Wednesday, May 11, 2005

Zero-Day Firefox Exploit Sends Mozilla Scrambling

For the fourth time in three months, major security flaws in the upstart Firefox Web browser have pushed volunteers at the Mozilla Foundation into damage-control mode.

Mozilla's public acknowledgement of the vulnerabilities includes a chilling warning that an attacker could combine the flaws to execute malicious code without user interaction.

Firefox users are urged to disable JavaScript immediately as a temporary workaround. Additionally, Mozilla recommends that the browser's software installation feature be disabled. This can be done by unchecking the "Allow web sites to install software" box, which can be found by selecting Options on the Tools menu and then Web Features.

In a public advisory, Sequoia said the problem was detected in the way "IFRAME" JavaScript URLs are protected from being executed in the context of another URL in the history list.

"This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site," Sequoia warned in its advisory.

Additionally, input passed to the "IconURL" parameter in the browser's "InstallTrigger.install()" feature is not properly verified before being used. "This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL," the company said.

By default, only the Mozilla Foundation update site is allowed to bring up the software installation dialog, but the script injection vulnerability allows the flaw to be exploited from any malicious site.
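The "IconURL" flaw described above is a missing scheme check on a caller-supplied URL. The following is an added example, not Mozilla's actual fix or code from the advisory. It contrasts a prefix blocklist with a scheme allowlist applied after parsing, and the function names, the sample page URL and the sample inputs are all constructed for illustration.

```javascript
// Added example: allowlist check for an install-icon URL (hypothetical helper names).
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Weak check: rejects only the exact lowercase prefix "javascript:".
function naiveBlocklist(raw) {
  return !raw.startsWith("javascript:");
}

// Stronger check: resolve the value the way a browser would, then allow only
// schemes that cannot carry script. pageUrl is the URL of the requesting page.
function isSafeIconUrl(raw, pageUrl) {
  if (typeof raw !== "string" || raw.length === 0) return false;
  let resolved;
  try {
    // The URL parser trims leading spaces, removes tabs/newlines and
    // lowercases the scheme, so disguised schemes are normalised first.
    resolved = new URL(raw, pageUrl);
  } catch {
    return false; // unparseable input is rejected, not passed through
  }
  return ALLOWED_SCHEMES.has(resolved.protocol);
}

// Constructed sample inputs (not taken from the advisory).
const PAGE = "https://extensions.example.test/addons/index.html";
const SAMPLES = [
  "icons/addon.png",
  "https://cdn.example.test/addon.png",
  "javascript:void(0)",
  "JavaScript:void(0)",
  "  javascript:void(0)",
  "java\tscript:void(0)",
  "data:text/html,<b>x</b>",
];

// Run both checks over every sample so the differences are visible side by side.
function audit(samples, pageUrl) {
  return samples.map((raw) => ({
    raw,
    naive: naiveBlocklist(raw),
    allowlist: isSafeIconUrl(raw, pageUrl),
  }));
}

for (const row of audit(SAMPLES, PAGE)) {
  console.log(JSON.stringify(row));
}
```

Rows where `naive` is true and `allowlist` is false are the inputs a prefix blocklist would have let through.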

Click the heading to read the full article or visit www.greyhatsecurity.org/firefox.htm