Zero-Day Firefox Exploit Sends Mozilla Scrambling

The open-source Mozilla Foundation rushes out a partial fix for an "extremely critical" Firefox flaw after exploit code leaks onto the Web.

For the fourth time in three months, major security flaws in the upstart Firefox Web browser have pushed volunteers at the Mozilla Foundation into damage-control mode.

The open-source group late Sunday rushed out a partial fix for a pair of "extremely critical" Firefox vulnerabilities after zero-day exploit code leaked onto the Internet and promised a comprehensive patch would be available soon.

Mozilla's public acknowledgement of the vulnerabilities includes a chilling warning that an attacker could combine the flaws to execute malicious code without user interaction.

The vulnerabilities have been confirmed in Firefox 1.0.3. The Mozilla Suite is only "partially vulnerable" to the bugs, according to the Foundation.

Firefox users are urged to disable JavaScript immediately as a temporary workaround. Additionally, Mozilla recommends that the browser's software installation feature be disabled. This can be done by unchecking the "Allow web sites to install software" box, which can be found by selecting Options on the Tools menu and then Web Features.
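For an administrator who has to confirm that both workarounds above are actually in place across many profiles, the quickest check is to read each profile's prefs.js rather than click through the Options dialog. The following script is an added example, not code from the article or from Mozilla; it assumes that the two UI settings are backed by the preferences javascript.enabled and xpinstall.enabled (both of which default to true when absent from prefs.js), and the sample prefs.js content is constructed for the demonstration.

```python
import re
from typing import Dict, List, Union

PrefValue = Union[bool, int, str]

# One prefs.js / user.js entry looks like:  user_pref("name", value);
# Lines that do not match (comments, blanks, pref() defaults) are skipped.
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Assumed preference names behind the two workarounds in the article:
#   "disable JavaScript"                         -> javascript.enabled = false
#   "Allow web sites to install software" unset  -> xpinstall.enabled  = false
WORKAROUND_PREFS: Dict[str, bool] = {
    "javascript.enabled": False,
    "xpinstall.enabled": False,
}

# Constructed sample profile: JavaScript already off, software install still on.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("app.update.enabled", true);
user_pref("browser.startup.homepage", "about:blank");
user_pref("javascript.enabled", false);
user_pref("xpinstall.enabled", true);
"""


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse user_pref() lines into a dict, converting bool/int/string literals."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        value: PrefValue
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave anything unexpected as the raw token
        prefs[name] = value
    return prefs


def check_workaround(prefs: Dict[str, PrefValue]) -> List[str]:
    """Return the preference names that are NOT in the mitigated state.

    A preference missing from prefs.js means Firefox uses its built-in
    default, and both of these default to enabled, so absence counts as
    a finding.
    """
    findings = []
    for name, wanted in WORKAROUND_PREFS.items():
        if prefs.get(name, True) != wanted:
            findings.append(name)
    return findings


if __name__ == "__main__":
    parsed = parse_prefs(SAMPLE_PREFS_JS)
    missing = check_workaround(parsed)
    if missing:
        print("workaround incomplete, still enabled:", ", ".join(missing))
    else:
        print("both workarounds applied")
```

Run against a real profile by replacing SAMPLE_PREFS_JS with the contents of that profile's prefs.js; a profile that has never touched either setting reports both preferences, because the defaults are the exposed state.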

Mozilla also modified the update servers to block a possible attack but made it clear this only provides partial protection. The updates were made to "" and "," the two sites white-listed by default in Firefox. Software installation requests will now be redirected to "" to stop the publicly available exploit code from targeting the two vulnerabilities.

According to security alerts aggregator Secunia, this is the first Firefox bug to carry an "extremely critical" rating. In a public advisory, Secunia said the problem was detected in the way "IFRAME" JavaScript URLs are protected from being executed in the context of another URL in the history list.

"This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site," Secunia warned in its advisory.

Additionally, input passed to the "IconURL" parameter in the browser's "InstallTrigger.install()" feature is not properly verified before being used. "This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL," the company said.

By default, only the Mozilla Foundation update site is allowed to bring up this dialog, but the script injection vulnerability allows this to be exploited from any malicious site.

The flaws and accompanying attack scenario were first discovered by security researchers at the Greyhats Security Group, which published a detailed technical explanation of the exploits. The research firm was quietly working with the Mozilla Foundation to create and deploy a patch but was forced to go public after FrSIRT (French Security Incident Response Team) published the exploit code.

The latest security hiccups follow a rapid batch of patches from Mozilla for Firefox flaws. In late February, Mozilla shipped a major security makeover to provide a temporary workaround for a widely reported IDN (International Domain Name) bug, and to correct two serious flaws that could allow malicious attackers to spoof the source displayed in the "Download Dialog" box or to spoof the content of Web sites.

Two weeks later, Mozilla rolled out Firefox 1.0.3 to correct a serious vulnerability caused by the way GIF files are processed by the browser.

Then, on April 16, another Firefox refresh shipped to correct a JavaScript Engine flaw that put users at risk of information disclosure attacks.
