|
Home > Archive > Mozilla Browser > May 2005 > Mozilla Firefox Two Vulnerabilities Extremely critical ( Release
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Mozilla Firefox Two Vulnerabilities Extremely critical ( Release
|
|
|
| Here is the site for complete information
http://secunia.com/advisories/15292/
Mozilla Firefox Two Vulnerabilities
Secunia Advisory: SA15292 Print Advisory
Release Date: 2005-05-08
Critical:
Extremely critical
Impact: Cross Site Scripting
System access
Where: From remote
Solution Status: Unpatched
Software: Mozilla Firefox 1.x
Select a product and view a complete list of all Patched/Unpatched
Secunia advisories affecting it.
Description:
Two vulnerabilities have been discovered in Firefox, which can be
exploited by malicious people to conduct cross-site scripting attacks
and compromise a user's system.
1) The problem is that "IFRAME" JavaScript URLs are not properly
protected from being executed in context of another URL in the history
list. This can be exploited to execute arbitrary HTML and script code in
a user's browser session in context of an arbitrary site.
2) Input passed to the "IconURL" parameter in "InstallTrigger.install()"
is not properly verified before being used. This can be exploited to
execute arbitrary JavaScript code with escalated privileges via a
specially crafted JavaScript URL.
Successful exploitation requires that the site is allowed to install
software (default sites are "update.mozilla.org" and "addons.mozilla.org").
A combination of vulnerability 1 and 2 can be exploited to execute
arbitrary code.
NOTE: Exploit code is publicly available.
The vulnerabilities have been confirmed in version 1.0.3. Other versions
may also be affected.
Solution:
Disable JavaScript.
Provided and/or discovered by:
john smith
Ron...
| |
| Moz Champion 2005-05-12, 2:45 am |
| Nate Goulet wrote:
> Is it really necessary to disable Javascript?
>
> The article on Yahoo stated the following:
>
> "Mozilla Foundation said it has protected most users from the exploit
> by altering the software installation mechanism on its two whitelisted
> sites. However, users may be vulnerable if they have added other sites
> to the whitelist, it warned."
>
> I take that to mean that as long as you didn't change your default
> settings from FireFox's Web Features / Allow web sites to install
> software area, there is no reason to disable Javascript.
>
> Did I understand that correctly?
>
> Thanks.
Personally, while the exploint has been proven as possible, it takes a
website with malicious javascript to pull it off. How long do you think
such a site would survive? About as long as it took to email its
webhost or ISP <g>
You can turn off the allow websites to install software, which protects
you against the most damageing aspect (loading arbritrary code). That
still leaves an opening for a javascript to read some details of your
computer, but again, any such site that would try such a thing simply
wouldnt last too long <g>
You understand it as I do <g>
The fix is already in the next version (upcoming)
| |
| Moz Champion 2005-05-12, 2:45 am |
| Pete wrote:
> OK, I disabled JavaScript.
> Let us know when it's safe to enable.
> -Pete
>
>
How about now? <g>
yep, the exploit is possible, but just how long do you think a website
that took advantage of this would last? About as long as it takes to
email its webhost or ISP!
If you want to err on the side of caution, sure leave javascript
disabled. Personally, I dont believe that anyone will have the temerity
to actually launch an malicioous exploit using this. Most 'exploits'
are never taken advantage of, once the 'fix' is 'in' or becoming available.
the next release version will contain the fix
| |
| Moz Champion 2005-05-12, 2:45 am |
| Pete wrote:
> "t800" <t800@skynet.spambe> wrote in message
> news:Xns965298D5DE78Bt800skynetspambe@19
5.238.0.34...
>
>
> Do you have to also disable "jave?"
> -Pete
>
>
NO
| |
| Moz Champion 2005-05-12, 2:45 am |
| Reg Mouatt wrote:
> On Tue, 10 May 2005 10:49:59 -0400, "Pete" <Pete@nospam.com> wrote:
>
>
>
>
>
> Hi,
> Not sure if this throws any more light on the matter but it does
> recommend disabling both Java and allowing web sites to install
> software.
>
> http://www.eweek.com/article2/0,1759,1814056,00.asp
>
> Reg
>
Reg
Thats incorrect.
its says to disable Javascript and allowing web sites to install software
Javascript is not Java
| |
| Hendrik Maryns 2005-05-12, 5:45 pm |
| Moz Champion uitte de volgende tekst op 12/05/2005 4:54:
> Nate Goulet wrote:
>
>
>
> Personally, while the exploint has been proven as possible, it takes a
> website with malicious javascript to pull it off. How long do you think
> such a site would survive? About as long as it took to email its
> webhost or ISP <g>
Yes, but I think you forget about all those people that can't
distinguish google from 'the server'. I'm sure you would be fast enough
to email the ISP, but I don't think I would recognise a malicious website...
And how difficult is it to copy this malicious javascript to millions of
website that only differ by one letter in their name, setting up your
own server, and sending around some million "penis enlargement" emails
that make you click a link to one of those sites...?
0.02c
H.
--
Hendrik Maryns
Interesting websites:
www.lieverleven.be (I cooperate)
www.eu04.com European Referendum Campaign
aouw.org The Art Of Urban Warfare
| |
| Moz Champion 2005-05-14, 1:03 pm |
| RDL wrote:
> Does Mozilla have an email system for notifying users of critical
> vulnerabilities?
>
> ***************************
> Replace + with - for email
No.
When you download a Mozilla product you are not required to submit an
email address
and not all Mozilla products even DO email! Firefox for example
To keep abreast of developments, go to http://www.mozilla.org/ and
read the announcements or security advisories
| |
| Moz Champion 2005-05-17, 5:46 pm |
| RDL wrote:
> Moz Champion <moz.champion@sympatico.ca> wrote:
>
>
>
>
> If users of Firefox and other Mozilla products are going to be
> facing the same sorts of critical vulnerabilities as with
> Windows, then we ought to be given some sort of notification from
> the Mozilla developers. No?
>
> Why should it matter whether Firefox does email or not? Let them
> send the warning; I'll figure out how to receive it.
>
> RDL
>
> ***************************
> Replace + with - for email
how does MS advise you of critical vulnerabilities?
How does Apple?
How does most manufacturers of software?
They announce it on a web page.
Mozilla does the same
| |
| Ed Mullen 2005-05-17, 5:46 pm |
| Moz Champion wrote:
> RDL wrote:
>
>
>
> how does MS advise you of critical vulnerabilities?
> How does Apple?
> How does most manufacturers of software?
>
> They announce it on a web page.
>
> Mozilla does the same
Actually, because I want and allow it to, MS Windows Update
automatically checks for and downloads updates and prompts me to install
them. I never go to a Web site. It never even opens IE. (Yeah, yeah,
you MS paranoiacs, I know it's using the explorer process. Sheesh, stop
before you get started again, ok? :-P )
--
Ed Mullen
http://edmullen.net
http://edmullen.net/Mozilla/moz.html
I'd rather be in Biscuit City with my banjo in my hands - Gordon Lightfoot
| |
| Moz Champion 2005-05-18, 2:46 am |
| Ed Mullen wrote:
> Moz Champion wrote:
>
>
>
> Actually, because I want and allow it to, MS Windows Update
> automatically checks for and downloads updates and prompts me to install
> them. I never go to a Web site. It never even opens IE. (Yeah, yeah,
> you MS paranoiacs, I know it's using the explorer process. Sheesh, stop
> before you get started again, ok? :-P )
>
As I do with Apple updates as well <g>
However both those require you to inform the system manufacturer of your
current email address, and 'sign up' (or at least emphatically choose)
the update method.
However, the question is, what does MS do when it doesnt have a 'fix'
for a critical exploit? Nothing <g> It doesnt advise you of such does it?
Mozilla products (at least Firefox and Thunderbird) have a software
update check that will advise you when a new version is available, so
once the 'fix' is in, you can get that update. The security advisory on
the webpage gives you current information about the status of exploits
that have not been fixed.
| |
| Ed Mullen 2005-05-22, 5:45 pm |
| RDL wrote:
> Tom Betz <spammers_lie@pobox.com> wrote:
>
>
>
>
> Sorry for the semantic faux pas (actually, the correct
> designation is "501(c)3 non-profit corporation"). But I meant no
> disrespect to the good folks at Mozilla.
>
> My original question asked whether Mozilla had a system for
> directly notifying users of critical vulnerabilities, and if not,
> why not? The answer seems to be that they don't, and that
> there's no reason for them to provide that service since it's not
> standard industry practice. It looks like my only choices are to
> visit their web site once a day or lurk here waiting for an
> alarmed mozilla fan to broadcast a warning. What a waste of
> time!
>
> ***************************
> Replace + with - for email
Since I'm on many groups all day every day I don't have the same
need/situation as you and I can't vouch for how timely it is. but you
may want to check out:
http://www.mozilla.org/community/de...#topical-forums
and look at subscribing to the "Announce" list. Just bookmark the page
and if you don't find it useful aftoer a month or so you can always
unsubscribe.
--
Ed Mullen
http://edmullen.net
http://edmullen.net/Mozilla/moz.html
Marriage changes passion. Suddenly you're in bed with a relative.
|
|
|
|
|