May 9, 2005 8:14 AM PDT

Exploit code chases two Firefox flaws

Two vulnerabilities in the popular Firefox browser have been rated "extremely critical" because exploit code is now available to take advantage of them.

The cross-site scripting and remote system access flaws were discovered in Firefox version 1.0.3, but other versions may also be affected, said security company Secunia, which issued the ratings Sunday.


The two vulnerabilities, when combined, can be exploited, but no known cases have yet emerged where an attacker took advantage of the public exploit code.

One flaw involves "IFRAME" JavaScript URLs, which are not properly protected from being executed in the context of another URL in the history list.

"If you visit a malicious Web site, it can steal cookie information from other Web sites you had previously visited," said Thomas Kristensen, Secunia's chief technology officer. The attacker could then use that information to engage in identity theft or gain access to other password-protected sites that the victim visited.

A second vulnerability exists in the IconURL parameter in InstallTrigger.install(). Information passed to this parameter is not properly verified before it's used, which could allow an attacker to gain and escalate user privileges on a system.

People who want new extensions or themes need to go to the Mozilla update service. These extensions and themes will need to be manually installed.

Since the vulnerabilities were discovered over the weekend, the Mozilla Foundation, which owns Firefox, has taken preventive measures.

Mozilla has changed its update Web service and advises people to temporarily disable JavaScript.

However, people who download and install the Mozilla software from third-party sites are still at risk, Kristensen said.

"The threat still exists but is less critical now," he noted. "People can go to third-party sites to install the software, but it's not going to happen on as wide a scale as it had with the Mozilla sites."

37 comments

I thought Firefox was secure?!!
Heck, I can get an unsecured browser by using IE. Now Firefox?
Posted by bobby_brady (765 comments )
everything has its faults
Just because there is a listed exploit doesn't mean that the
product is less secure than others. Everything you use on your
computer can have some aspect of insecurity. Some are more
secure than others.

Even Mac, paraded for its security, has had bugs and holes in
the past. What put Mac on top for security is the limited amount
of these and the quick turn around time for Apple to patch
them.

Just because a fault has been found doesn't mean Firefox is
more insecure than IE. In short time Mozilla will most likely put
out a patch for this problem.
Posted by quantum0726 (10 comments )
Vulnerability leaked irresponsibly
Something not mentioned by the article is that the vulnerability was revealed irresponsibly: a bug report was filed with Mozilla on May 2, but some nitwit revealed the problem and an exploit on May 7, too early for Mozilla to release a fix, thereby seriously exacerbating the risk.
Posted by cupsdell (12 comments )
Firefox is still 99% more secure than IE
Get a life. Two flaws found which will be patched within a week, compared to IE which takes months, if at all, to get fixed.
Posted by Anonymous1234567890 (53 comments )
Firefox is Secure
Firefox is still in its infancy stages; for God's sake, it is still ver. 1.0.4. There are countless coders across the world that work on Firefox and have new daily builds that come out every night. They address these kinds of issues as they come out. How long has Internet Explorer been out? And yet they are less secure than a browser first released 7 months ago.
Posted by johnncyber (1 comment )
Just to be fair
I think we can all agree that Firefox has flaws. A flaw is a flaw regardless of whether or not it can/has been exploited.

I think the bigger picture here is how fast it is fixed, excluding workarounds.

I suppose that the real questions are...

How critical is the flaw? How fast is a patch delivered? How complete is the patch? And how well is the patch delivered?

As far as comparing browsers goes I think you could compare them based on the following.

How well does it support standards or "recommendations"?
How much bloat does it have?
How user friendly is it?
How supported is it?
How does the company deal with flaws?
How fast does it render pages?
How well implemented is its security?
How many net related protocols does it support?

I'm sure others could add to this list.

In my opinion it comes down to how they all compare placed on an even field.
Posted by System Tyrant (1453 comments )
Lots of points to make:
- Opera has had at least 1 critical security exploit before, while Internet Explorer clocks in at 11 extremely critical, and 24 highly critical, despite being the 6th major version. Firefox, being the new kid on the block, has

- Secunia (and other security companies of course) only lists PUBLICLY known exploits and is NOT a measure of product quality. For that reason Firefox may appear to have more vulnerabilities but that is more likely due to the source code being public and freely available to security firms.

- Mozilla has effectively disabled the remote system access exploit, as mentioned in the article within a few days of the exploit becoming publicly known. The worst of the exploits has ALREADY been mitigated.

- These exploits were known May 2nd, discovered by two guys: Paul of Greyhats Security Group and Michael Krax (who had received a Bug bounty of $2500 for discovering 5 other exploits). The exploits were restricted to security related people until the Mozilla group could come around to fixing it.

Here's the important part:

Some IDIOT released information on that exploit without Mozilla, Paul, or Michael's permission, thereby exposing 50 million users. Paul believes somebody hacked his server.

- Because of this, this is the ONLY reason why the flaw is even listed on Secunia as critical. Michael Krax himself found 5 security flaws, however they were silently fixed and they do not appear on Secunia.

- It's still safe to say that Firefox is secure because the whole system is excellent. Just because there's one critical flaw doesn't automatically make Firefox a bad browser. Mozilla will probably release a new version in a few days. Microsoft releases Internet Explorer patches on the second Tuesday of each month. Go figure. Mozilla also rewards people who find a security bug with $500. What an awesome incentive!
Posted by hion2000 (115 comments )
Generally correct...
Except that MS can, and has, released critical security fixes out of cycle.

What is interesting is how long it takes MS to release a patch. Sometimes, the patches come out relatively quickly (quicker than Firefox), and yet at other times, it takes them MONTHS to address the issue.
Posted by Tex Murphy PI (165 comments )
50 million downloads, not users
I hate to be a devil's advocate, but since you have to do a full download to update it, there is no way to reliably count real users. If a user went from 1.0.0 to 1.0.3, downloading all of them, this will be 4 (four) downloads.
Posted by alegr (1590 comments )
Cnet always gets at least one thing wrong
"Mozilla has changed its update Web service and advises people to temporarily disable JavaScript."

WRONG. Disabling JavaScript was Secunia's idea and Mozilla has suggested a better way. Quote from MozillaZine: "The Secunia advisory suggests disabling JavaScript as a workaround; however, simply disabling software installation eliminates the problem."
Posted by xpgeek11 (12 comments )
Being picky there....
It's still the official word from Mozilla to disable Javascript. It may or may not have been their solution but they are still recommending that you turn off javascript.
Posted by hion2000 (115 comments )
Firefox is far better and secure than IE STILL
I totally agree with Bob Mckaren. Firefox is still more secure and a better browser than IE. Another important issue is that Firefox has only 4.2MB while my last IE upgrade (from 5.5 to 6) had more than 90MB, and I've done several critical updates, each one with several MB.
Posted by acarlos1000 (12 comments )
Patching the problem.
A lot of users have Automatic Updates turned on, so at least their IE gets updated automatically when the patches appear. Is there an automatic way for Firefox? If there isn't, you know that users are going to be running insecure versions no matter how fast the patches come out. Same for corporates. I have WUS turned on, on my network and can deploy patches to IE for 400 desktops with little effort. If they were all running Firefox I could still patch them with SMS but it's more work for the admin (and we don't like more work). For all its shortcomings, IE on a secure network, regularly patched, has never given us a problem in all the years we've been running Windows.
So for work I'll be sticking with IE and for home Opera (btw, for home I'm not saying Opera is better, it's just my preference).

OK. I'm ready for the evangelical replies.
Posted by (79 comments )
Well. . .
Okay, MS has an automatic update service. True. This makes it easier for admins. I absolutely agree.

So, everyone's running the most updated version of IE because of it, and there are no insecure versions of it being run by users?

Hmmm. . .I didn't realize that automatic updates were a cure-all.

Evangelical enough a reply for you?
Posted by (282 comments )
I get your point
I just don't agree. That said, I would rather know. You're assuming people will patch when the fix has been found. If that were the case we would have far fewer problems across the board. But that's not the case.
Posted by Buzz_Friendly (74 comments )
Another opinion.
Firefox is not right for every environment. Some people don't like it for their own reasons. That's why it's called a choice. We should all be thankful that we have one (and we have more than IE and Firefox).

One thing that does amaze me is that it seems like those who cursed those security experts for releasing the vulnerabilities only after a month or two for IE are now overjoyed that Firefox's flaws get publicized only days after they are found.

I understand the need to get behind one side or the other, but we aren't really doing anybody any good. Debating computers is (or always has been) like debating religion. Everybody is always on the right side. That's just my opinion.
Posted by System Tyrant (1453 comments )
Another Myth ends
I strongly believe how secure a product is, is inversely proportional to the number of features it provides. Firefox started as a clean, simple browser. But with time it included complex features like plugin support and theme support that have ultimately made it too complicated to be 100% bug free.
This is nothing new. Internet Explorer is the best example. It is one of the best browsers. However, it stopped being just a browser after version 3.0.
With every component of it being reusable, and features that compete with operating systems, the Internet Explorer code base has become too complex.
With complexity it has now evolved into a big security risk. I am sure Firefox, if it goes high on its success, shall land up in the same insecure browser category.
Posted by (29 comments )
just compare
Similar vulnerability, similar situation, only on IE this time. Sounds to me they are not making a lot of fuss out of it... "you have to be tricked"... Yeah right... Don't hear the same tone in the Firefox reporting...

http://news.cbsi.com/Critical+flaws+in+IE+and+Outlook+discovered/2100-1002_3-5650238.html?tag=cd.hed

I am not making excuses for the flaw; however, given their previous track record, you can be sure there will be an updated version shortly...
Posted by Steven N (487 comments )
Which will be fixed first?
IE for Win2K or Firefox? The Win2K IE flaw has been known and not fixed for quite a while, so MS has a head start. Who will finish first?
Posted by amadensor (248 comments )
they're not noobs; they're human
I write simple console Java applications, and every so often I'll make a simple mistake and the next thing I know, I've got animations jumping on top of each other and moving in directions they aren't supposed to.

The point I'm reaching at is though the Firefox programmers aren't as newb as I am in programming, they are still human, and flaws are expected. It's just a matter of getting them fixed quick enough before something extreme occurs (mass infection of viruses, hacks, etc.).
Posted by onux16 (12 comments )
Release candidates available!
http://weblogs.mozillazine.org/asa/archives/008121.html

That, my friends is why we back Mozilla and not Microsoft. One exploit disabled within hours, both fixed in under two days.

Bravo :)
Posted by hion2000 (115 comments )