[ISN] Firefox suffers first 'extremely critical' security hole

InfoSec News isn at c4i.org
Tue May 10 03:18:05 EDT 2005


By Matthew Broersma
09 May 2005

Firefox has unpatched "extremely critical" security holes and exploit
code is already circulating on the Net, security researchers have

The two unpatched flaws in the Mozilla browser could allow an attacker
to take control of your system.

A patch is expected shortly, but in the meantime users can protect
themselves by switching off JavaScript. In addition, the Mozilla
Foundation has now made the flaws effectively impossible to exploit by
changes to the server-side download mechanism on the
update.mozilla.org and addons.mozilla.org sites, according to security

The flaws were confidentially reported to the Foundation on 2 May, but
by Saturday details had been leaked and were reported by several
security organisations, including the French Security Incident
Response Team (FrSIRT). Danish security firm Secunia marked the
exploit as "extremely critical", its most serious rating, the first
time it has given a Firefox flaw this rating.

In recent months Firefox has gained significant market share from
Microsoft's Internet Explorer, partly because it is considered less
vulnerable to attacks. However, industry observers have long warned
that the browser is more secure partly because of its relatively small
user base. As Firefox's profile grows, attackers will increasingly
target the browser.

The exploit, discovered by Paul of Greyhats Security Group and Michael
"mikx" Krax, makes use of two separate vulnerabilities. An attacker
could create a malicious page using frames and a JavaScript history
flaw to make software installations appear to be coming from a
"trusted" site. By default, Firefox allows software installations from
update.mozilla.org and addons.mozilla.org, but users can add their own
sites to this whitelist.

The second part of the exploit triggers software installation using an
input verification bug in the "IconURL" parameter in the install
mechanism. The effect is that a user could click on an icon and
trigger the execution of malicious JavaScript code. Because the code
is executed from the browser's user interface, it has the same
privileges as the user running Firefox, according to researchers.

Mozilla Foundation said it has protected most users from the exploit
by altering the software installation mechanism on its two whitelisted
sites. However, users may be vulnerable if they have added other sites
to the whitelist, it warned.

"We believe this means that users who have not added any additional
sites to their software installation whitelist are no longer at risk,"  
Mozilla Foundation said in a statement published on Mozillazine.org.

More information about the ISN mailing list