Topic: Two more Mozilla/Firefox vulnerabilities. (Read 2258 times)

Javora · « **on:** May 09, 2005, 06:57:29 pm »

Just saw this over at ZD Net, looks like two "extremely critical" flaws in Firefox has been found. You can read about them here:

http://news.zdnet.com/2100-1009_22-5700204.html

Hopefully a new patch... or new version of Firefox will be out soon that will fix these problems.

Nemesis · « **Reply #1 on:** May 09, 2005, 08:44:58 pm »

There are two work arounds.

1/ Disable javascript.

2/ Don't allow sites to install software. Disable by making menu choices below:

Tools ->Options -> unclick Allow websites to install software

Either works. I had already done 2/.

Quote

Update: The Mozilla Foundation has posted a Security Alert. It reads: "The Mozilla Foundation is aware of two potentially critical Firefox security vulnerabilities as reported publicly Saturday, May 7th. There are currently no known active exploits of these vulnerabilities although a 'proof of concept' has been reported. Changes to the Mozilla Update web service have been made to mitigate the risk of an exploit. Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update. Users can further protect themselves today by temporarily disabling JavaScript."

toasty0 · « **Reply #2 on:** May 10, 2005, 09:58:51 am »

My goodness I thought this was fixed in this version ( 1.03). WTF is going on here?!

Then telling folks to turn off javascript in their browser--the most or second most used scripting language on the net--to solve something that was supposed to be fixed in this version sounds like the type of advice given by Microsoft of the past. This does not look like a step forward.

Thank you for letting me rant.

Jerry

Javora · « **Reply #3 on:** May 10, 2005, 02:22:32 pm »

Yeah most of the buttons on this page doesn't work because I turned off Java. I do hope they come out with a new patch soon this is kind of a pain. Actually I think this is a testimony as to how much I like tabbed browsing.

Nemesis · « **Reply #4 on:** May 10, 2005, 08:42:33 pm »

Quote from: Javora on May 10, 2005, 02:22:32 pm

Yeah most of the buttons on this page doesn't work because I turned off Java. I do hope they come out with a new patch soon this is kind of a pain. Actually I think this is a testimony as to how much I like tabbed browsing.

Then instead of turning off javascript use option 2/

2/ Don't allow sites to install software. Disable by making menu choices below:

Tools ->Options -> unclick Allow websites to install software

You don't need to do both, either one will do.

In fact unless you enabled sites not preconfigured by Mozilla to perform software downloads the bug can't hit you now anyhow. Mozilla disabled the authorized sites (which were their own). Now attempts to activate the bug fail because the actual site linkage cannot be made, unless of course you have other authorized sites that you have added yourself.

Release candidates for V1.04 are in testing to fix this bug.

Quote from: toasty0 on May 10, 2005, 09:58:51 am

My goodness I thought this was fixed in this version ( 1.03). WTF is going on here?!

Thank you for letting me rant.

Jerry

Feel free to rant toasty. But do answer one question for me.

Here is the list of bugs reported fixed in 1.03

Quote

Fixed in Firefox 1.0.3
MFSA 2005-33 Javascript "lambda" replace exposes memory contents
MFSA 2005-34 javascript: PLUGINSPAGE code execution
MFSA 2005-35 Showing blocked javascript: popup uses wrong privilege context
MFSA 2005-36 Cross-site scripting through global scope pollution
MFSA 2005-37 Code execution through javascript: favicons
MFSA 2005-38 Search plugin cross-site scripting
MFSA 2005-39 Arbitrary code execution from Firefox sidebar panel II
MFSA 2005-40 Missing Install object instance checks
MFSA 2005-41 Privilege escalation via DOM property overrides

Which one(s) do you think was not actually fixed and caused the current issue? I can't seem to spot it (them).

To help you out here are the description of the current bugs from Secunia

Quote

1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

Darth Sidious · « **Reply #5 on:** May 12, 2005, 09:05:46 am »

Firefox 1.0.4 released. check the usual suspects for links.

Nemesis · « **Reply #6 on:** May 12, 2005, 08:12:50 pm »

Link to Firefox 1.04 download

Quote

Fixed in Firefox 1.0.4
MFSA 2005-44 Privilege escalation via non-DOM property overrides
MFSA 2005-43 "Wrapped" javascript: urls bypass security checks
MFSA 2005-42 Code execution via javascript: IconURL

jualdeaux · « **Reply #7 on:** May 12, 2005, 08:46:32 pm »

WOW. I'd sure like to see MS release fixes for IE that fast.

News: