Security Bytes: Mozilla fixes 'extremely critical' flaws

In other news, Cisco fixes flaw; Massachusetts takes aim at spam ring; and Cisco confirms teen detained in investigation of its stolen source code.

Fix in for Firefox flaws
Mozilla has fixed the Firefox flaws that came to light over the weekend with version 1.0.4, now available on its download page. Exploit code has been posted for the vulnerabilities, prompting Danish security firm Secunia to label them "extremely critical." The problems, confirmed in Firefox 1.0.3, are that:

  • IFRAME JavaScript URLs are not properly protected from being executed in context of another URL in the history list. Attackers can exploit this "to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site," the Secunia advisory said.
  • Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges using a specially crafted JavaScript URL.

When combined, the two vulnerabilities could be exploited to launch malicious code, Secunia said.

Flaw fixed in Cisco Firewall Services Module
Cisco Systems has issued free software to fix a security hole in its Firewall Services Module, a high-speed, integrated firewall program for Catalyst 6500 series switches and Cisco 7600 series routers. The problem exists "when URL, FTP or HTTPS filtering is enabled in which inbound TCP packets can bypass access-list entries intended to explicitly filter them," the San Jose, Calif.-based networking giant said in an advisory.

Massachusetts takes aim at spam ring
An Internet spam ring allegedly operating in the Boston area is now in the crosshairs of Massachusetts Attorney General Tom Reilly. The Reuters news agency reported Wednesday that Reilly filed suit against the ring using information supplied by Microsoft, which has stepped up antispam efforts in recent months. "The most important thing is that we're asking a court today to shut them down to prevent any further victims," Reilly told reporters at a news conference.

Reilly and Microsoft said the lawsuit against seven individuals and two companies details efforts to promote various products through "hundreds of millions" of spam e-mail messages sent to people worldwide from domain names registered in Monaco, Australia and France, Reuters reported. Leo Kuvayev was named as the leader of the spam group and the suit said his operation worked out of Boston and Russia. "This is one of the most serious spam violators that we have seen on the Internet," Microsoft General Counsel Brad Smith told reporters.

Teen detained in code theft probe
Cisco Systems has confirmed that Swedish investigators are detaining a 16-year-old who may be connected to the theft of its source code last year. "We are aware that a person has been detained in Sweden related to the IOS source code theft and are encouraged by this action," the San Jose, Calif.-based networking giant said in a statement. Police in Uppsala, a university town north of Stockholm, Sweden, said they've been contacted by the FBI about a teen already in trouble with the law in Sweden over allegations he hacked into university computers, the Los Angeles Times reported. The New York Times reported earlier this week that the Cisco theft was part of a larger attack targeting computer systems run by U.S. universities and government agencies.
