Slashdot Mirror


2 Firefox Security Flaws Lead to Exploit Potential

Marthisdil points out a News.com story which reports that "Two vulnerabilities in the popular Firefox browser have been rated 'extremely critical' because exploit code is now available to take advantage of them." Security firm Secunia reported the vulnerabilities (and the "extremely critical" rating is theirs), but the News.com story points out that thus far, "no known cases have yet emerged where an attacker took advantage of the public exploit code." Update: 05/09 20:20 GMT by T : Rebron of the Mozilla Foundation sends a correction; this is really the same flaw reported yesterday. He suggests that you glance at the Mozilla security alert on this hole (as well as other alerts at the Mozilla Security Center), and says "The Mozilla Foundation has made changes to our update servers that will protect users from this arbitrary code execution exploit."

3 of 417 comments

  1. Bug Details by Talian · · Score: 5, Informative

    Before everyone freaks out, take a look at the bug notes to get the details.

    Exploitation requires the javascript bug AND a whitelisted site. The only default whitelisted site is update.mozilla.org, and they have made changes to mitigate the problem on their end.

    So unless you've whitelisted a lot of extra sites to install themes or extensions, this is not a huge risk. To be sure, disable "Allow websites to install software" under options | web features, and if really worried, disable javascript.

    1. Re:Bug Details by That's+Unpossible! · · Score: 5, Informative

      Yeah, I don't really see how this "exploit" is really an exploit at all. If you whitelist a site, that means you can already install an XPI from that site. Extensions can easily do "bad" things of one sort or another (delete bookmarks or hide all the GUI widgets or something). You have to go add a site to the whitelist, it isn't like it can add itself somehow.

      RTFA. The site that runs the exploit does not have to be on the site you whitelisted. Part of the exploit is that it can pretend to be a site you whitelisted. The other part is that it can sneak in some javascript code where it shouldn't be able to (an icon url).

      Contrary to the grandparent post, it is not enough that mozilla has updated their site. That mitigates only part of the problem, and only if you haven't whitelisted other sites.

      Until 1.0.4 comes out, disable javascript.

      --
      Ironically, the word ironically is often used incorrectly.
  2. Solution by cryptocom · · Score: 5, Informative

    Tools/Options/Web Features/"Allow web sites to install software" - uncheck it. I don't know why this isn't unchecked by default.

    --
    It takes just a moment and an action to destroy. It takes some time and thought to create.
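
One reply in the thread notes that part of the flaw was script code accepted in a field meant for an icon URL. The check below is an added example, not code from the thread or from Mozilla: a scheme allowlist for such a field, where the function name `checkIconUrl`, the base page and all sample values are constructed for illustration.

```javascript
// Added example: validate a URL supplied for an "icon" field before using it.
// Only the schemes an image fetch legitimately needs are accepted.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns { ok: true, href } or { ok: false, reason }.
// `pageUrl` is the URL of the page that supplied the value (used to resolve
// relative icon paths); it is a hypothetical parameter for this example.
function checkIconUrl(raw, pageUrl) {
  if (typeof raw !== "string" || raw.length === 0) {
    return { ok: false, reason: "empty" };
  }
  // URL parsers strip tabs, newlines and leading control characters, so
  // "java\tscript:" parses as "javascript:". Reject such input outright
  // instead of depending on how a given parser normalizes it.
  if (/[\u0000-\u0020\u007f]/.test(raw)) {
    return { ok: false, reason: "control-or-space" };
  }
  let url;
  try {
    url = new URL(raw, pageUrl);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  // url.protocol is already lower-cased, so "JaVaScRiPt:" is caught here.
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: "scheme " + url.protocol + " not allowed" };
  }
  return { ok: true, href: url.href };
}

// Constructed sample inputs, as if taken from an install request.
const PAGE = "https://example.org/themes/";
const samples = [
  "icons/theme.png",            // relative path, resolves to https
  "https://example.org/i.png",  // absolute https
  "JaVaScRiPt:void(0)",         // script scheme, mixed case
  "java\tscript:void(0)",       // script scheme split by a tab
  "data:image/png;base64,AAAA", // non-network scheme
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(checkIconUrl(s, PAGE)));
}
```
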