Topic: Two more Mozilla/Firefox vulnerabilities.  (Read 2264 times)


Offline Javora

Two more Mozilla/Firefox vulnerabilities.
« on: May 09, 2005, 06:57:29 pm »
Just saw this over at ZD Net, looks like two "extremely critical" flaws in Firefox have been found.  You can read about them here:

http://news.zdnet.com/2100-1009_22-5700204.html

Hopefully a new patch... or new version of Firefox will be out soon that will fix these problems.

Offline Nemesis

Re: Two more Mozilla/Firefox vulnerabilities.
« Reply #1 on: May 09, 2005, 08:44:58 pm »
There are two workarounds.

1/ Disable JavaScript.

2/ Don't allow sites to install software.  Disable by making menu choices below:

        Tools -> Options -> unclick "Allow websites to install software"

Either works.  I had already done 2/. 

Quote
Update: The Mozilla Foundation has posted a Security Alert. It reads: "The Mozilla Foundation is aware of two potentially critical Firefox security vulnerabilities as reported publicly Saturday, May 7th. There are currently no known active exploits of these vulnerabilities although a 'proof of concept' has been reported. Changes to the Mozilla Update web service have been made to mitigate the risk of an exploit. Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update. Users can further protect themselves today by temporarily disabling JavaScript."
Do unto others as Frey has done unto you.
Seti Team    Free Software
I believe truth and principle do matter. If you have to sacrifice them to get the results you want, then the results aren't worth it.
 FoaS_XC : "Take great pains to distinguish a criticism vs. an attack. A person reading a post should never be able to confuse the two."

Offline toasty0

Re: Two more Mozilla/Firefox vulnerabilities.
« Reply #2 on: May 10, 2005, 09:58:51 am »
My goodness, I thought this was fixed in this version (1.03). WTF is going on here?!

Then telling folks to turn off JavaScript in their browser--the most or second most used scripting language on the net--to solve something that was supposed to be fixed in this version sounds like the type of advice given by Microsoft of the past. This does not look like a step forward.

Thank you for letting me rant.

Jerry
MCTS: SQL Server 2005 | MCP: Windows Server 2003 | MCTS: Microsoft Certified Technology Specialist | MCT: Microsoft Certified Trainer | MOS: Microsoft Office Specialist 2003 | VSP: VMware Sales Professional | MCTS: Vista

Offline Javora

Re: Two more Mozilla/Firefox vulnerabilities.
« Reply #3 on: May 10, 2005, 02:22:32 pm »
Yeah, most of the buttons on this page don't work because I turned off Java.  I do hope they come out with a new patch soon; this is kind of a pain.  Actually I think this is a testimony as to how much I like tabbed browsing.   ;D

Offline Nemesis

Re: Two more Mozilla/Firefox vulnerabilities.
« Reply #4 on: May 10, 2005, 08:42:33 pm »
Quote
Yeah, most of the buttons on this page don't work because I turned off Java.  I do hope they come out with a new patch soon; this is kind of a pain.  Actually I think this is a testimony as to how much I like tabbed browsing.   ;D

Then instead of turning off JavaScript, use option 2/

2/ Don't allow sites to install software.  Disable by making menu choices below:

        Tools -> Options -> unclick "Allow websites to install software"

You don't need to do both, either one will do. 

In fact, unless you enabled sites not preconfigured by Mozilla to perform software downloads, the bug can't hit you now anyhow.  Mozilla disabled the authorized sites (which were their own).  Now attempts to activate the bug fail because the actual site linkage cannot be made, unless of course you have other authorized sites that you have added yourself.

Release candidates for V1.04 are in testing to fix this bug.

Quote
My goodness, I thought this was fixed in this version (1.03). WTF is going on here?!

Thank you for letting me rant.

Jerry

Feel free to rant toasty.  But do answer one question for me.

Here is the list of bugs reported fixed in 1.03

Quote
Fixed in Firefox 1.0.3
MFSA 2005-33 Javascript "lambda" replace exposes memory contents
MFSA 2005-34 javascript: PLUGINSPAGE code execution
MFSA 2005-35 Showing blocked javascript: popup uses wrong privilege context
MFSA 2005-36 Cross-site scripting through global scope pollution
MFSA 2005-37 Code execution through javascript: favicons
MFSA 2005-38 Search plugin cross-site scripting
MFSA 2005-39 Arbitrary code execution from Firefox sidebar panel II
MFSA 2005-40 Missing Install object instance checks
MFSA 2005-41 Privilege escalation via DOM property overrides

Which one(s) do you think was not actually fixed and caused the current issue?  I can't seem to spot it (them).

To help you out, here is the description of the current bugs from Secunia

Quote
1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.


Offline Darth Sidious

Re: Two more Mozilla/Firefox vulnerabilities.
« Reply #5 on: May 12, 2005, 09:05:46 am »
Firefox 1.0.4 released.  Check the usual suspects for links.

Offline Nemesis

Re: Two more Mozilla/Firefox vulnerabilities.
« Reply #6 on: May 12, 2005, 08:12:50 pm »
Link to Firefox 1.04 download

Quote
Fixed in Firefox 1.0.4
MFSA 2005-44 Privilege escalation via non-DOM property overrides
MFSA 2005-43 "Wrapped" javascript: urls bypass security checks
MFSA 2005-42 Code execution via javascript: IconURL

Offline jualdeaux

Re: Two more Mozilla/Firefox vulnerabilities.
« Reply #7 on: May 12, 2005, 08:46:32 pm »
WOW. I'd sure like to see MS release fixes for IE that fast. ;)
Only in America .....do we use the word 'politics' to describe the process so well: 'Poli' in Latin meaning 'many' and 'tics' meaning 'bloodsucking creatures'.
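
The second Secunia item quoted in Reply #4 (listed in Reply #6 as MFSA 2005-42) comes down to a URL parameter being used without checking its scheme. The block below is an added example, not part of the thread and not Mozilla's actual fix: it contrasts a prefix blocklist with a parse-then-allowlist check. The names `naiveIsSafe`, `validateIconUrl`, `auditSamples` and the `addons.example` host are hypothetical, and the sample inputs are constructed.

```javascript
// Added example: validating an untrusted icon URL before it is used.
// All names and sample values here are hypothetical / constructed.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Weak form: a string-prefix blocklist. Shown only for comparison.
function naiveIsSafe(raw) {
  return !raw.startsWith("javascript:");
}

// Hardened form: parse with the same WHATWG URL rules a browser applies
// (leading whitespace trimmed, tabs/newlines stripped, scheme lowercased),
// then allow only schemes that cannot carry script.
function validateIconUrl(raw, baseUrl) {
  if (typeof raw !== "string" || raw.length === 0) {
    return { ok: false, reason: "empty or non-string value" };
  }
  let parsed;
  try {
    parsed = new URL(raw, baseUrl); // relative values resolve against baseUrl
  } catch (err) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  return { ok: true, url: parsed.href };
}

// Constructed inputs: two legitimate icons, then values that must be refused.
const BASE = "https://addons.example/extensions/";
const SAMPLES = [
  "icons/theme.png",
  "https://cdn.example/icon.png",
  "javascript:void(0)",
  "  JavaScript:void(0)",   // leading space + mixed case
  "java\tscript:void(0)",   // embedded tab is stripped by the parser
  "data:text/html,x",
  "chrome://browser/content/",
];

function auditSamples() {
  return SAMPLES.map((input) => ({
    input: JSON.stringify(input),
    naive: naiveIsSafe(input),
    strict: validateIconUrl(input, BASE).ok,
  }));
}

console.table(auditSamples());
```

The rows where `naive` is true and `strict` is false are the cases a prefix check lets through, which is why the allowlist is applied to the parsed scheme rather than to the raw string.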