05-09-2005, 02:40 PM
Taco John
Join Date: Jun 2001
Firefox Browsers Susceptible to Malicious Code... Here's the temp fix...

The fix: Users can protect themselves by temporarily disabling JavaScript, according to Mozilla.




The problem:


May 9, 2005
Two Holes Poke Firefox Veneer
By Tim Gray


It seems Mozilla's Firefox, the undisputed darling of the alternative browser set, isn't immune after all to the slings and arrows suffered by other popular interfaces.

On Saturday the Greyhats Security Group punctured the browser's aura of invincibility after it released details of two flaws that allow a malicious site to execute arbitrary code.

The advisory explains that the successful attacks involve two elements. The first flaw fools the browser into thinking software is being installed by a "whitelisted site." The second flaw occurs when the software installation trigger does not sufficiently check icon URLs containing JavaScript code.

Users can protect themselves by temporarily disabling JavaScript, according to Mozilla.

Less than a week after the foundation trumpeted breaking the 50 million download mark, the browser is dealing with what has been called by Danish security firm Secunia its first "extremely critical" bug.

The Mozilla Foundation said there are currently no known active exploits of these vulnerabilities, although a "proof of concept" has been reported.

Greyhats said an attacker can first use frames and a JavaScript history flaw to make it appear that a software installation is being triggered from add-ons.update.mozilla.org.

As the JavaScript is executed from the chrome, it has "full chrome privileges" and can "do anything that the user running Firefox can."

"Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update," the foundation said on its Web site.

Numerous security outfits agree with the foundation's suggestions of disabling JavaScript as a workaround.

"We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement.


http://www.internetnews.com/security...le.php/3503506
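
The two checks the quoted article describes (who is really requesting the install, and what the icon URL contains), sketched as an added JavaScript example that is not part of the original post and is not Mozilla's code. The function names and the host `addons.example.org` are hypothetical, and the sample values are constructed.

```javascript
// Added example: all names and hosts are hypothetical, not Firefox internals.
const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);
const INSTALL_WHITELIST = new Set(["addons.example.org"]); // constructed host

// Weak check: inspects the raw string, so case, padding and embedded
// tab/newline variants of the scheme are not recognised.
function naiveIconCheck(raw) {
  return !raw.startsWith("javascript:");
}

// Hardened check: parse first (the URL parser trims padding, drops
// tabs/newlines and lowercases the scheme), then allowlist the scheme.
function isSafeIconUrl(raw, base) {
  let url;
  try {
    url = new URL(raw, base);
  } catch {
    return false; // unparseable input is rejected, not guessed at
  }
  return ALLOWED_ICON_SCHEMES.has(url.protocol);
}

// The install is allowed only if the document that really issued the
// request is an https page on a whitelisted host AND the icon URL is safe.
// Assumption: the caller passes the true requesting URL, not a displayed one.
function isInstallAllowed(requestingUrl, iconUrl) {
  let origin;
  try {
    origin = new URL(requestingUrl);
  } catch {
    return false;
  }
  if (origin.protocol !== "https:") return false;
  if (!INSTALL_WHITELIST.has(origin.hostname)) return false; // exact match
  return isSafeIconUrl(iconUrl, origin.href);
}

// Constructed sample icon values.
const samples = ["/icons/ext.png", " JaVaScRiPt:void(0)",
                 "java\tscript:void(0)", "data:image/png;base64,AAAA"];
for (const s of samples) {
  console.log(JSON.stringify(s), "naive:", naiveIconCheck(s), "hardened:",
              isInstallAllowed("https://addons.example.org/ext/1", s));
}
```

The naive string test accepts every sample, while the parse-then-allowlist version accepts only the relative image path resolved against the whitelisted page.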

05-09-2005, 03:39 PM   #16
Kerberos
Join Date: Jan 2004
Location: Henderson, NV
I use Firefox and IE and I like Firefox a lot. (tabbed browsing is the shit)

BUT... When Firefox has been around as long as IE with as many users as IE then talk to me about how many holes it has and how many have been patched.

Microsoft gets picked on by hackers cause there are MILLIONS of people using it. So comparing Firefox's 5 exploits to Microsoft's 10,344,697 it is really stupid to think that it's a fair comparison.

I will keep using Firefox till IE has tabbed browsing. And I would bet my best friend's paycheck that Microsoft will have it on IE 7 when it is released in the not so distant future. IMO






05-09-2005, 03:48 PM   #17
KCFalcon59
Join Date: Sep 2002
Location: Topeka, Kansas
Quote:
Originally Posted by rxrider
And I would bet my best friend's paycheck that Microsoft will have it on IE 7 when it is released in the not so distant future..
Stay away from my paycheck man!!

05-09-2005, 04:02 PM   #18
Simplex3
Join Date: Sep 2003
Quote:
Originally Posted by rxrider
Microsoft gets picked on by hackers cause there are MILLIONS of people using it...
...and because it's easy to hack by any 12 year old with a copy of notepad.

05-09-2005, 04:18 PM   #19
irishjayhawk
Join Date: Aug 2004
Quote:
Originally Posted by tk13
The invincible Firefox, busted AGAIN!!!

(Sorry, wanted to be the first to do that.)
Again, may I point out that the code is on the internet. Therefore finding bugs HELPS them. No one said it was immune but it's not that hard for hackers to find flaws when they have the program's code in their possession.

05-09-2005, 04:21 PM   #20
FloridaChief
Join Date: Aug 2000
Location: Tampa
I just shut off "Enable Java" on Firefox. Temporary fix to a temporary problem.

05-12-2005, 07:37 AM   #21
morphius
Join Date: Aug 2000
It looks like the fix is out already!

Just download and install 1.0.4.

http://www.mozilla.org/products/firefox/

05-12-2005, 08:00 AM   #22
jarjar
Join Date: Dec 2004
50 million downloads of Firefox, it's getting up there. In the meanwhile we still get patches almost faster than the story breaks the media.

05-13-2005, 02:59 AM   #23
Ultra Peanut
Join Date: Aug 2001
Location: Holland*
Bumped to let everyone know that the fix is indeed out.