Mozilla Firefox Two Vulnerabilities Extremely critical ( Release

Discussion in 'Firefox' started by Ron, May 9, 2005.

  1. Ron

    Ron Guest

    Here is the site for complete information
    http://secunia.com/advisories/15292/


    Mozilla Firefox Two Vulnerabilities

    Secunia Advisory: SA15292
    Release Date: 2005-05-08

    Critical: Extremely critical
    Impact: Cross Site Scripting, System access
    Where: From remote
    Solution Status: Unpatched

    Software: Mozilla Firefox 1.x

    Description:
    Two vulnerabilities have been discovered in Firefox, which can be
    exploited by malicious people to conduct cross-site scripting attacks
    and compromise a user's system.

    1) The problem is that "IFRAME" JavaScript URLs are not properly
    protected from being executed in context of another URL in the history
    list. This can be exploited to execute arbitrary HTML and script code in
    a user's browser session in context of an arbitrary site.

    2) Input passed to the "IconURL" parameter in "InstallTrigger.install()"
    is not properly verified before being used. This can be exploited to
    execute arbitrary JavaScript code with escalated privileges via a
    specially crafted JavaScript URL.

    Successful exploitation requires that the site is allowed to install
    software (default sites are "update.mozilla.org" and "addons.mozilla.org").

    A combination of vulnerability 1 and 2 can be exploited to execute
    arbitrary code.

    NOTE: Exploit code is publicly available.

    The vulnerabilities have been confirmed in version 1.0.3. Other versions
    may also be affected.

    Solution:
    Disable JavaScript.

    Provided and/or discovered by:
    john smith




    Ron...
     
    Ron, May 9, 2005
    #1

  2. Ron

    Nate Goulet Guest

    Is it really necessary to disable Javascript?

    The article on Yahoo stated the following:

    "Mozilla Foundation said it has protected most users from the exploit
    by altering the software installation mechanism on its two whitelisted
    sites. However, users may be vulnerable if they have added other sites
    to the whitelist, it warned."

    I take that to mean that as long as you didn't change your default
    settings from FireFox's Web Features / Allow web sites to install
    software area, there is no reason to disable Javascript.

    Did I understand that correctly?

    Thanks.
     
    Nate Goulet, May 9, 2005
    #2

  3. Ron

    Pete Guest

    OK, I disabled JavaScript.
    Let us know when it's safe to enable.
    -Pete
     
    Pete, May 9, 2005
    #3
  4. Ron

    t800 Guest

    So why instead of disabling javascript, just empty the list of sites
    that are allowed to install software AND disable that feature until
    patched? (I have it disabled anyway already) I never liked that feature,
    sounded dangerous to begin with.

    If I do that, javascript then should be relatively safe again (at least
    no remote site can install and run software on my pc)?
     
    t800, May 10, 2005
    #4
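
Added example, not part of any post in this thread and not Mozilla's or Secunia's code: a Python audit of the two settings raised in posts #2 and #4, the "Allow web sites to install software" switch and the install whitelist, compared against the two default sites the advisory names. The `hostperm.1` tab-separated layout and the sample profile contents are assumptions constructed for illustration; `javascript.enabled` and `xpinstall.enabled` are the Firefox preference names.

```python
import re

# Default install whitelist named in the advisory quoted in this thread.
DEFAULT_INSTALL_HOSTS = {"update.mozilla.org", "addons.mozilla.org"}
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample profile contents (not from a real profile).
SAMPLE_PREFS = ('# Mozilla User Preferences\n'
                'user_pref("browser.startup.homepage", "about:blank");\n')
SAMPLE_HOSTPERM = ("# Permission File\n"
                   "host\tinstall\t1\tupdate.mozilla.org\n"
                   "host\tinstall\t1\taddons.mozilla.org\n"
                   "host\tinstall\t1\tthemes.example.test\n"
                   "host\tpopup\t1\tintranet.example.test\n")


def parse_prefs(text):
    """Return {name: value} for user_pref() lines in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:  # comments and blank lines do not match
            raw = m.group(2).strip()
            is_bool = raw in ("true", "false")
            prefs[m.group(1)] = (raw == "true") if is_bool else raw.strip('"')
    return prefs


def install_hosts(hostperm_text):
    """Hosts allowed to install software. Assumed hostperm.1 layout:
    host<TAB>type<TAB>permission<TAB>hostname, with permission 1 = allow."""
    hosts = set()
    for line in hostperm_text.splitlines():
        fields = line.split("\t")
        if len(fields) == 4 and fields[:3] == ["host", "install", "1"]:
            hosts.add(fields[3].strip().lower())
    return hosts


def audit(prefs_text, hostperm_text):
    prefs = parse_prefs(prefs_text)
    # Both preferences are on by default when absent from prefs.js.
    js_on = prefs.get("javascript.enabled", True)
    install_on = prefs.get("xpinstall.enabled", True)
    extra = sorted(install_hosts(hostperm_text) - DEFAULT_INSTALL_HOSTS)
    return {"javascript_enabled": js_on,
            "software_install_enabled": install_on,
            "non_default_install_hosts": extra,
            # Install allowed for a site outside the two defaults.
            "needs_review": bool(js_on and install_on and extra)}
```

Calling `audit(SAMPLE_PREFS, SAMPLE_HOSTPERM)` flags the one constructed host outside the default pair; a profile with `xpinstall.enabled` set to `false` is not flagged.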
  5. Ron

    Pete Guest

    Do you have to also disable "java?"
    -Pete
     
    Pete, May 10, 2005
    #5
  6. Ron

    Reg Mouatt Guest


    Hi,
    Not sure if this throws any more light on the matter but it does
    recommend disabling both java and allowing web sites to install
    software.

    http://www.eweek.com/article2/0,1759,1814056,00.asp

    Reg
     
    Reg Mouatt, May 11, 2005
    #6
  7. Ron

    Moz Champion Guest

    Personally, while the exploit has been proven as possible, it takes a
    website with malicious javascript to pull it off. How long do you think
    such a site would survive? About as long as it took to email its
    webhost or ISP <g>

    You can turn off the allow websites to install software, which protects
    you against the most damaging aspect (loading arbitrary code). That
    still leaves an opening for a javascript to read some details of your
    computer, but again, any such site that would try such a thing simply
    wouldn't last too long <g>

    You understand it as I do <g>

    The fix is already in the next version (upcoming)
     
    Moz Champion, May 12, 2005
    #7
  8. Ron

    Moz Champion Guest

    How about now? <g>


    Yep, the exploit is possible, but just how long do you think a website
    that took advantage of this would last? About as long as it takes to
    email its webhost or ISP!

    If you want to err on the side of caution, sure leave javascript
    disabled. Personally, I don't believe that anyone will have the temerity
    to actually launch a malicious exploit using this. Most 'exploits'
    are never taken advantage of, once the 'fix' is 'in' or becoming available.

    The next release version will contain the fix
     
    Moz Champion, May 12, 2005
    #8
  9. Ron

    Moz Champion Guest

    NO
     
    Moz Champion, May 12, 2005
    #9
  10. Ron

    Moz Champion Guest

    Reg

    That's incorrect.
    It says to disable Javascript and allowing web sites to install software

    Javascript is not Java
     
    Moz Champion, May 12, 2005
    #10
  11. Moz Champion wrote the following on 12/05/2005 4:54:
    Yes, but I think you forget about all those people that can't
    distinguish google from 'the server'. I'm sure you would be fast enough
    to email the ISP, but I don't think I would recognise a malicious website...

    And how difficult is it to copy this malicious javascript to millions of
    websites that only differ by one letter in their name, setting up your
    own server, and sending around some million "penis enlargement" emails
    that make you click a link to one of those sites...?

    0.02c

    H.
    --
    Hendrik Maryns

    Interesting websites:
    www.lieverleven.be (I cooperate)
    www.eu04.com European Referendum Campaign
    aouw.org The Art Of Urban Warfare
     
    Hendrik Maryns, May 12, 2005
    #11
  12. Ron

    Reg Mouatt Guest

    Thanks for that Moz Champion,
    I live and learn.

    Reg
     
    Reg Mouatt, May 13, 2005
    #12
  13. Ron

    RDL Guest

    Does Mozilla have an email system for notifying users of critical
    vulnerabilities?

    ***************************
    Replace + with - for email
     
    RDL, May 13, 2005
    #13
  14. Ron

    Moz Champion Guest

    No.

    When you download a Mozilla product you are not required to submit an
    email address
    and not all Mozilla products even DO email! Firefox for example

    To keep abreast of developments, go to http://www.mozilla.org/ and
    read the announcements or security advisories
     
    Moz Champion, May 14, 2005
    #14
  15. Ron

    RDL Guest

    If users of Firefox and other Mozilla products are going to be
    facing the same sorts of critical vulnerabilities as with
    Windows, then we ought to be given some sort of notification from
    the Mozilla developers. No?

    Why should it matter whether Firefox does email or not? Let them
    send the warning; I'll figure out how to receive it.

    RDL

    ***************************
    Replace + with - for email
     
    RDL, May 15, 2005
    #15
  16. Ron

    Moz Champion Guest

    How does MS advise you of critical vulnerabilities?
    How does Apple?
    How do most manufacturers of software?

    They announce it on a web page.

    Mozilla does the same
     
    Moz Champion, May 17, 2005
    #16
  17. Ron

    RDL Guest

    They send an email. I've been getting them for years, warning of
    vulnerabilities and advising me to download updates.
    Some do, some don't. One very simple and common way of
    communicating with users is the mailing list. I receive emails
    from AT&T Worldnet advising me of phishing scams, new member
    benefits, etc. I've also chosen to be placed on mailing lists
    for several software programs I use. Among other things, they
    notify me when new versions are released. A mailing list is a
    very simple thing to manage, and I'd gladly trust Mozilla with my
    email address.
    Faint praise for a company whose success is based in large part
    on NOT doing things the same way as the others.


    ***************************
    Replace + with - for email
     
    RDL, May 18, 2005
    #17
  18. Ron

    Moz Champion Guest

    As I do with Apple updates as well <g>
    However both those require you to inform the system manufacturer of your
    current email address, and 'sign up' (or at least emphatically choose)
    the update method.

    However, the question is, what does MS do when it doesn't have a 'fix'
    for a critical exploit? Nothing <g> It doesn't advise you of such, does it?

    Mozilla products (at least Firefox and Thunderbird) have a software
    update check that will advise you when a new version is available, so
    once the 'fix' is in, you can get that update. The security advisory on
    the webpage gives you current information about the status of exploits
    that have not been fixed.
     
    Moz Champion, May 18, 2005
    #18
  19. Ron

    Tom Betz Guest

    What company?
     
    Tom Betz, May 19, 2005
    #19
  20. Ron

    ric Guest

    Do any of these problems exist with ver 0.9.2 ?? I've been using
    this version for quite some time, problem free. Do I have a big
    reason to upgrade?
     
    ric, May 19, 2005
    #20