Critical Flaw Found in Firefox

WoodysGirl

U.N.I.T.Y
Staff member
Messages
79,281
Reaction score
45,652
CowboysZone ULTIMATE Fan
Just FYI...
---------
Matthew Broersma, Techworld.com Mon May 9,11:00 AM ET

Firefox has unpatched "extremely critical" security holes and exploit code is already circulating on the Net, security researchers have warned.

The two unpatched flaws in the Mozilla browser could allow an attacker to take control of your system.

A patch is expected shortly, but in the meantime users can protect themselves by switching off JavaScript. In addition, the Mozilla Foundation has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts.

The flaws were confidentially reported to the Foundation on May 2, but by Saturday details had been leaked and were reported by several security organizations, including the French Security Incident Response Team (FrSIRT). Danish security firm Secunia marked the exploit as "extremely critical", its most serious rating, the first time it has given a Firefox flaw this rating.

In recent months Firefox has gained significant market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that the browser is more secure partly because of its relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser.

Two Vulnerabilities Found

The exploit, discovered by Paul of Greyhats Security Group and Michael "mikx" Krax, makes use of two separate vulnerabilities. An attacker could create a malicious page using frames and a JavaScript history flaw to make software installations appear to be coming from a "trusted" site. By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist.

The second part of the exploit triggers software installation using an input verification bug in the "IconURL" parameter in the install mechanism. The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox, according to researchers.

Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, users may be vulnerable if they have added other sites to the whitelist, it warned.

"We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement published on Mozillazine.org.

http://news.yahoo.com/s/pcworld/120756
 

BrAinPaiNt

Mike Smith aka Backwoods Sexy
Staff member
Messages
78,654
Reaction score
43,000
CowboysZone ULTIMATE Fan
Just getting ready to post this but you beat me to it.
 

WoodysGirl

U.N.I.T.Y
Staff member
Messages
79,281
Reaction score
45,652
CowboysZone ULTIMATE Fan
BrAinPaiNt said:
Just getting ready to post this but you beat me to it.
Itchy posting finger...:)

I was actually looking up something else, when I saw it and thought you guys might want to know.
 

adbutcher

K9NME
Messages
12,287
Reaction score
2,910
Woody'sGirl said:
Just FYI...
---------
Matthew Broersma, Techworld.com Mon May 9,11:00 AM ET

Firefox has unpatched "extremely critical" security holes and exploit code is already circulating on the Net, security researchers have warned.

The two unpatched flaws in the Mozilla browser could allow an attacker to take control of your system.

A patch is expected shortly, but in the meantime users can protect themselves by switching off JavaScript. In addition, the Mozilla Foundation has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts.

The flaws were confidentially reported to the Foundation on May 2, but by Saturday details had been leaked and were reported by several security organizations, including the French Security Incident Response Team (FrSIRT). Danish security firm Secunia marked the exploit as "extremely critical", its most serious rating, the first time it has given a Firefox flaw this rating.

In recent months Firefox has gained significant market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that the browser is more secure partly because of its relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser.

Two Vulnerabilities Found

The exploit, discovered by Paul of Greyhats Security Group and Michael "mikx" Krax, makes use of two separate vulnerabilities. An attacker could create a malicious page using frames and a JavaScript history flaw to make software installations appear to be coming from a "trusted" site. By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist.

The second part of the exploit triggers software installation using an input verification bug in the "IconURL" parameter in the install mechanism. The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox, according to researchers.

Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, users may be vulnerable if they have added other sites to the whitelist, it warned.

"We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement published on Mozillazine.org.

http://news.yahoo.com/s/pcworld/120756
Ahem....this doesn't look like school work to me. :D
 

trickblue

Not Old School...Old Testament...
Messages
31,439
Reaction score
3,961
The beauty of Firefox is that it will literally be fixed within a few days...

If this were Internet Explorer this would take several weeks to correct...

Of course... while you would wait for Microsoft to fix it you could enjoy 100's of pop-up ads for your reading pleasure... :D
 

adbutcher

K9NME
Messages
12,287
Reaction score
2,910
trickblue said:
The beauty of Firefox is that it will literally be fixed within a few days...

If this were Internet Explorer this would take several weeks to correct...

Of course... while you would wait for Microsoft to fix it you could enjoy 100's of pop-up ads for your reading pleasure... :D
I like FF but IE is no where nearly as bad as it is made out to be. In fact, I haven't had any problems with pop-ups, spyware, or etc in some time now.
 

Rocky

New Member
Messages
777
Reaction score
0
Workaround
The Mozilla Foundation has made changes to our update servers that will protect users from this arbitrary code execution exploit. Users who have added other extension or theme sites to the software installation whitelist should remove them until a fixed version of Firefox is available.

1. Select the "Options" dialog from the "Tools" menu
2. Select the "Web Features" icon
3. Click the "Allowed Sites" button on the same line as the "Allow web sites to install software" checkbox
4. Click the "Remove All Sites" button
5. Click "OK"

To prevent the script injection exploit from stealing cookies or other sensitive data disable Javascript before visiting untrustworthy sites. In Firefox:

1. Select the "Options" dialog from the "Tools" menu
2. Select the "Web Features" icon
3. Uncheck the "Enable Javascript" checkbox
4. Click "OK"

In the Mozilla Suite:

1. Select the "Preferences" dialog from the "Edit" menu
2. Click the tiny icon next to the "Advanced" item in the left pane to expand the list
3. Select "Scripts and Plug-ins"
4. Uncheck the "Navigator" checkbox under "Enable Javascript for"
5. Click "OK"

Re-enable Javascript for trustworthy sites that require it.



http://www.mozilla.org/security/announce/mfsa2005-42.html
 

Khartun

AmarilloCowboyFan
Messages
3,133
Reaction score
1,682
The more popular FF gets the more this will happen.
It looks as though it was just a security group that identified the problem and not a hacker though. Hackers probably still aren't really targeting the browser much.
 

CowboysFan02

Degree or Bust
Messages
810
Reaction score
0
trickblue said:
The beauty of Firefox is that it will literally be fixed within a few days...

If this were Internet Explorer this would take several weeks to correct...

Of course... while you would wait for Microsoft to fix it you could enjoy 100's of pop-up ads for your reading pleasure... :D

Speaking of a few days 1.04 is now online and ready for you to download. :D
 

adbutcher

K9NME
Messages
12,287
Reaction score
2,910
jimmy40 said:
What's the deal with Kenny Borrough riding a football?
LOL, not Kenny. Jus a generic dude. If I am not mistaken this image was orinally on a T-shirt or was it from quickdraw :). Anyway I found it and made the necessary adjustments to fit my sig.
 
Top