Language Selection

English French German Italian Portuguese Spanish

Mozilla Firefox Two Vulnerabilities

Filed under
Security

Classified Extremely critical, two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.

NOTE: Exploit code is publicly available.

The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.

Solution:
Disable JavaScript.

Linkage.

More in Tux Machines

Security Leftovers

  • DNS server attacks begin using BIND software flaw
    Attackers have started exploiting a flaw in the most widely used software for the DNS (Domain Name System), which translates domain names into IP addresses. Last week, a patch was issued for the denial-of-service flaw, which affects all versions of BIND 9, open-source software originally developed by the University of California at Berkeley in the 1980s.
  • Researchers Create First Firmware Worm That Attacks Macs
    The common wisdom when it comes to PCs and Apple computers is that the latter are much more secure. Particularly when it comes to firmware, people have assumed that Apple systems are locked down in ways that PCs aren’t. It turns out this isn’t true. Two researchers have found that several known vulnerabilities affecting the firmware of all the top PC makers can also hit the firmware of MACs. What’s more, the researchers have designed a proof-of-concept worm for the first time that would allow a firmware attack to spread automatically from MacBook to MacBook, without the need for them to be networked.

Brocade CEO: Transition To Open Source Will Be Difficult For Cisco

Communications CEO Lloyd Carney said traditional vendors like Cisco will have a tough time adapting to a more software-defined, open source space. That's because traditional vendors like Cisco's revenue streams are tied to closed architectures, Carney said. Read more

Open Source Players Show Dedication To Heightening Security Measures

The Wall Street Journal recently reported that the Core Infrastructure Initiative, a group formed last year after the Heartbleed bug targeted vulnerabilities in OpenSSL encryption software, has invested $500,000 in three new projects aimed at improving the security of open source code. Participants in the Core Infrastructure Initiative include large corporations such as Microsoft, Facebook, and Cisco Systems; it is managed by the nonprofit Linux Foundation. This collaboration demonstrates a desire from both the open source community and technology leaders to preserve free and open standards while continuing to make security a top priority. Read more

ExtremeTech explains: Why you should (or shouldn’t) root your Android device

Android is based on the Linux kernel, so right from the start, tinkerers and power users were interested in gaining root access to make changes and graft on new features. In the early days, this was a fairly simple procedure on most devices. There were several apps and tools that could root almost any Android phone or tablet, and you’d be ready to truly master your device in mere minutes. As Android became more capable, the allure of rooting has diminished somewhat — and it’s also much harder than it used to be. Read more