Mozilla Arbitrary Code Execution Security Flaw

A security flaw that allows a malicious site to execute arbitrary code on a user's system has been discovered in Mozilla Firefox. Secunia has probably one of the more accurate and concise write-ups of the code execution vulnerability. It appears to be the first "Extremely critical" Firefox flaw logged by Secunia.

The advisory explains that a successful attack involves exploiting two flaws: one involves tricking Firefox into thinking a software installation is being triggered by a whitelisted site, while the other relies on the software installation trigger not sufficiently checking icon URLs containing JavaScript code. The Secunia advisory suggests disabling JavaScript as a workaround; however, simply disabling software installation (Web Features panel of the Options/Preferences window in Firefox 1.0.3 or the Content panel in the latest trunk builds) eliminates the problem. We understand that a change made to Mozilla Update has made the vulnerability effectively unexploitable if you only have update.mozilla.org and addons.mozilla.org in your software installation whitelist (accessible from the Web Features or Content panel in the Options/Preferences window), which is the default setting.

The vulnerability was discovered by Paul of Greyhats Security Group and Michael "mikx" Krax. Paul has written a detailed technical explanation of how the exploit works. On a specially crafted page, the attacker first uses frames and a JavaScript history flaw to make it appear that a software installation is being triggered from addons.update.mozilla.org, one of the few sites allowed to install software by default. With this hurdle out of the way, the attacker can attempt to do some real damage. One of the parameters passed to the software installation method is an icon URL, which can be a piece of JavaScript code. As this JavaScript is executed from the chrome (the browser user interface rather than a Web page), it has 'full chrome privileges' and can do anything that the user running Firefox can. The attacker can therefore pass in some malicious JavaScript and run arbitrary code on the victim's system.

The vulnerability requires the attacker to trigger an install that appears to come from a whitelisted site. Fortunately, the Mozilla Foundation controls all of the sites in the default software installation whitelist, which has allowed them to take some preventative action by placing more checks in the server-side Mozilla Update code and moving the update site to another domain. We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk.
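As an added illustration (not Mozilla's code and not the fix that shipped in Firefox), the two checks the explanation above describes as missing, written as a small JavaScript policy module; the function names, the https-only rule for the caller and the refusal reasons are assumptions made for this example.

```javascript
// Added example (not Mozilla's code): the two checks the advisory above
// describes as missing, written as a small policy module. The function
// names, the https-only rule and the refusal strings are assumptions.

// Sites allowed to trigger software installation (the default list on the page).
const DEFAULT_INSTALL_ALLOWLIST = new Set(["update.mozilla.org", "addons.mozilla.org"]);
// Schemes an icon URL may use; javascript:, data:, chrome: and so on are refused.
const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);

function parseUrl(value) {
  if (typeof value !== "string") return null;
  try {
    // A real URL parser normalizes scheme case ("JavaScript:") and strips
    // tab/newline and surrounding whitespace, so obfuscated spellings cannot
    // slip past a naive "javascript:" substring test.
    return new URL(value);
  } catch (e) {
    return null; // relative or malformed: refuse rather than guess
  }
}

// The allowlist decision must be bound to the origin of the document that
// actually called the install method, not to whatever URL the page displays.
function isAllowedInstallOrigin(callerUrl, allowlist = DEFAULT_INSTALL_ALLOWLIST) {
  const u = parseUrl(callerUrl);
  // Exact hostname match: "addons.mozilla.org.evil.example" does not match.
  return u !== null && u.protocol === "https:" && allowlist.has(u.hostname);
}

// The icon URL is data, never code: accept only an allowlisted scheme.
function isSafeIconUrl(iconUrl) {
  const u = parseUrl(iconUrl);
  return u !== null && ALLOWED_ICON_SCHEMES.has(u.protocol);
}

// Returns "ok" or the reason the install request is refused.
function checkInstallRequest(callerUrl, iconUrl) {
  if (!isAllowedInstallOrigin(callerUrl)) return "caller not in install allowlist";
  if (!isSafeIconUrl(iconUrl)) return "icon URL scheme not allowed";
  return "ok";
}
```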

Paul and mikx reported the vulnerability to the Mozilla Foundation and bug 292691 was filed on Monday 2nd May. In line with the Mozilla security bugs policy, access to the bug report was restricted to members of the security team. However, somebody else found out and leaked the details of the exploit. The French Security Incident Response Team (FrSIRT) was one of the first security companies to publish an advisory based on the leaked information. In a message to the Full Disclosure mailing list, Paul criticised the individual who leaked the details of the Firefox code execution exploit, condemning his or her actions as "inconsiderate" and "irresponsible". Since the exploit became public knowledge, several duplicate bug reports have been filed, including bug 293302.

We anticipate that the Mozilla Foundation will release a Firefox 1.0.4 update shortly.

Update: The Mozilla Foundation has posted a Security Alert. It reads: "The Mozilla Foundation is aware of two potentially critical Firefox security vulnerabilities as reported publicly Saturday, May 7th. There are currently no known active exploits of these vulnerabilities although a 'proof of concept' has been reported. Changes to the Mozilla Update web service have been made to mitigate the risk of an exploit. Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update. Users can further protect themselves today by temporarily disabling JavaScript."

Another Update: The Mozilla Foundation has published Mozilla Foundation Security Advisory 2005-42, its official statement on the arbitrary code execution vulnerability. The recommended workaround is to disable JavaScript.


Tools -> Options -> Web Features... and disable JavaScript

Regards