More firefox trouble
What is particularly unusual about this disclosure is that it came not from the person who discovered the vulnerability, but from a third party who became privy to discussions about the vulnerability. While one might hope that the ethics of vulnerability disclosure would preclude "outing" a security vulnerability, particularly one discovered by another party, prior to the public release of a fix when it's known the vendor or project is actively working on the issue, the cat is out of the bag now.
The first vulnerability relates to "IFRAME" JavaScript URLs, which can allow an attacker to execute arbitrary code in a user's session. Alone, it could allow malicious sites to steal information from sites previously visited. The second vulnerability is in the "IconURL" parameter of "InstallTrigger.install()", which is not properly verified. This can be exploited to run JavaScript with the escalated privileges of a "Chrome script." The combination of both vulnerabilities can allow whitelisted sites, or sites masquerading as a whitelisted site, to take any action as the user, including administrative actions if the user has admin privileges. (This is one of the reasons why users should not make a habit of running as root.)
By default, the Mozilla Update websites were on the Firefox whitelist. The Mozilla Foundation has applied a server-side change to prevent attackers from using those sites. However, users who have added other sites to their whitelist may be at risk on those sites -- though an attacker would need to be able to guess what site a user has whitelisted.
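To make the two conditions above concrete, here is an added example (not Mozilla's code, and not how Firefox 1.0.x actually implemented the check) modelling the verification a software-install entry point should apply: the requesting site must be on the install whitelist, and the icon URL it hands over must resolve to an http(s) resource on that same site, so a `javascript:` or other privileged scheme never reaches chrome-privileged code. The whitelist entries and the same-origin rule for icons are assumptions made for the example.

```javascript
// Added example, not from the article or from Mozilla. Models the check that
// InstallTrigger.install() should apply before acting on its IconURL parameter.
// Assumption: an icon URL is only acceptable when it is http(s) and same-origin
// with the installing site. Whitelist entries below are constructed samples.
const INSTALL_WHITELIST = new Set([
  "https://update.mozilla.org",   // constructed sample entries
  "https://addons.mozilla.org",
]);

// Parse a URL the way a browser would; return null on anything unparseable.
function parseUrl(raw, base) {
  try {
    return new URL(raw, base);
  } catch (e) {
    return null;
  }
}

// Decide whether an install request from `pageOrigin` carrying `iconURL` may
// proceed. Returns an object so a caller can log the reason for a refusal.
function checkInstallRequest(pageOrigin, iconURL) {
  if (!INSTALL_WHITELIST.has(pageOrigin)) {
    return { allowed: false, reason: "origin not whitelisted" };
  }
  // Resolve relative icon paths against the requesting page, as a browser
  // would, and verify the scheme before anything is loaded or executed.
  const icon = parseUrl(iconURL, pageOrigin + "/");
  if (icon === null) {
    return { allowed: false, reason: "icon URL unparseable" };
  }
  if (icon.protocol !== "https:" && icon.protocol !== "http:") {
    // javascript:, data:, chrome: and similar schemes are all refused here.
    return { allowed: false, reason: "icon scheme " + icon.protocol + " not allowed" };
  }
  if (icon.origin !== pageOrigin) {
    return { allowed: false, reason: "icon URL is cross-origin" };
  }
  return { allowed: true, reason: "ok" };
}
```

A non-whitelisted origin is refused before the icon URL is even parsed, which matches the server-side mitigation the article describes for the Mozilla Update sites.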
We talked to Chris Hofmann, Mozilla's director of engineering, about the most recent vulnerabilities and Mozilla's security record in general. According to Hofmann, the vulnerability is cross-platform and could potentially affect users of Firefox 1.0.3 on any platform. Hofmann said that the Mozilla Foundation was not aware of any exploits in the wild, and that the premature disclosure of the vulnerability was "a pretty rare exception".
We also asked Hofmann if he thought it would be possible to catch all of these vulnerabilities at some point in the future. In short, it looks like the answer is pretty much "no," given the complexity of a Web browser and the nature of the interfaces between its components, whose interactions are not completely understood.
At this time, there is not a final Firefox 1.0.4 release, but there are candidate builds available with security fixes and a fix for a DHTML regression in 1.0.3. At a minimum, users should disable software installation until 1.0.4 is available.
Index entries for this article |
---|---
GuestArticles | Brockmeier, Joe
Posted May 12, 2005 10:12 UTC (Thu)
by eru (subscriber, #2753)
(1 responses)
By the way, does anyone know if the bugs affected Mozilla "Classic" as well?

Posted May 12, 2005 14:56 UTC (Thu)
by alspnost (guest, #2763)
Yes, they do - and Mozilla 1.7.8 has been released to address them!

Posted May 16, 2005 2:25 UTC (Mon)
by apollock (subscriber, #14629)
I guess what I'm trying to get a handle on is was https://bugzilla.mozilla.org/show_bug.cgi?id=292691 publicly accessible after it was first submitted? It doesn't seem to be now.
If so, it's no wonder some nefarious person went "ooh, look a new vulnerability bug report" and made off with it to do all sorts of unpleasant things.
We've seen similar problems with Linux kernel commits as well.
When all development is done in the public eye, you are going to have this problem. I'm not saying public development is a bad thing, but this sort of behaviour is a negative side-effect of it and needs to be handled accordingly.

There is now an official fix at
http://www.mozilla.org/products/firefox/releases/1.0.4.html