Firefox Exploit Targets Zero Day Vulns
09-05-2005, 12:50
|
#1
|
|
.
Join Date: Jun 2003
Posts: 6,239
|
Firefox Exploit Targets Zero Day Vulns
Quote:
|
Originally Posted by El Reg
Security researchers have discovered two unpatched vulnerabilities in Firefox, the popular alternative web browser. The security bugs affect even the latest version of Firefox (version 1.0.3) and create a means for attackers to seize control of vulnerable systems using cross-site scripting attacks.
One vulnerability enables arbitrary JavaScript code with escalated privileges to be executed via a specially crafted JavaScript URL. Successful exploitation requires that a site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org"). This would normally drastically reduce the scope for mischief - but for a second security bug, involving "IFRAME" JavaScript URLs, which creates a means to execute arbitrary HTML and script code in the context of an arbitrary site.
|
More Info Here....
|
|
|
09-05-2005, 12:51
|
#2
|
|
Google it!!
Join Date: Jun 2003
Location: Essex
Age: 34
Services: Sky Digital + 16Mb ADSL
BT Telephone
Posts: 14,929
|
New FF vulnerability found
0 Day exploit
Quote:
Security researchers have discovered two unpatched vulnerabilities in Firefox, the popular alternative web browser. The security bugs affect even the latest version of Firefox (version 1.0.3) and create a means for attackers to seize control of vulnerable systems using cross-site scripting attacks.
One vulnerability enables arbitrary JavaScript code with escalated privileges to be executed via a specially crafted JavaScript URL. Successful exploitation requires that a site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org"). This would normally drastically reduce the scope for mischief - but for a second security bug, involving "IFRAME" JavaScript URLs, which creates a means to execute arbitrary HTML and script code in the context of an arbitrary site.
A combination of the two vulnerabilities can be exploited to execute arbitrary code on vulnerable systems, according to Danish security firm Secunia. Exploit code is publicly available, greatly increasing the chance of attack, it warns. The vulnerabilities - described by Secunia as "extremely critical" - have been confirmed in version 1.0.3 of Firefox. Other versions may also be affected.
Users are advised to disable JavaScript and the software installation option within Firefox pending a more comprehensive fix from the Mozilla Foundation. ®
|
|
|
|
09-05-2005, 12:53
|
#3
|
|
Google it!!
Join Date: Jun 2003
Location: Essex
Age: 34
Services: Sky Digital + 16Mb ADSL
BT Telephone
Posts: 14,929
|
Re: Firefox Exploit Targets Zero Day Vulns
|
|
|
09-05-2005, 12:58
|
#4
|
|
.
Join Date: Jun 2003
Posts: 6,239
|
Re: Firefox Exploit Targets Zero Day Vulns
Quote:
|
Originally Posted by Paul
|
And I posted it in the correct forum too.....
|
|
|
09-05-2005, 13:01
|
#5
|
|
We are watching...
Join Date: Jun 2003
Location: Swinton
Age: 34
Services: Virgin Media
Posts: 7,802
|
Re: Firefox Exploit Targets Zero Day Vulns
__________________
The road to hell is paved with good intentions
|
|
|
10-05-2005, 17:30
|
#6
|
|
We are watching...
Join Date: Jun 2003
Location: Swinton
Age: 34
Services: Virgin Media
Posts: 7,802
|
Re: Firefox Exploit Targets Zero Day Vulns
...and a bit more info here
__________________
The road to hell is paved with good intentions
|
|
|
10-05-2005, 20:14
|
#7
|
|
Google it!!
Join Date: Jun 2003
Location: Essex
Age: 34
Services: Sky Digital + 16Mb ADSL
BT Telephone
Posts: 14,929
|
Re: Firefox Exploit Targets Zero Day Vulns
Already seen reports of 1.0.4 version that is patched against the vulnerability. Wonder when they will release it?
|
|
|
10-05-2005, 21:29
|
#8
|
|
Karateka
Join Date: Dec 2003
Age: 33
Posts: 7,098
|
Re: Firefox Exploit Targets Zero Day Vulns
I think this could be a good opportunity for demonstrating how quickly a fix can be prepared within the open source community. I'm not surprised there are flaws in Firefox (I would be surprised if there weren't any!), so the key is getting the fixes shipped quickly.
__________________
Quidquid latine dictum sit, altum sonatur.
|
|
|
11-05-2005, 21:13
|
#9
|
|
Karateka
Join Date: Dec 2003
Age: 33
Posts: 7,098
|
Re: Firefox Exploit Targets Zero Day Vulns
Well, almost 24 hours since my last post, you can now get FF 1.04 from here: http://ftp.mozilla.org/pub/mozilla.o...t-aviary1.0.1/
Alternatively, this will filter through the normal channels over the next few hours, so you'll be able to upgrade from getfirefox.com soon too.
__________________
Quidquid latine dictum sit, altum sonatur.
|
|
|
11-05-2005, 21:20
|
#10
|
|
We are watching...
Join Date: Jun 2003
Location: Swinton
Age: 34
Services: Virgin Media
Posts: 7,802
|
Re: Firefox Exploit Targets Zero Day Vulns
Quote:
|
Originally Posted by Gareth
Well, almost 24 hours since my last post, you can now get FF 1.04 from here: http://ftp.mozilla.org/pub/mozilla.o...t-aviary1.0.1/
Alternatively, this will filter through the normal channels over the next few hours, so you'll be able to upgrade from getfirefox.com soon too.
|
Those are release candidates that are available.
__________________
The road to hell is paved with good intentions
|
|
|
11-05-2005, 21:51
|
#11
|
|
cf.mega poster
Join Date: Jun 2003
Age: 29
Posts: 6,273
|
Re: Firefox Exploit Targets Zero Day Vulns
Yet another example of how Firefox is better, security wise.
Not one IT professional I know runs IE.
|
|
|
11-05-2005, 22:10
|
#12
|
|
Karateka
Join Date: Dec 2003
Age: 33
Posts: 7,098
|
Re: Firefox Exploit Targets Zero Day Vulns
Quote:
|
Originally Posted by Mal
Those are release candidates that are available. 
|
Heh, yeah... forgot to mention that. Best wait if you don't like installing RC's
__________________
Quidquid latine dictum sit, altum sonatur.
|
|
|
12-05-2005, 07:18
|
#13
|
|
Google it!!
Join Date: Jun 2003
Location: Essex
Age: 34
Services: Sky Digital + 16Mb ADSL
BT Telephone
Posts: 14,929
|
Re: Firefox Exploit Targets Zero Day Vulns
|
|
|
12-05-2005, 09:30
|
#14
|
|
Google it!!
Join Date: Jun 2003
Location: Essex
Age: 34
Services: Sky Digital + 16Mb ADSL
BT Telephone
Posts: 14,929
|
Re: Firefox Exploit Targets Zero Day Vulns
|
|
|
12-05-2005, 10:34
|
#15
|
|
cf.mega poster
Join Date: Jun 2003
Age: 29
Posts: 6,273
|
Re: Firefox Exploit Targets Zero Day Vulns
Kinda unrelated but I found this comment in the Firefox source code:
Quote:
// C++ sucks! There's no way to do this with a macro, at least not
// that I know, if you know how to do this with a macro then please do
// so...
static const PRUnichar sHTMLTagUnicodeName_a[] =
{'a', '\0'};
static const PRUnichar sHTMLTagUnicodeName_abbr[] =
{'a', 'b', 'b', 'r', '\0'};
static const PRUnichar sHTMLTagUnicodeName_acronym[] =
{'a', 'c', 'r', 'o', 'n', 'y', 'm', '\0'};
|
It then goes on to list hundreds more HTML tags.
|
|
|
|
All times are GMT +1.