Firefox Critical Flaws Discovered

Ice Czar

http://secunia.com/advisories/15292/

Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.

NOTE: Exploit code is publicly available.

The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.

Solution:

Disable JavaScript.

To that end:
noscript.exe (direct download)
indirect: http://www.sarc.com/avcenter/venc/data/win.script.hosting.html

and/or

AnalogX Script Defender
 
I always put those two on everything out of habit, although I never install Windows Script Hosting. I assume that noscript.exe does nothing one way or the other because of that, but it would be nice if AnalogX had a file other than the .vbs file to test the program. The supplied .vbs test file always opens in notebook on my XP machines, and Wormguard always prevents it from opening on Windows 2000 machines. I have never seen either program in action here, although NOD32 and Wormguard have caught exploit attempts from time to time.
 
Seems there is an update:
http://secunia.com/advisories/15292/
Solution:
1) Disable JavaScript.

2) Disable software installation: Options --> Web Features --> "Allow web sites to install software"

NOTE: A temporary solution has been added to the sites "update.mozilla.org" and "addons.mozilla.org" where requests are redirected to "do-not-add.mozilla.org". This will stop the publicly available exploit code using a combination of vulnerability 1 and 2 to execute arbitrary code in the default settings of Firefox.


https://do-not-add.mozilla.org/
To address security concerns, we have made a number of changes, including temporarily changing the URL for this site. If prompted, please DO NOT add this new URL (do-not-add.mozilla.org) to your Allowed Sites or White List.

Which I gather is to address the cross-site scripting attacks.

http://www.cgisecurity.com/articles/xss-faq.shtml

"What is Cross Site Scripting?"

Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website. Many popular guestbook and forum programs allow users to submit posts with html and javascript embedded in them. If for example I was logged in as "john" and read a message by "joe" that contained malicious javascript in it, then it may be possible for "joe" to hijack my session just by reading his bulletin board post. Further details on how attacks like this are accomplished via "cookie theft" are explained in detail below.

"What are the threats of Cross Site Scripting?"

Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user (Read below for further details) in order to gather data from them. Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. New malicious uses are being found every day for XSS attacks. The post below by Brett Moore brings up a good point with regard to "Denial Of Service", and potential "auto-attacking" of hosts if a user simply reads a post on a message board.

http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0311.html
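The guestbook scenario the FAQ above describes, as an added Python example that is not part of the thread or of the cgisecurity FAQ: a constructed link (the host and parameter names are made up) whose message parameter is hex (percent) encoded, the page that echoes it raw beside the entity-encoded fix, and a decode-then-inspect check of the kind a log reviewer or filter would run.

```python
import html
from typing import Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample link (hypothetical host and parameters): "msg" carries a
# percent-encoded script tag, which hides the payload from a casual glance.
SAMPLE_LINK = ("http://guestbook.example/post?name=joe"
               "&msg=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E")


def extract_message(link: str) -> Tuple[str, str]:
    """Decode the query string exactly as the web application would."""
    params = parse_qs(urlsplit(link).query)
    return params.get("name", [""])[0], params.get("msg", [""])[0]


def render_vulnerable(name: str, msg: str) -> str:
    """Guestbook page that echoes user input verbatim: the XSS defect."""
    return f"<p><b>{name}</b> wrote: {msg}</p>"


def render_safe(name: str, msg: str) -> str:
    """Same page with HTML entity encoding on every untrusted value."""
    return f"<p><b>{html.escape(name)}</b> wrote: {html.escape(msg)}</p>"


# Coarse markers for a log or filter check; a real filter needs more.
SUSPICIOUS = ("<script", "javascript:", "vbscript:", "onerror=", "onload=")


def looks_like_injection(raw_link: str) -> bool:
    """Inspect the link only after percent-decoding and lowercasing:
    the encoded form "%3Cscript" would never match the plain marker."""
    decoded = unquote(raw_link).lower()
    return any(marker in decoded for marker in SUSPICIOUS)


if __name__ == "__main__":
    name, msg = extract_message(SAMPLE_LINK)
    print("vulnerable:", render_vulnerable(name, msg))
    print("hardened:  ", render_safe(name, msg))
    print("flagged:   ", looks_like_injection(SAMPLE_LINK))
```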
 
sleepkyng said:
someone want to spell this out to me in newb language?

Disable JavaScript, or verify that the only trusted sites are "update.mozilla.org" and "addons.mozilla.org".

http://www.techworld.com/news/index.cfm?RSS&NewsID=3619

An attacker could create a malicious page using frames and a JavaScript history flaw to make software installations appear to be coming from a "trusted" site. By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist.

The second part of the exploit triggers software installation using an input verification bug in the "IconURL" parameter in the install mechanism. The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox, according to researchers.

Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, users may be vulnerable if they have added other sites to the whitelist, it warned.

"We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement published on Mozillazine.org.

GJSNeptune said:
Is it just me, or is there a clone of this in Operating Systems?

It's just you :p
There's nobody here but us chickens.
 