Malcode writers could exploit two serious security holes in Firefox to launch sinister code and conduct cross-site scripting attacks, security experts warned Monday. Exploit code is in the wild and there are no patches. But there are workarounds.
Danish security firm Secunia labeled the vulnerabilities "extremely critical" in an advisory posted over the weekend. Asked why the flaws received its highest risk rating, Secunia CTO Thomas Kristensen said by e-mail, "Primarily the fact that exploit code was published before a patch was released. The exploit [makes] it possible to compromise the user's system."
The problems are that:
When combined, the vulnerabilities could be exploited to launch malicious code, Secunia said. The company confirmed the flaws in Firefox 1.0.3 and said other versions could be affected.
"Remote code execution in a browser, especially without the user's interaction, is very dangerous, as any misspelling in a URL, any result from a search engine or any hacked server can infect people with all sorts of malware," Swa Frantzen, a handler for the Bethesda, Md.-based SANS
Of the second option, Kristensen said, "[Mozilla has] made a temporary fix by changing the behavior of the default software installation sites… the exploit requires a working site to be listed in the 'Allow Web sites to install software' option."
He added: "This change effectively breaks the exploit. However, if a user has added another site to the 'Allow Web sites to install software' option and the attacker knows the URL then the exploit is still working."
The Internet Storm Center is recommending users take the second option.