
Mozilla Firefox Two Vulnerabilities

Filed under
Security

Classified as "Extremely critical": two vulnerabilities have been discovered in Firefox which can be exploited by malicious people to conduct cross-site scripting attacks and to compromise a user's system.

Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

1) "IFRAME" JavaScript URLs are not properly protected from being executed in the context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an arbitrary site.

2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

Successful exploitation of vulnerability 2 requires that the site is allowed to install software (by default only "update.mozilla.org" and "addons.mozilla.org" are).

Vulnerabilities 1 and 2 can be combined to execute arbitrary code.

NOTE: Exploit code is publicly available.

The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.

Solution:
Disable JavaScript.
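The workaround above, and the install-site restriction mentioned under vulnerability 2, are both Firefox preferences. The following is an added example (not part of the advisory or of Mozilla's code) that audits a Firefox profile's user.js or prefs.js for them: it parses user_pref(...) lines and reports whether JavaScript is still enabled and whether any site beyond the two defaults quoted in the advisory is allowed to install software. The pref names javascript.enabled and xpinstall.enabled are real; xpinstall.whitelist.add is assumed here to hold the comma-separated list of hosts seeded into the install whitelist, and the sample user.js content is constructed for the demonstration.

```javascript
// Added example: audit Firefox prefs for the advisory's mitigations.
// Sites that may install software by default, as quoted in the advisory.
const DEFAULT_INSTALL_SITES = ["update.mozilla.org", "addons.mozilla.org"];

// Constructed sample user.js (not a real profile): JavaScript disabled, but one
// extra host has been added to the software-install whitelist.
const SAMPLE_USER_JS = [
  '// constructed sample profile for the audit',
  'user_pref("javascript.enabled", false);',
  'user_pref("xpinstall.enabled", true);',
  'user_pref("xpinstall.whitelist.add", "update.mozilla.org,addons.mozilla.org,example.test");',
].join("\n");

// Parse user_pref("name", value); lines into an object. Values are booleans,
// integers or double-quoted strings; anything else is ignored.
function parseUserJs(text) {
  const prefs = {};
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$/;
  for (const line of text.split(/\r?\n/)) {
    if (/^\s*(\/\/|$)/.test(line)) continue; // skip comments and blank lines
    const m = re.exec(line);
    if (!m) continue; // not a pref line
    const [, name, raw] = m;
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (/^-?\d+$/.test(raw)) value = parseInt(raw, 10);
    else if (/^".*"$/.test(raw)) value = raw.slice(1, -1);
    else continue; // unrecognised literal
    prefs[name] = value;
  }
  return prefs;
}

// Return a list of findings; an empty list means both mitigations are in place.
function auditPrefs(prefs) {
  const findings = [];
  if (prefs["javascript.enabled"] !== false) {
    findings.push("javascript.enabled is not false: advisory workaround not applied");
  }
  // If software installation is disabled outright, the install whitelist is moot.
  if (prefs["xpinstall.enabled"] !== false) {
    // Assumption: xpinstall.whitelist.add lists the hosts allowed to install;
    // when it is absent, Firefox's built-in defaults apply.
    const raw = prefs["xpinstall.whitelist.add"];
    const whitelist = typeof raw === "string"
      ? raw.split(",").map((s) => s.trim()).filter(Boolean)
      : DEFAULT_INSTALL_SITES;
    const extra = whitelist.filter((site) => !DEFAULT_INSTALL_SITES.includes(site));
    if (extra.length > 0) {
      findings.push(`non-default sites allowed to install software: ${extra.join(", ")}`);
    }
  }
  return findings;
}

// Run the audit over the constructed sample.
function auditSample() {
  return auditPrefs(parseUserJs(SAMPLE_USER_JS));
}

for (const finding of auditSample()) console.log("FINDING:", finding);
```

Running it against the constructed sample reports only the extra whitelisted host, since JavaScript is already disabled there; a profile with JavaScript left on and the default whitelist produces exactly one finding, and one with both JavaScript and software installation disabled produces none.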

