Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Subscribe
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Subscribe
    Home Cybersecurity
    • Cybersecurity
    • Networking

    Zero-Day Firefox Exploit Sends Mozilla Scrambling

    Written by

    Ryan Naraine
    Published May 9, 2005
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      For the fourth time in three months, major security flaws in the upstart Firefox Web browser have pushed volunteers at the Mozilla Foundation into damage-control mode.

      The open-source group late Sunday rushed out a partial fix for a pair of “extremely critical” Firefox vulnerabilities after zero-day exploit code leaked onto the Internet and promised a comprehensive patch would be available soon.

      Mozillas public acknowledgement of the vulnerabilities includes a chilling warning that an attacker could combine the flaws to execute malicious code without user interaction.

      The vulnerabilities have been confirmed in Firefox 1.0.3. The Mozilla Suite is only “partially vulnerable” to the bugs, according to the Foundation.

      Firefox users are urged to disable JavaScript immediately as a temporary workaround. Additionally, Mozilla recommends that the browsers software installation feature be disabled. This can be done by unchecking the “Allow web sites to install software” box, which can be found by selecting Options on the Tools menu and then Web Features.

      Mozilla also modified the update servers to block a possible attack but made it clear this only provides partial protection. The updates were made to “update.mozilla.org” and “addons.mozilla.org,” the two sites white-listed by default in Firefox. Software installation requests will now be redirected to “do-not-add.mozilla.org” to stop the publicly available exploit code from targeting the two vulnerabilities.

      According to security alerts aggregator Sequoia, this is the first Firefox bug to carry an “extremely critical” rating. In a public advisory, Sequoia said the problem was detected in the way “IFRAME” JavaScript URLs are protected from being executed in the context of another URL in the history list.

      “This can be exploited to execute arbitrary HTML and script code in a users browser session in context of an arbitrary site,” Sequoia warned in its advisory.

      Additionally, input passed to the “IconURL” parameter in the browsers “InstallTrigger.install()” feature is not properly verified before being used. “This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL,” the company said.

      By default, only the Mozilla Foundation update site is allowed to bring up this dialog, but the script injection vulnerability allows this to be exploited from any malicious site.

      The flaws and accompanying attack scenario were first discovered by security researchers at the Greyhats Security Group, which published a detailed technical explanation of the exploits. The research firm was quietly working with the Mozilla Foundation to create and deploy a patch but was forced to go public after FrSIRT (French Security Incident Response Team) published the exploit code.

      The latest security hiccups follow a rapid batch of patches from Mozilla for Firefox flaws. In late February, Mozilla shipped a major security makeover to provide a temporary workaround for a widely reported IDN (International Domain Name) bug, and to correct two serious flaws that could allow malicious attackers to spoof the source displayed in the “Download Dialog” box or to spoof the content of Web sites.

      Two weeks later, Mozilla rolled out Firefox 1.0.3 to correct a serious vulnerability caused by the way GIF files are processed by the browser.

      Then, on April 16, another Firefox refresh shipped to correct a JavaScript Engine flaw that put users at risk of information disclosure attacks.

      Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

      Ryan Naraine
      Ryan Naraine

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.