Software

Firefox Vulnerable to Malicious Code Writers

Security firm Secunia is reporting two “extremely critical” flaws in Mozilla’s Firefox. The vulnerabilities can be exploited by malicious people who wish to take control of victims’ computers.

The Mozilla Foundation is aware of the two flaws. The organization said there are currently no known active exploits of these vulnerabilities, although a “proof of concept” has been reported. Mozilla said changes to its update Web service have been made to mitigate the risk of an exploit.

“Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update,” said Mozilla executives in a security alert.

Unprotected, Unverified

The first problem is that “IFRAME” JavaScript URLs are not properly protected from being executed in context of another URL in the history list, Secunia said. This can be exploited to execute arbitrary HTML and script code in a user’s browser session.

The second problem is input passed to the “IconURL” parameter in “InstallTrigger.install()” is not properly verified before being used. Secunia said this can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL. Successful exploitation requires that the site is allowed to install software.

Bombs are Falling

Jupiter Research analyst Joe Wilcox told LinuxInsider that there will always be flaws in software, and arguments about why hackers target certain browsers are ongoing all the time. The true test is how effectively open source responds to the threats compared to its commercial counterparts.

“It’s a non-issue whether or not Microsoft is a larger target than Mozilla,” Wilcox said. “The point isn’t why your city is getting bombed instead of someone else’s. It’s what do you do about your city getting bombed. During World War II, Winston Churchill could have talked about how London was a bigger target than New York City. But what would such an argument have meant to Londoners during blackouts?”

A Temporary Fix

Secunia also said a combination of the two vulnerabilities could be exploited to execute arbitrary code. The firm also claims that the exploit code is publicly available. The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.

A temporary fix has been added to the sites “update.mozilla.org” and “addons.mozilla.org.” Mozilla said users can further protect themselves by disabling JavaScript.

With the bombs falling on Firefox and the anticipation surrounding Microsoft’s Longhorn beta release this summer, some have wondered whether the popular open-source browser could lose its momentum.

Wilcox doesn’t think so. “There are plenty of people using Internet Explorer despite security flaws,” he said. “So if you use that as a metaphor for Firefox, then theincrease of the flaws may not have an immediate impact.”

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

LinuxInsider Channels