News Stay informed about the latest enterprise technology news and product updates.

Critical Firefox flaws targeted by exploit code

Proof-of-concept code targets Firefox security holes. But the flaws are fixed in the latest version of the browser and Mozilla Suite.

Here's a wake-up call for those who ditched Internet Explorer for Firefox, believing it's more secure than Microsoft's much-attacked browser:

Proof-of-concept code targeting security holes in Firefox and the Mozilla Suite have started appearing on public mailing lists. An attacker could exploit the flaws to launch malicious code. But users can protect themselves by updating to Firefox 1.0.3 and Mozilla Suite 1.7.7.

"These exploits allow the attacker to run arbitrary commands on Firefox before version 1.0.3 and Mozilla before version 1.7.7," Mikko Hypponen, director of AV research for Finish security firm F-Secure Corp., said in the lab's daily blog. "We advise all Mozilla and Firefox users to immediately patch their browsers. Otherwise you might get nasty stuff happen[ing] on your computer just by surfing to the wrong site."

Read more about Firefox

Mozilla adds to its growing patch pile

Attacking the alternative

The Bethesda, Md.-based SANS Internet Storm Center Web site also reported that two proof-of-concept examples appeared over the weekend. The site echoed Hypponen's advice, saying, "The little green update button in Firefox is your friend."

Specifically, the concept code targets:

A glitch where the URL of a Web site "favicons" icon is not verified before being changed through JavaScript. An attacker can exploit this to launch malicious code with escalated privileges using a specially crafted "javascript:" URI. According to, a favicon is a customizable, multi-resolution image included on nearly all professionally developed sites.

An issue in the "_search target" function sites can use to open links in the Firefox sidebar. Two missing security checks allow malicious scripts to open a privileged page [such as about:config] then inject script using a "javascript:" URL. This could be used to install malicious code or steal data without user interaction.

Besides fixing these flaws, Firefox 1.0.3 and Mozilla Suite 1.7.7 close several other security holes. According to Danish security firm Secunia, which labeled all the vulnerabilities as highly critical, other problems are that:

  • Attackers can launch malicious code by exploiting an input validation error when processing the "PLUGINSPAGE" attribute of the "EMBED" tag for non-installed plugins.
  • Blocked popups opened through the GUI graphical interface incorrectly run with "chrome" privileges. Attackers can exploit this to launch malicious code using a specially crafted "javascript:" URI.
  • The global scope of a window or tab in certain situations isn't cleaned properly before navigating to a new Web site. Attackers can exploit it to launch malicious code in a user's browser session.
  • The action URL of a search plugin isn't verified before being used to perform a search. Attackers can exploit it to launch malicious code in a user's browser session.
  • Attackers can exploit input validation errors when handling parameters of invalid types passed to certain "InstallTrigger" and "XPInstall" related objects via JavaScript to launch malicious code.
  • Attackers can exploit the fact that certain pieces of privileged UI code don't properly validate DOM nodes from the content window to launch malicious code.

Dig Deeper on Web browser security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.