Mozilla fixes drag-and-drop flaw

Article

Mozilla fixes drag-and-drop flaw

Mozilla has fixed a drag-and-drop vulnerability in Thunderbird that attackers could exploit to plant malware on targeted machines. The vendor addressed the same problem in Firefox and the Mozilla Suite earlier this month.

"Images dragged and dropped from a Web page to the desktop preserved their original name and extension. If this were an executable extension then the file would be executed rather than opened in a media application," Mozilla said in an

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

advisory.

Danish security firm Secunia said an attacker could exploit this condition to plant malware on targeted systems. Secunia said the problem has been addressed in version 1.0.2 of the Thunderbird e-mail service. Mozilla said the problem has also been fixed in Firefox 1.0.1 and Mozilla 1.7.6.

Mozilla did note in its advisory that an attacker would have to put some effort into exploiting this security hole.

More information

Mozilla fixes security hole

Mozilla addresses fresh flaws

"In order to exploit this, the attacker would have to construct a valid image that was also a valid executable," the advisory said. "The attacker must convince the user to drag the image to their desktop and sometime later double click on it without noticing it has an executable icon rather than the expected media-type image."

As a workaround, Mozilla recommended users not hide Windows extensions. "Be cautious downloading files from untrusted sites," the advisory added.

Besides the drag-and-drop issue, Secunia said Firefox 1.0.1 and Mozilla 1.7.6 address other vulnerabilities reported earlier:

  • A missing URI handler validation issue when dragging a "javascript:" URL to another tab can be exploited to launch malicious HTML and script code in a user's browser session in context of an arbitrary site by tricking a user into dragging a malicious link to another tab.
  • An error in the restriction of URI handlers loaded via plug-ins can be exploited to link to certain restricted URIs.