
Mozilla Firefox Two Vulnerabilities

Filed under
Security

Two vulnerabilities, classified as "Extremely critical", have been discovered in Firefox. They can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in the context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an arbitrary site.

2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

A combination of vulnerabilities 1 and 2 can be exploited to execute arbitrary code.

NOTE: Exploit code is publicly available.

The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.
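The check missing in vulnerability 2 is a scheme allow-list applied to a URL before a privileged component uses it. The sketch below is an added example, not Mozilla's code or its fix; `sanitizeIconURL`, `ALLOWED_SCHEMES` and the sample inputs are assumptions made up for illustration.

```javascript
// Added example: scheme allow-list for an icon URL handed to a privileged API.
// sanitizeIconURL and ALLOWED_SCHEMES are hypothetical names, not Firefox internals.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized absolute URL if it is acceptable, otherwise null.
function sanitizeIconURL(iconURL, pageURL) {
  if (typeof iconURL !== "string" || iconURL.length === 0) return null;
  let parsed;
  try {
    // Parse first, then decide. The URL parser lowercases the scheme, strips
    // leading whitespace and drops embedded tab/newline characters, so the
    // check below sees the scheme that would really be loaded. Relative
    // paths are resolved against the calling page.
    parsed = new URL(iconURL, pageURL);
  } catch (e) {
    return null; // unparseable input is rejected, never passed through
  }
  // Allow-list, not deny-list: javascript:, data:, file: and any scheme
  // nobody thought of are all refused by default.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Constructed sample inputs (not taken from any real exploit).
const PAGE = "https://addons.mozilla.org/extensions/";
const SAMPLES = [
  "icons/addon.png",             // relative path, resolved against PAGE
  "https://example.com/i.png",   // absolute https URL
  "javascript:void(0)",          // script URL
  "  JavaScript:void(0)",        // leading spaces and mixed case
  "java\tscript:void(0)",        // embedded tab inside the scheme
  "data:image/png;base64,AAAA",  // inline data URL
];

// Maps every sample to the sanitized URL, or null when it is refused.
function runSamples() {
  return SAMPLES.map((s) => sanitizeIconURL(s, PAGE));
}

for (const [i, r] of runSamples().entries()) {
  console.log(JSON.stringify(SAMPLES[i]), "->", r === null ? "REJECTED" : r);
}
```

A naive prefix test such as `iconURL.startsWith("javascript:")` would pass the fourth and fifth samples, which is why the decision is made on the parsed scheme.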

Solution:
Disable JavaScript.
