Here's a wake-up call for those who ditched Internet Explorer for Firefox, believing it's more secure than Microsoft's much-attacked browser:
Proof-of-concept code targeting security holes in Firefox and the Mozilla Suite have started appearing on public mailing lists. An attacker could exploit the flaws to launch malicious code. But users can protect themselves by updating to Firefox 1.0.3 and Mozilla Suite 1.7.7.
"These exploits allow the attacker to run arbitrary commands on Firefox before version 1.0.3 and Mozilla before version 1.7.7," Mikko Hypponen, director of AV research for Finish security firm F-Secure Corp., said in the lab's daily blog. "We advise all Mozilla and Firefox users to immediately patch their browsers. Otherwise you might get nasty stuff happen[ing] on your computer just by surfing to the wrong site."
The Bethesda, Md.-based SANS Internet Storm Center Web site also reported that two proof-of-concept examples appeared over the weekend. The site echoed Hypponen's advice, saying, "The little green update button in Firefox is your friend."
Specifically, the concept code targets:
Besides fixing these flaws, Firefox 1.0.3 and Mozilla Suite 1.7.7 close several other security holes. According to Danish security firm Secunia, which labeled all the vulnerabilities as highly critical, other problems are that:
- Attackers can launch malicious code by exploiting an input validation error when processing the "PLUGINSPAGE" attribute of the "EMBED" tag for non-installed plugins.
- The global scope of a window or tab in certain situations isn't cleaned properly before navigating to a new Web site. Attackers can exploit it to launch malicious code in a user's browser session.
- The action URL of a search plugin isn't verified before being used to perform a search. Attackers can exploit it to launch malicious code in a user's browser session.
- Attackers can exploit the fact that certain pieces of privileged UI code don't properly validate DOM nodes from the content window to launch malicious code.