FireFox vulnerabilities FYI

Dick Hazeleger

Hi to all

Just got a message in from both the Dutch CERT team and Secunia, saying:

http://secunia.com/advisories/15292/

CRITICAL:
Extremely critical

IMPACT:
Cross Site Scripting, System access

WHERE:
From remote

SOFTWARE:
Mozilla Firefox 1.x
http://secunia.com/product/4227/

DESCRIPTION:
Two vulnerabilities have been discovered in Firefox, which can be
exploited by malicious people to conduct cross-site scripting attacks
and compromise a user's system.

1) The problem is that "IFRAME" JavaScript URLs are not properly
protected from being executed in context of another URL in the
history list. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in context of an arbitrary
site.

2) Input passed to the "IconURL" parameter in
"InstallTrigger.install()" is not properly verified before being
used. This can be exploited to execute arbitrary JavaScript code with
escalated privileges via a specially crafted JavaScript URL.

Successful exploitation requires that the site is allowed to install
software (default sites are "update.mozilla.org" and
"addons.mozilla.org").

A combination of vulnerability 1 and 2 can be exploited to execute
arbitrary code.

NOTE: Exploit code is publicly available.

The vulnerabilities have been confirmed in version 1.0.3. Other
versions may also be affected.

SOLUTION:
Disable JavaScript.

Regards
Dick
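Item 2 of the advisory says the "IconURL" parameter is used without being properly verified, so a "javascript:" URL reaches a privileged consumer. The following is an added example, not code from the advisory, from Secunia or from Firefox, of the kind of check that guards such a parameter: parse the value with the WHATWG URL parser and allow only http/https schemes, so that "javascript:", "data:" and "vbscript:" values are refused, including ones obfuscated with mixed case or embedded whitespace, which that parser normalises before the scheme is compared. The function name `safeIconUrl`, the base page and the sample inputs are my own assumptions for the illustration.

```javascript
// Added example: scheme allow-list for a URL parameter before a
// privileged consumer uses it. Not Firefox code; `safeIconUrl`, the
// base page and the sample inputs are assumptions made for this illustration.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the normalised absolute URL as a string when the scheme is
// http(s), or null when the input must be rejected. Relative inputs are
// resolved against `base`, the page that supplied the parameter.
function safeIconUrl(input, base) {
  if (typeof input !== 'string') return null;
  let url;
  try {
    // The WHATWG parser strips leading/trailing C0 controls and spaces,
    // removes embedded tab/newline characters and lowercases the scheme,
    // so "  JavaScript:" or "java\tscript:" still parse to "javascript:".
    url = new URL(input, base);
  } catch (e) {
    return null; // unparseable input is rejected, never passed through
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Constructed sample inputs (not taken from any real exploit).
const BASE = 'https://addons.mozilla.org/extensions/';
const SAMPLES = [
  'https://addons.mozilla.org/icons/foo.png',   // absolute https: allowed
  'icons/foo.png',                              // relative, resolved against BASE
  '//cdn.example.net/foo.png',                  // scheme-relative, inherits https:
  'javascript:alert(1)',                        // the case the advisory describes
  '  JavaScript:alert(1)',                      // leading spaces + mixed case
  'java\tscript:alert(1)',                      // embedded tab
  'jAvAsCrIpT\n:alert(1)',                      // embedded newline
  'data:text/html,<script>alert(1)</script>',   // other script-bearing scheme
  'vbscript:MsgBox(1)',
  'ftp://example.net/foo.png',                  // not http(s), so refused too
];

// Runs the check over every sample and pairs each input with its verdict.
function classify(samples, base) {
  return samples.map((s) => ({ input: s, result: safeIconUrl(s, base) }));
}

for (const { input, result } of classify(SAMPLES, BASE)) {
  console.log(`${JSON.stringify(input)} -> ${result === null ? 'REJECTED' : result}`);
}
```

The check decides only on the scheme; whether a host other than the installing site may supply the icon is a separate policy question, which is why the scheme-relative sample is accepted here.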
 
(ProteanThread)

Dick said:
Hi to all

Just got a message in from both the Dutch CERT team and Secunia, saying:

http://secunia.com/advisories/15292/

[...]

SOLUTION:
Disable JavaScript.

Regards
Dick


Sounds more like a Java vulnerability than a Firefox one, doesn't it?
 
elaich

Hi to all

Just got a message in from both the Dutch CERT team and Secunia, saying:

http://secunia.com/advisories/15292/

CRITICAL:
Extremely critical

IMPACT:
Cross Site Scripting, System access

Untick "allow web sites to install software."

Wait for 1.04.

With every one of these vulnerabilities found and fixed, Firefox becomes a
more secure and attractive browser. If you use IE or Netscape, you'll wait
till the cows come home to get it fixed.
 
»Q«

elaich said:
Untick "allow web sites to install software."

Yeah, or just make sure no malicious sites are in the whitelist which
allows installation; unless the user has added malicious sites to the
list, Firefox is still immune.
Wait for 1.04.

It'll be interesting to see how fast this comes. I guess Secunia made
it public because exploit code already exists, but it seems the Firefox
security team has not yet made the bug public. (Maybe they already
have, but I couldn't find it at bugzilla.mozilla.org.)
 
elaich

Yeah, or just make sure no malicious sites are in the whitelist which
allows installation; unless the user has added malicious sites to the
list, Firefox is still immune.

I'm not sure this can be done with Javascript, but one person on the
Firefox forums reported automatic installation of malware by Java. No
permission was asked, and the user was not aware of anything being
installed. Good reason to have Java off by default. Maybe it's time to have
Javascript off by default as well.
 
Ben Wylie

If you have java off, do you receive any indication that a site needs java,
or wants to use java when you visit it?
I hate it when I come to a page which just doesn't work and I don't know why
it is failing.

Thanks
Ben
 
Mel

»Q« said:
Yeah, or just make sure no malicious sites are in the whitelist which
allows installation; unless the user has added malicious sites to the
list, Firefox is still immune.


Why? Wouldn't the cross site scripting vulnerability (1) allow any malicious
site to run in the context of a whitelisted site?

Unticking the suggested option would seem to be the best solution,
although until there's a proper fix users may be vulnerable to phishing
attempts using this flaw.

1) The problem is that "IFRAME" JavaScript URLs are not properly
protected from being executed in context of another URL in the
history list. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in context of an arbitrary
site.
 
me

If you have java off, do you receive any indication that a
site needs java, or wants to use java when you visit it?
I hate it when i come to a page which just doesn't work and
i don't know why it is failing.

Thanks
Ben
Yes. That is, pages worth visiting will say so.
If you don't, the page and/or the whole site isn't worth your
attention. ;)

J
 
»Q«

Why? Wouldn't the cross site scripting vulnerability (1) allow
any malicious site to run in the context of a whitelisted site?

You're right, it would. I misread the nature of the privilege
escalation.
 
Aaron

Yeah, or just make sure no malicious sites are in the whitelist which
allows installation; unless the user has added malicious sites to the
list, Firefox is still immune.

Apparently, even the default sites are harmless now, as the people at UMO
have redirected the default url to another site. Just don't add this new
url to the white list!

But as pointed out below, the cross-site scripting exploit still allows
fairly dangerous actions such as stealing of cookies, phishing and whatnot,
unless Javascript is off.
 
Brian

Dick said:
SOFTWARE:
Mozilla Firefox 1.x

SOLUTION:
Disable JavaScript.

If disabling JavaScript is the solution, then Firefox is NOT the
only browser affected... ANY browser using JavaScript is affected!
 
»Q«

If disabling JavaScript is the solution, then Firefox is NOT the
only browser affected... ANY browser using JavaScript is affected!

That doesn't follow. Implementations of JavaScript vary from browser
to browser.
 
elaich

Brian said:
Why? Even if ticked, you are still prompted before any sites can
install anything.

Because a Java vulnerability could install malware without user permission.
 
