Two Holes Poke Firefox Veneer This time they're deemed 'extremely critical'. Tim Gray
It seems Mozilla's Firefox, the undisputed darling of the alternative
browser set, isn't immune after all to the slings and arrows suffered by
other popular interfaces.
On Saturday the Greyhats Security Group punctured the browser's aura of
invincibility after it released details of two flaws that allow a malicious
site to execute arbitrary code.
The advisory explains that the successful attacks involve two elements. The
first flaw fools the browser into thinking software is being installed by a
"whitelisted site." The second flaw occurs when the software installation
trigger does not sufficiently check icon URLs containing JavaScript code.
Users can protect themselves by temporarily disabling JavaScript,
according to Mozilla.
Less than a week after the foundation trumpeted breaking
the 50 million
download mark, the browser is dealing with what
has been called by Danish security firm Secunia its first "extremely
critical" bug.
The Mozilla Foundation said there are currently no known active exploits
of these vulnerabilities, although a "proof of concept" has been reported.
Greyhats said an attacker can first use frames and a
JavaScript history flaw to make it appear that a software installation is
being triggered from add-ons.update.mozilla.org.
As the JavaScript is executed from the chrome, it has "full chrome
privileges" and can "do anything that the user running Firefox can."
"Mozilla is aggressively working to provide a more comprehensive solution
to these potential vulnerabilities and will provide that solution in a
forthcoming security update," the foundation said on its Web site.
Numerous security outfits agree with the foundation's suggestions of
disabling JavaScript as a workaround.
"We believe this means that users who have not added any additional sites
to their software installation whitelist are no longer at risk," Mozilla
Foundation said in a statement.
