Malcode writers could exploit two serious security holes in Firefox to launch sinister code and conduct cross-site scripting attacks, security experts warned Monday. Exploit code is in the wild and there are no patches. But there are workarounds.
Danish security firm Secunia labeled the vulnerabilities "extremely critical" in an
The problems are that:
When combined the vulnerabilities could be exploited to launch malicious code, Secunia said. The company confirmed the flaws in Firefox 1.0.3 and said other versions could be affected.
"Remote code execution in a browser, especially without the user's interaction is very dangerous, as any misspelling in a URL, any result from a search engine or any hacked server can infect people with all sorts of malware," Swa Frantzen, a handler for the Bethesda, Md.-based SANS
Of the second option, Kristensen said, "[Mozilla has] made a temporary fix by changing the behavior of the default software installation sites… the exploit requires a working site to be listed in the 'Allow Web sites to install software' option."
He added: "This change effectively breaks the exploit. However, if a user has added another site to the "Allow Web sites to install software" option and the attacker knows the URL then the exploit is still working."
The Internet Storm Center is recommending users take the second option.