My Humble Blogworld

"To be, or not to be: that is the question: Whether 'tis nobler in the mind to suffer The slings and arrows of outrageous fortune" William Shakespeare, "Hamlet" (1600-01)

Monday, May 09, 2005

Mozilla Firefox Vulnerabilities

Firefox users! Beware of an UNPATCHED, UNSOLVED vulnerability which affects Firefox browsers (1.0.3)!

There are two vulnerabilities, and they would allow an attacker to conduct cross-site scripting attacks and compromise your system.

The first is a problem with IFRAME JavaScript URLs, which are executed in the context of another URL in the history list. An attacker could exploit this to execute his/her malicious code!

The second is that the IconURL parameter of "InstallTrigger.install()" is not properly verified. This is particularly useful to an attacker for carrying out privilege escalation attacks, simply through a specially crafted URL!
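As an added illustration (not from the original post and not Mozilla's actual fix), this is the kind of verification the IconURL value was missing: resolve it against the installing page and accept only http/https. The function names, the sample URLs and the shape of the install request object are assumptions.

```javascript
// Added example: scheme allow-list for the IconURL value passed to
// InstallTrigger.install(). Function names are hypothetical.
const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);

// Returns the resolved icon URL if it is safe to load, otherwise null.
function safeIconUrl(iconUrl, pageUrl) {
  if (typeof iconUrl !== "string" || iconUrl === "") return null;
  let resolved;
  try {
    // The URL parser trims leading control characters and strips tabs and
    // newlines, so " \tJavaScript:..." is classified as a browser would.
    resolved = new URL(iconUrl, pageUrl);
  } catch (e) {
    return null; // unparseable input is rejected, never passed through
  }
  return ALLOWED_ICON_SCHEMES.has(resolved.protocol) ? resolved.href : null;
}

// Screens every entry of an install request (assumed shape:
// { "Name": { URL: "...", IconURL: "..." } }) and drops unsafe icons.
function sanitizeInstallRequest(packages, pageUrl) {
  const result = { packages: {}, rejectedIcons: [] };
  for (const [name, entry] of Object.entries(packages)) {
    const clean = { URL: entry.URL };
    if (entry.IconURL !== undefined) {
      const icon = safeIconUrl(entry.IconURL, pageUrl);
      if (icon === null) result.rejectedIcons.push(name);
      else clean.IconURL = icon;
    }
    result.packages[name] = clean;
  }
  return result;
}

// Constructed sample input (not taken from any real page).
const sample = {
  "Good": { URL: "https://addons.example/good.xpi", IconURL: "icons/good.png" },
  "Bad": { URL: "https://addons.example/bad.xpi", IconURL: " \tJavaScript:void(0)" },
};
console.log(sanitizeInstallRequest(sample, "https://addons.example/list/"));
```

Classifying the value only after parsing matters here: a string comparison against "javascript:" would miss the mixed-case, whitespace-padded form in the sample.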

Solution?

Well, the easiest solution at this point in time would be to disable JavaScript, or to disable the "Allow web sites to install software" option under Tools > Options > Web Features.



Example of exploit code - Only Proof of Concept !

3 Comments:

At 1:42 PM, Blogger invadesoda said...

Good find!

Although I am happy to use Firefox at home for its feature set, I've never been under any illusions that it somehow would never need security updates, as some of its more enthusiastic supporters have implied.

As Firefox gains in market share, it will undoubtedly become a tempting target for malware.

 
At 2:10 PM, Blogger Srimadhava said...

Definitely sure about that..

IE 6.x has had 80 advisories, of which 34 advisories were extremely critical, and 3 critical advisories are still unpatched after several months.

Firefox 1.x has had 16 advisories, of which 3 advisories were extremely critical, and only 1 critical advisory is still unpatched, but it's only been in that state for a few days, and a patch is on its way.

Well at least I hope..

At this point the odds with Firefox seem to be better.. but hey who knows... in the future..

Firefox might beat IE at security holes! ;)

 
At 2:10 PM, Blogger Srimadhava said...

Having said that.. I still have to say the Mozilla Foundation is doing a great job!

Kudos guys!

 
