FireFox Browsers Suceptible to Malicious Code... Here's the temp fix...

Taco John · 05-09-2005, 02:40 PM

The fix: Users can protect themselves by temporarily disabling JavaScript, according to Mozilla.

The problem:

May 9, 2005
Two Holes Poke Firefox Veneer
By Tim Gray

It seems Mozilla's Firefox, the undisputed darling of the alternative browser set, isn't immune after all to the slings and arrows suffered by other popular interfaces.

On Saturday the Greyhats Security Group punctured the browser's aura of invincibility after it released details of two flaws that allow a malicious site to execute arbitrary code.

The advisory explains that the successful attacks involve two elements. The first flaw fools the browser into thinking software is being installed by a "whitelisted site." The second flaw occurs when the software installation trigger does not sufficiently check icon URLs containing JavaScript code.

Users can protect themselves by temporarily disabling JavaScript, according to Mozilla.

Less than a week after the foundation trumpeted breaking the 50 million download mark, the browser is dealing with what has been called by Danish security firm Secunia its first "extremely critical" bug.

The Mozilla Foundation said there are currently no known active exploits of these vulnerabilities, although a "proof of concept" has been reported.

Greyhats said an attacker can first use frames and a JavaScript history flaw to make it appear that a software installation is being triggered from add-ons.update.mozilla.org.

As the JavaScript is executed from the chrome, it has "full chrome privileges" and can "do anything that the user running Firefox can."

"Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update," the foundation said on its Web site.

Numerous security outfits agree with the foundation's suggestions of disabling JavaScript as a workaround.

"We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement.

http://www.internetnews.com/security...le.php/3503506

Taco John · 05-09-2005, 02:41 PM

You probably won't have to worry about it if you don't surf for porn, warez, or serialz.

**dirk digler** · 05-09-2005, 02:44 PM

Quote:

Originally Posted by ENDelt260

Start the countdown to Parker's appearance in this thread.

No shit I am glad I didn't post this. He rips me every time when I mention FireFox.

Anyway shouldn't this be in Geeksplanet?

teedubya · 05-09-2005, 02:46 PM

Quote:

Originally Posted by dirk digler

No shit I am glad I didn't post this. He rips me every time when I mention FireFox.

Anyway shouldn't this be in Geeksplanet?

It will be, Dirk... IT WIIIIILLL BEEEEEEEE. [/ yoda]

Ultra Peanut · 05-09-2005, 02:46 PM

Quote:

Originally Posted by ENDelt260

Start the countdown to Parker's appearance in this thread.

Chest Rockwell · 05-09-2005, 02:47 PM

Quote:

Originally Posted by Taco John

You probably won't have to worry about it if you don't surf for porn, warez, or serialz.

Yeah, what am I, made of stone?

Thanks for the heads up.

**dirk digler** · 05-09-2005, 02:48 PM

Quote:

Originally Posted by Ali Chi3fs

It will be, Dirk... IT WIIIIILLL BEEEEEEEE. [/ yoda]

Thanks Yoda!

Mr. Laz · 05-09-2005, 02:51 PM

Quote:

Originally Posted by ENDelt260

Start the countdown to Parker's appearance in this thread.

russ or parker ... who shows themselves first?

"buh,buh, but ... everyone here says firefox is perfect"

"everyone knows that only IE has security issues ..."

"only the geniouses says that ..."

tk13 · 05-09-2005, 03:01 PM

The invincible Firefox, busted AGAIN!!!

(Sorry, wanted to be the first to do that.)

**morphius** · 05-09-2005, 03:04 PM

I believe the MAC Safari browser was shown to have a mighty huge whole in it as well.

http://it.slashdot.org/it/05/05/08/2...&tid=179&tid=3

|Zach| · 05-09-2005, 03:10 PM

I still love me some Firefox.

PhogPhanTim · 05-09-2005, 03:12 PM

Gotta agree.

Anyone blind enough to still think IE is better than FireFox is a fool. A damn fool.

HC_Chief · 05-09-2005, 03:13 PM

The greater the distribution of the product, the more likely flaws/security 'holes' will be uncovered. It's the nature of the beast.

|Zach| · 05-09-2005, 03:13 PM

Quote:

Originally Posted by PhogPhanTim

Gotta agree.

Anyone blind enough to still think IE is better than FireFox is a fool. A damn fool.

ChiefsOne · 05-09-2005, 03:19 PM

I use Camino and don't have any problems.

05-09-2005, 02:40 PM
Taco John Sapere Aude Join Date: Jun 2001 Casino cash: $427937	FireFox Browsers Suceptible to Malicious Code... Here's the temp fix... The fix: Users can protect themselves by temporarily disabling JavaScript, according to Mozilla. The problem: May 9, 2005 Two Holes Poke Firefox Veneer By Tim Gray It seems Mozilla's Firefox, the undisputed darling of the alternative browser set, isn't immune after all to the slings and arrows suffered by other popular interfaces. On Saturday the Greyhats Security Group punctured the browser's aura of invincibility after it released details of two flaws that allow a malicious site to execute arbitrary code. The advisory explains that the successful attacks involve two elements. The first flaw fools the browser into thinking software is being installed by a "whitelisted site." The second flaw occurs when the software installation trigger does not sufficiently check icon URLs containing JavaScript code. Users can protect themselves by temporarily disabling JavaScript, according to Mozilla. Less than a week after the foundation trumpeted breaking the 50 million download mark, the browser is dealing with what has been called by Danish security firm Secunia its first "extremely critical" bug. The Mozilla Foundation said there are currently no known active exploits of these vulnerabilities, although a "proof of concept" has been reported. Greyhats said an attacker can first use frames and a JavaScript history flaw to make it appear that a software installation is being triggered from add-ons.update.mozilla.org. As the JavaScript is executed from the chrome, it has "full chrome privileges" and can "do anything that the user running Firefox can." "Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update," the foundation said on its Web site. Numerous security outfits agree with the foundation's suggestions of disabling JavaScript as a workaround. "We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement. http://www.internetnews.com/security...le.php/3503506
Posts: 79,765

05-09-2005, 02:41 PM	#2
Taco John Sapere Aude Join Date: Jun 2001 Casino cash: $427937	You probably won't have to worry about it if you don't surf for porn, warez, or serialz. __________________ Ehyeh asher ehyeh. Donger's Razor: "The most establishment-friendly explanation that gives leftist and neocon politicians the most amount of cover is the only possible explanation, even when gaping holes and leaps of logic are required to get there."
Posts: 79,765

05-09-2005, 03:01 PM	#9
tk13 ... Join Date: Nov 2001 Casino cash: $-1907500	The invincible Firefox, busted AGAIN!!! (Sorry, wanted to be the first to do that.)
Posts: 56,727

05-09-2005, 03:04 PM	#10
morphius World's finest morphius Join Date: Aug 2000 Casino cash: $5725027	I believe the MAC Safari browser was shown to have a mighty huge whole in it as well. http://it.slashdot.org/it/05/05/08/2...&tid=179&tid=3
Posts: 26,023

05-09-2005, 03:10 PM	#11
\|Zach\| For The Glory Of The City Join Date: Sep 2002 Location: Kansas City Casino cash: $3016768	I still love me some Firefox.
Posts: 54,737

05-09-2005, 03:12 PM	#12
PhogPhanTim Starter Join Date: Mar 2005 Casino cash: $10004900	Gotta agree. Anyone blind enough to still think IE is better than FireFox is a fool. A damn fool.
Posts: 41

05-09-2005, 03:13 PM	#13
HC_Chief That's just f***in' stupid Join Date: Aug 2000 Location: suburbia Casino cash: $3687107	The greater the distribution of the product, the more likely flaws/security 'holes' will be uncovered. It's the nature of the beast. __________________ "Gentlemen, you can't fight in here, this is the war room!"
Posts: 12,355

05-09-2005, 03:19 PM	#15
ChiefsOne Veteran Join Date: Oct 2000 Location: Springfield, MO Casino cash: $5058192	I use Camino and don't have any problems.
Posts: 2,284