Article

Critical Firefox flaws targeted by exploit code

Bill Brenner

Here's a wake-up call for those who ditched Internet Explorer for Firefox, believing it's more secure than Microsoft's much-attacked browser:

Proof-of-concept code targeting security holes in Firefox and the Mozilla Suite have started appearing on public mailing lists. An attacker could exploit the flaws to launch malicious code. But users can protect themselves by updating to Firefox 1.0.3 and Mozilla Suite 1.7.7.

"These exploits allow the attacker to run arbitrary commands on Firefox before version 1.0.3 and Mozilla before version 1.7.7," Mikko Hypponen, director of AV research for Finish security firm F-Secure Corp., said in the lab's daily

    Requires Free Membership to View

blog. "We advise all Mozilla and Firefox users to immediately patch their browsers. Otherwise you might get nasty stuff happen[ing] on your computer just by surfing to the wrong site."
Read more about Firefox

Mozilla adds to its growing patch pile

Attacking the alternative

The Bethesda, Md.-based SANS Internet Storm Center Web site also reported that two proof-of-concept examples appeared over the weekend. The site echoed Hypponen's advice, saying, "The little green update button in Firefox is your friend."

Specifically, the concept code targets:

A glitch where the URL of a Web site "favicons" icon is not verified before being changed through JavaScript. An attacker can exploit this to launch malicious code with escalated privileges using a specially crafted "javascript:" URI. According to Favicon.com, a favicon is a customizable, multi-resolution image included on nearly all professionally developed sites.

An issue in the "_search target" function sites can use to open links in the Firefox sidebar. Two missing security checks allow malicious scripts to open a privileged page [such as about:config] then inject script using a "javascript:" URL. This could be used to install malicious code or steal data without user interaction.

Besides fixing these flaws, Firefox 1.0.3 and Mozilla Suite 1.7.7 close several other security holes. According to Danish security firm Secunia, which labeled all the vulnerabilities as highly critical, other problems are that:

  • Attackers can launch malicious code by exploiting an input validation error when processing the "PLUGINSPAGE" attribute of the "EMBED" tag for non-installed plugins.
  • Blocked popups opened through the GUI graphical interface incorrectly run with "chrome" privileges. Attackers can exploit this to launch malicious code using a specially crafted "javascript:" URI.
  • The global scope of a window or tab in certain situations isn't cleaned properly before navigating to a new Web site. Attackers can exploit it to launch malicious code in a user's browser session.
  • The action URL of a search plugin isn't verified before being used to perform a search. Attackers can exploit it to launch malicious code in a user's browser session.
  • Attackers can exploit input validation errors when handling parameters of invalid types passed to certain "InstallTrigger" and "XPInstall" related objects via JavaScript to launch malicious code.
  • Attackers can exploit the fact that certain pieces of privileged UI code don't properly validate DOM nodes from the content window to launch malicious code.

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: