Article

Mozilla fixes drag-and-drop flaw

Bill Brenner

Mozilla has fixed a drag-and-drop vulnerability in Thunderbird that attackers could exploit to plant malware on targeted machines. The vendor addressed the same problem in Firefox and the Mozilla Suite earlier this month.

"Images dragged and dropped from a Web page to the desktop preserved their original name and extension. If this were an executable extension then the file would be executed rather than opened in a media application," Mozilla said in an

    Requires Free Membership to View

advisory.

Danish security firm Secunia said an attacker could exploit this condition to plant malware on targeted systems. Secunia said the problem has been addressed in version 1.0.2 of the Thunderbird e-mail service. Mozilla said the problem has also been fixed in Firefox 1.0.1 and Mozilla 1.7.6.

Mozilla did note in its advisory that an attacker would have to put some effort into exploiting this security hole.

More information

Mozilla fixes security hole

Mozilla addresses fresh flaws

"In order to exploit this, the attacker would have to construct a valid image that was also a valid executable," the advisory said. "The attacker must convince the user to drag the image to their desktop and sometime later double click on it without noticing it has an executable icon rather than the expected media-type image."

As a workaround, Mozilla recommended users not hide Windows extensions. "Be cautious downloading files from untrusted sites," the advisory added.

Besides the drag-and-drop issue, Secunia said Firefox 1.0.1 and Mozilla 1.7.6 address other vulnerabilities reported earlier:

  • A missing URI handler validation issue when dragging a "javascript:" URL to another tab can be exploited to launch malicious HTML and script code in a user's browser session in context of an arbitrary site by tricking a user into dragging a malicious link to another tab.
  • An error in the restriction of URI handlers loaded via plug-ins can be exploited to link to certain restricted URIs.

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: