News Stay informed about the latest enterprise technology news and product updates.

Mozilla fixes drag-and-drop flaw

Attackers could exploit Thunderbird bug to plant malware on your computer.

Mozilla has fixed a drag-and-drop vulnerability in Thunderbird that attackers could exploit to plant malware on...

targeted machines. The vendor addressed the same problem in Firefox and the Mozilla Suite earlier this month.

"Images dragged and dropped from a Web page to the desktop preserved their original name and extension. If this were an executable extension then the file would be executed rather than opened in a media application," Mozilla said in an advisory.

Danish security firm Secunia said an attacker could exploit this condition to plant malware on targeted systems. Secunia said the problem has been addressed in version 1.0.2 of the Thunderbird e-mail service. Mozilla said the problem has also been fixed in Firefox 1.0.1 and Mozilla 1.7.6.

Mozilla did note in its advisory that an attacker would have to put some effort into exploiting this security hole.

More information

Mozilla fixes security hole

Mozilla addresses fresh flaws

"In order to exploit this, the attacker would have to construct a valid image that was also a valid executable," the advisory said. "The attacker must convince the user to drag the image to their desktop and sometime later double click on it without noticing it has an executable icon rather than the expected media-type image."

As a workaround, Mozilla recommended users not hide Windows extensions. "Be cautious downloading files from untrusted sites," the advisory added.

Besides the drag-and-drop issue, Secunia said Firefox 1.0.1 and Mozilla 1.7.6 address other vulnerabilities reported earlier:

  • A missing URI handler validation issue when dragging a "javascript:" URL to another tab can be exploited to launch malicious HTML and script code in a user's browser session in context of an arbitrary site by tricking a user into dragging a malicious link to another tab.
  • An error in the restriction of URI handlers loaded via plug-ins can be exploited to link to certain restricted URIs.

Dig Deeper on Web browser security

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.