2 Firefox Security Flaws Lead to Exploit Potential

Marthisdil points out a News.com story which reports that "Two vulnerabilities in the popular Firefox browser have been rated "extremely critical" because exploit code is now available to take advantage of them." Security firm Secunia reported the vulnerabilities (and the "extremely critical" rating is theirs), but the News.com story points out that thus far, "no known cases have yet emerged where an attacker took advantage of the public exploit code." Update: 05/09 20:20 GMT by T : Rebron of the Mozilla Foundation sends a correction; this is really the same flaw reported yesterday. He suggests that you glance at the Mozilla security alert on this hole (as well other alerts at the Mozilla Security Center), and says "The Mozilla Foundation has made changes to our update servers that will protect users from this arbitrary code execution exploit."

And to think...

[oskard]

I JUST got through explaining to my parents why Firefox is a safer alternative.

Bug Details

[Talian]

Before everyone freaks out, take a look at the bug notes to get the details.

Exploitation requires the javascript bug AND a whitelisted site. The only default whitelisted site is the update.mozilla.org, and they have made changes to mitigate the problem on their end.

So unless you've whitelisted a lot of extra sites to install themes or extensions, this is not a huge risk. To be sure, disable install "Allow websites to install software" under options | web features, and if really worried, disable javascript.

Re:Bug Details

[That's+Unpossible!]

eah, I don't really see how this "exploit" is really an exploit at all. If you whitelist a site, that means you can already install an XPI from that site. Extensions can easily to "bad" things of one sort or another (delete bookmarks or hide all the GUI widgets or something). You have to go add a site to the whitelist, it isn't like it can add itself somehow.

RTFA. The site that runs the exploit does not have to be on the site you whitelisted. Part of the exploit is that it can pretend to be a site you whitelisted. The other part is that it can sneak in some javascript code where it shouldn't be able to (an icon url).

Contrary to the grandparent post, it is not enough that mozilla has updated their site. That mitigates only part of the problem, and only if you haven't whitelisted other sites.

Until 1.0.4 comes out, disable javascript.

Re:sorry..

[ViperG]

Well, I would agree, but then why does slashdot post every IE bug that comes up?

Mozilla's Security?

[sterno]

Mozilla and Firefox have been recommended as alternatives to IE for security reasons. Yet, lately, it seems that there's quite a lot of security problems being uncovered in Firefox. So I'm trying to figure out how to read this.

I suspect that Firefox is somewhat more secure on the simple basis that it is not as tightly integrated with the rest of the operating system as IE is. What makes IE exploits so nasty is that they tend to become email and other exploits too.

My concern is that if Firefox gains some more ground and does become a more active target for exploits, that it may become a poster child Microsoft can use to point out that open source software's "many eyes" theory is hogwash. Maybe it is hogwash.

Re:Mozilla's Security?

[Uruk]

A few points to consider when you're evaluating the security of software:

• Security issue visibility is not the same thing as security. Just because IE has more exploits publicized (or Firefox has more) doesn't actually mean they're more or less secure, it means they're getting more public attention about their security. Important difference. If someone has an objective, quantitative, and verifiable way of measuring a piece of software's security so that we can actually make these comparisons, I'd love to see it
• The more users use a piece of software, the more it will be targeted. But again, that's not the same thing as saying "the more it will be exploited"
• Most users ultimately decide based on personal experience, which typically trumps abstract reporting. Have you ever had a problem with Firefox? Have you ever had a problem with IE? I'd suspect most people who switched to Firefox did it because they actually experienced a problem with IE, not because it was more ideologically pure.

What Firefox needs is...

[turbofisk]

What Firefox (and the rest of the suite) is a good way to upgrade the software, without installing everything as a new user would... This is something they really should fix...

It was expected

[mpontes]

With the spotlight on Firefox, it's obvious a lot more crackers and hackers are going to start looking at Mozilla Foundation's code. While previously there was little incentive for crackers to exploit vulnerabilities in MoFo's code, you can't say that now, with all the attention Firefox caught.

It's up to MoFo to fix their software as soon as vulnerabilities are reported now. The play time is over, from now on it's going to be Browser Wars II: The Security Menace.

Does this affect Mozilla also?

[llzackll]

I'm a Mozilla user. I don't use Firefox. I'm guessing that Mozilla is affected by this as well, but every time a security flaw is found, only Firefox is mentioned.

Solution

[cryptocom]

Tools/Options/Web Features/"Allow web sites to install software" - uncheck it. I don't know why this isn't unchecked by default.