbox under "Enable Javascript for"
5. Click "OK"
Re-enable Javascript for trustworthy sites that require it.
http://www.mozilla.org/security/announce/mfsa2005-42.html