News
News
5/9/2005
01:39 PM
Connect Directly
RSS
E-Mail
50%
50%

'Extremely Critical' Bugs Found In Firefox

A pair of unpatched vulnerabilities in Mozilla's Firefox browser could allow an attacker to take control of a PC simply by getting a user to visit a malicious Web site, Mozilla says.

A pair of unpatched vulnerabilities in Mozilla's Firefox Web browser -- rated as "extremely critical" by one security firm -- could allow an attacker to take control of a PC simply by getting a user to visit a malicious Web site, Mozilla said Sunday.

Because proof-of-concept code has been leaked -- as were the vulnerabilities -- before a patch was ready, Mozilla recommended that Firefox users either disable JavaScript or lock down the browser so it doesn't install additional software, such as extensions" or themes, from Web sites.

The vulnerabilities were discovered by a pair of security researchers, who had notified Mozilla earlier in the month, but were keeping mum until a patch was written. However, details of the vulnerabilities were leaked by someone close to one of the researchers.

According to Danish security vendor Secunia, which tagged the bugs with a highest "extremely critical" warning -- the first time it's used that to describe a Firefox flaw -- a hacker can trick the browser into thinking a download is coming from one of the by-default sites permitted to install software automatically: addons.mozilla.org or update.mozilla.org.

"Changes to the Mozilla Update web service have been made to mitigate the risk of an exploit," the Foundation announced on its security site Sunday. Specifically, Mozilla re-pointed the two update sites to a new URL, and instructed users not to add that new site to their list of Allowed Sites. The change, however, only defends against the current proof-of-concept that's circulating, not the vulnerabilities themselves.

While that reduced the risk of an immediate attack, Mozilla doesn't have control over the numerous sites that users might have added to their Allow, or whitelist, list. Popular plug-ins, called "extensions" by Firefox, could also be the root of attacks, since users must give an extension site installation permission. To close all possible doors, Mozilla recommended that users either disable JavaScript or turn off installation from Web sites. To disable Web site software installs, users can select Tools/Options/Preferences in Firefox 1.0.3, the current edition. Users can still install extensions or user interface themes manually by first downloading the file, then running them from Firefox's File menu.

A security update -- which will be dubbed Firefox 1.0.4 -- will be issued as soon as possible. "Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update," the organization's security alert continued.

While the leaked information included proof-of-concept code that demonstrated how a malicious site could run code of the attacker's choice and install it on machines using Firefox, Mozilla discounted the risk. "There are currently no known active exploits of these vulnerabilities," it said Sunday. The release of Firefox 1.0.4 would be the fourth security update to the browser since the beginning of the year. Others appeared in late February, late March, and mid-April. In that time, Microsoft has released two patches for its Internet Explorer browser.

Comment  | 
Print  | 
More Insights
IT's Reputation: What the Data Says
IT's Reputation: What the Data Says
InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.