Firefox Vulnerable to Malicious Code Writers
By Jennifer LeClaire
LinuxInsider
"It's a non-issue whether or not Microsoft is a larger target than
Mozilla," said Jupiter Research analyst Joe Wilcox. "The point isn't
why your city is getting bombed instead of someone else's. It's what
do you do about your city getting bombed."
Sanity while working in Windows: MKS Toolkit products enable you to
preserve your investments in UNIX/Linux software. Click here to learn
more.
Security firm Secunia is reporting two "extremely critical" flaws in
Mozilla's Firefox. The vulnerabilities can be exploited by malicious
people who wish to take control of victims' computers.
The Mozilla Foundation is aware of the two flaws. The organization
said there are currently no known active exploits of these
vulnerabilities, although a "proof of concept" has been
reported. Mozilla said changes to its update Web service have been
made to mitigate the risk of an exploit.
"Mozilla is aggressively working to provide a more comprehensive
solution to these potential vulnerabilities and will provide that
solution in a forthcoming security update," said Mozilla executives in
a security alert.
Unprotected, Unverified
The first problem is that "IFRAME" JavaScript URLs are not properly
protected from being executed in context of another URL in the history
list, Secunia said. This can be exploited to execute arbitrary HTML
and script code in a user's browser session.
The second problem is input passed to the "IconURL" parameter in
"InstallTrigger.install()" is not properly verified before being used.
Secunia said this can be exploited to execute arbitrary JavaScript
code with escalated privileges via a specially crafted JavaScript
URL. Successful exploitation requires that the site is allowed to
install software.
Bombs are Falling
Jupiter Research analyst Joe Wilcox told LinuxInsider that there will
always be flaws in software, and arguments about why hackers target
certain browsers are ongoing all the time. The true test is how
effectively open source responds to the threats compared to its
commercial counterparts.
"It's a non-issue whether or not Microsoft is a larger target than
Mozilla," Wilcox said. "The point isn't why your city is getting
bombed instead of someone else's. It's what do you do about your city
getting bombed. During World War II, Winston Churchill could have
talked about how London was a bigger target than New York City. But
what would such an argument have meant to Londoners during blackouts?"
A Temporary Fix
Secunia also said a combination of the two vulnerabilities could be
exploited to execute arbitrary code. The firm also claims that the
exploit code is publicly available. The vulnerabilities have been
confirmed in version 1.0.3. Other versions may also be affected.
A temporary fix has been added to the sites "update.mozilla.org" and
"addons.mozilla.org." Mozilla said users can further protect
themselves by disabling JavaScript.
With the bombs falling on Firefox and the anticipation surrounding
Microsoft's Longhorn beta release this summer, some have wondered
whether the popular open-source browser could lose its momentum.
Wilcox doesn't think so. "There are plenty of people using Internet
Explorer despite security flaws," he said. "So if you use that as a
metaphor for Firefox, then the increase of the flaws may not have an
immediate impact."
Copyright 2005 ECT News Network, Inc.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily.