# Firefox Flaw



## VirginiaHuguenot (May 9, 2005)

Critical Flaw Found in Firefox Matthew Broersma, Techworld.com 

Mon May 9, 2005

Firefox has unpatched "extremely critical" security holes and exploit code is already circulating on the Net, security researchers have warned.

The two unpatched flaws in the Mozilla browser could allow an attacker to take control of your system.

A patch is expected shortly, but in the meantime users can protect themselves by switching off JavaScript. In addition, the Mozilla Foundation has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts.

The flaws were confidentially reported to the Foundation on May 2, but by Saturday details had been leaked and were reported by several security organizations, including the French Security Incident Response Team (FrSIRT). Danish security firm Secunia marked the exploit as "extremely critical", its most serious rating, the first time it has given a Firefox flaw this rating.

In recent months Firefox has gained significant market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that the browser is more secure partly because of its relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser.

Two Vulnerabilities Found
The exploit, discovered by Paul of Greyhats Security Group and Michael "mikx" Krax, makes use of two separate vulnerabilities. An attacker could create a malicious page using frames and a JavaScript history flaw to make software installations appear to be coming from a "trusted" site. By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist.

The second part of the exploit triggers software installation using an input verification bug in the "IconURL" parameter in the install mechanism. The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox, according to researchers.

Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, users may be vulnerable if they have added other sites to the whitelist, it warned.

"We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement published on Mozillazine.org.


----------



## 4ndr3w (May 10, 2005)

Here's [another] article on this:

May 09, Secunia - Two vulnerabilities in Mozilla Firefox. Two
vulnerabilities have been discovered in Firefox, which can be exploited by
malicious people to conduct cross-site scripting attacks and compromise a
user's system. "IFRAME" JavaScript URLs are not properly protected from
being executed in context of another URL in the history list. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an arbitrary site. Input passed to the "IconURL"
parameter in "InstallTrigger.install()" is not properly verified before
being used. This can be exploited to execute arbitrary JavaScript code with
escalated privileges via a specially crafted JavaScript URL. A temporary
solution has been added to the sites "update.mozilla.org" and
"addons.mozilla.org" where requests are redirected to
"do-not-add.mozilla.org". This will stop the publicly available exploit code
using the two vulnerabilities to execute arbitrary code in the default
settings of Firefox. Source: http://secunia.com/advisories/15292/

[Edited on 5-10-2005 by 4ndr3w]


----------



## daveb (May 10, 2005)

Official statement advising how to stop the vulnerability:

http://www.mozilla.org/security/announce/mfsa2005-42.html

Expect an update soon.


----------



## daveb (May 12, 2005)

Firefox 1.0.4 has been released fixing this vulnerability.

Get it here: http://www.mozilla.org/


----------



## 4ndr3w (May 18, 2005)

May 16, SecurityFocus - Mozilla Suite and Firefox multiple script manager
security bypass vulnerabilities. Multiple issues exist in Mozilla Suite and
Firefox. These issues allow attackers to bypass security checks in the
script security manager. These vulnerabilities allow remote attackers to
execute script code with elevated privileges, leading to the installation
and execution of malicious applications on an affected computer. Cross-site
scripting, and other attacks are also likely possible. Original advisory and
updates: http://www.mozilla.org/projects/security/known-vulnerabilities.html
Source: http://www.securityfocus.com/bid/13641/discussion/

May 16, SecurityFocus - Mozilla Suite and Firefox DOM property overrides
code execution vulnerability. Mozilla Suite and Mozilla Firefox are affected
by a code execution vulnerability. This issue is due to a failure in the
application to properly verify Document Object Model (DOM) property values.
An access validation error the attacker may leverage this issue to execute
arbitrary code with the privileges of the user that activated the vulnerable
Web browser, ultimately facilitating a compromise of the affected computer.
Original advisory and updates:
http://www.mozilla.org/projects/security/known-vulnerabilities.html
Source: http://www.securityfocus.com/bid/13645/info/


----------

