For the fourth time in three months, major security flaws in the upstart Firefox Web browser have pushed volunteers at the Mozilla Foundation into damage-control mode.
The open-source group late Sunday rushed out a partial fix for a pair of “extremely critical” Firefox vulnerabilities after zero-day exploit code leaked onto the Internet, and promised that a comprehensive patch would be available soon.
Mozilla's public acknowledgement of the vulnerabilities includes a chilling warning that an attacker could combine the flaws to execute malicious code without user interaction.
The vulnerabilities have been confirmed in Firefox 1.0.3. The Mozilla Suite is only “partially vulnerable” to the bugs, according to the Foundation.
Mozilla also modified the update servers to block a possible attack but made it clear this only provides partial protection. The updates were made to “update.mozilla.org” and “addons.mozilla.org,” the two sites white-listed by default in Firefox. Software installation requests will now be redirected to “do-not-add.mozilla.org” to stop the publicly available exploit code from targeting the two vulnerabilities.
“This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site,” Sequoia warned in its advisory.
By default, only the Mozilla Foundation update site is allowed to bring up this dialog, but the script injection vulnerability allows this to be exploited from any malicious site.
The flaws and accompanying attack scenario were first discovered by security researchers at the Greyhats Security Group, which published a detailed technical explanation of the exploits. The research firm was quietly working with the Mozilla Foundation to create and deploy a patch but was forced to go public after FrSIRT (French Security Incident Response Team) published the exploit code.
The latest security hiccups follow a rapid batch of patches from Mozilla for Firefox flaws. In late February, Mozilla shipped a major security makeover to provide a temporary workaround for a widely reported IDN (International Domain Name) bug, and to correct two serious flaws that could allow malicious attackers to spoof the source displayed in the “Download Dialog” box or to spoof the content of Web sites.
Two weeks later, Mozilla rolled out Firefox 1.0.3 to correct a serious vulnerability caused by the way GIF files are processed by the browser.