From: Rainy_Day_Woman, 5/9/2005 1:28:29 PM
 
May 09, 2005
Firefox Cites Security Flaw: Suggests Disabling JavaScript

Two vulnerabilities in the popular Firefox browser were discovered over the weekend and have been rated "extremely critical" by the security firm Secunia.

The advisory notes that the two vulnerabilities that have been discovered in the Firefox browser can be "exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system."

The tech stuff:

1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.

Firefox's popularity

The Firefox browser is incredibly popular for its speed and its features such as tabbed browsing. It recently passed 50 million downloads in late April. The browser still trails Microsoft's Internet Explorer by some margin, but users love it. However, many cite the main reason they switched to the new browser was security.

What to do:

Mozilla suggests temporarily disabling JavaScript in this release on Monday.

Security Advisory (May 8, 2005) The Mozilla Foundation is aware of two potentially critical Firefox security vulnerabilities as reported publicly Saturday, May 7th. There are currently no known active exploits of these vulnerabilities although a "proof of concept" has been reported. Changes to the Mozilla Update web service have been made to mitigate the risk of an exploit. Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update. Users can further protect themselves today by temporarily disabling JavaScript.

Further information including the availability of updates will be posted at www.mozilla.org.
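Item 2 of the advisory quoted above describes a URL parameter that was used without verifying its scheme. The following is an added example, not part of the original post and not Mozilla's fix: a scheme allowlist applied after parsing, next to a fragile prefix check. The function names, the `addons.example` host and the sample inputs are constructed for illustration.

```javascript
// Added illustration: scheme allowlist for an untrusted icon URL.
// isSafeIconUrl and naiveCheck are hypothetical names, not Mozilla code.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Fragile denylist: a literal prefix test on the raw string.
function naiveCheck(raw) {
  return !raw.startsWith("javascript:");
}

// Parse first, then allow only known-good schemes. The WHATWG URL parser
// lower-cases the scheme, trims leading/trailing control characters and
// spaces, and drops embedded tabs/newlines, so the check sees the same
// URL a browser would act on.
function isSafeIconUrl(raw, base) {
  let url;
  try {
    url = new URL(raw, base);
  } catch {
    return false; // unparseable input is rejected, not passed through
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Constructed sample inputs (base host is a placeholder).
const BASE = "https://addons.example/extensions/";
const samples = [
  "https://addons.example/icons/ext.png",
  "icons/ext.png",
  "javascript:void(0)",
  "  JavaScript:void(0)",
  "java\tscript:void(0)",
  "data:text/html,hi",
];

function classify(list) {
  return list.map((raw) => ({
    raw,
    naive: naiveCheck(raw),
    parsed: isSafeIconUrl(raw, BASE),
  }));
}

for (const r of classify(samples)) {
  console.log(JSON.stringify(r.raw), "naive:", r.naive, "allowlist:", r.parsed);
}
```

The prefix check passes every variant except the exact lowercase form, while the parse-then-allowlist check accepts only the two HTTPS inputs.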