critical flaw in firefox - GoFuckYourself.com

SmokeyTheBear · 05-09-2005, 06:16 PM

http://story.news.yahoo.com/s/pcworld/120756

Firefox has unpatched "extremely critical" security holes and exploit code is already circulating on the Net, security researchers have warned.

The two unpatched flaws in the Mozilla browser could allow an attacker to take control of your system.

A patch is expected shortly, but in the meantime users can protect themselves by switching off JavaScript. In addition, the Mozilla Foundation has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts.

The flaws were confidentially reported to the Foundation on May 2, but by Saturday details had been leaked and were reported by several security organizations, including the French Security Incident Response Team (FrSIRT). Danish security firm Secunia marked the exploit as "extremely critical", its most serious rating, the first time it has given a Firefox flaw this rating.

In recent months Firefox has gained significant market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that the browser is more secure partly because of its relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser.

Two Vulnerabilities Found
The exploit, discovered by Paul of Greyhats Security Group and Michael "mikx" Krax, makes use of two separate vulnerabilities. An attacker could create a malicious page using frames and a JavaScript history flaw to make software installations appear to be coming from a "trusted" site. By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist.

The second part of the exploit triggers software installation using an input verification bug in the "IconURL" parameter in the install mechanism. The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox, according to researchers.

Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, users may be vulnerable if they have added other sites to the whitelist, it warned.

"We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement published on Mozillazine.org.

SmokeyTheBear · 05-09-2005, 06:19 PM

heres a test to see if your vulnerable
here

MrJackMeHoff · 05-09-2005, 06:23 PM

the exploit was already fixed long ago

SmokeyTheBear · 05-09-2005, 06:24 PM

Quote:

Originally Posted by MrJackMeHoff

the exploit was already fixed long ago

they patched part of it, and it was only a few days ago

GatorB · 05-09-2005, 06:25 PM

Quote:

Originally Posted by MrJackMeHoff

the exploit was already fixed long ago

Yeah today at the earliest if it has been. Nice try. First reported a week ago, but not to public. So your computer has been vunerable for a week.

pornguy · 05-09-2005, 06:26 PM

Thanks for the info smokey.

Furious_Female · 05-09-2005, 07:59 PM

It was only a matter of time...

at the people who think Firefox is God's gift to the internet.

IE 4 lyfe

Spunky · 05-09-2005, 08:04 PM

I gave up on it after it took control of too many things and I couldn't change it back

reynold · 05-09-2005, 08:29 PM

thanks for the info smokey bear!

05-09-2005, 06:16 PM	#1
SmokeyTheBear ►SouthOfHeaven Join Date: Jun 2004 Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer Posts: 28,609	critical flaw in firefox http://story.news.yahoo.com/s/pcworld/120756 Firefox has unpatched "extremely critical" security holes and exploit code is already circulating on the Net, security researchers have warned. The two unpatched flaws in the Mozilla browser could allow an attacker to take control of your system. A patch is expected shortly, but in the meantime users can protect themselves by switching off JavaScript. In addition, the Mozilla Foundation has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts. The flaws were confidentially reported to the Foundation on May 2, but by Saturday details had been leaked and were reported by several security organizations, including the French Security Incident Response Team (FrSIRT). Danish security firm Secunia marked the exploit as "extremely critical", its most serious rating, the first time it has given a Firefox flaw this rating. In recent months Firefox has gained significant market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that the browser is more secure partly because of its relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser. Two Vulnerabilities Found The exploit, discovered by Paul of Greyhats Security Group and Michael "mikx" Krax, makes use of two separate vulnerabilities. An attacker could create a malicious page using frames and a JavaScript history flaw to make software installations appear to be coming from a "trusted" site. By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist. The second part of the exploit triggers software installation using an input verification bug in the "IconURL" parameter in the install mechanism. The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox, according to researchers. Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, users may be vulnerable if they have added other sites to the whitelist, it warned. "We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement published on Mozillazine.org. __________________ hatisblack at yahoo.com

05-09-2005, 06:19 PM	#2
SmokeyTheBear ►SouthOfHeaven Join Date: Jun 2004 Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer Posts: 28,609	heres a test to see if your vulnerable here __________________ hatisblack at yahoo.com

05-09-2005, 06:23 PM	#3
MrJackMeHoff Confirmed User Join Date: Mar 2004 Location: LOLLIPOP ISLAND =-=-=-=-=-=-=-=-=-=-= =-=-=-=-=-=-=-=-=-=-= =-=-=-=-=-=-=-=-=-=-= =-=-=-=-=-=-=-=-=-=-= =-=-=-=-=-=-=-=-=-=-= =-=-=-=-=-=-=-=-=-=-= =-=-=-=-=-=-=-=-=-=-= =-=-=-=-=-=-=-=-=-=-= =-=-=-=-=-=-=-=-=-=-= =-=-=-=-=-=-=-=-=-=-= Posts: 4,569	the exploit was already fixed long ago __________________

05-09-2005, 06:26 PM	#6
pornguy Too lazy to set a custom title Industry Role: Join Date: Mar 2003 Location: Homeless Posts: 62,911	Thanks for the info smokey. __________________ PornGuy skype me pornguy_epic AmateurDough The Hottes Shemales online! TChicks.com \| Angeles Cid \| Mariana Cordoba \| MAILERS WELCOME!

05-09-2005, 07:59 PM	#7
Furious_Female Confirmed User Industry Role: Join Date: Oct 2002 Location: Upstate, New York Posts: 8,187	It was only a matter of time... at the people who think Firefox is God's gift to the internet. IE 4 lyfe __________________ Skype: j3nn.com ICQ 160370494 My current favorite high-converting sponsor: CrakRevenue

05-09-2005, 08:04 PM	#8
Spunky I need a beer Industry Role: Join Date: Jun 2002 Location: ♠ Toiletville ♠ Posts: 133,944	I gave up on it after it took control of too many things and I couldn't change it back __________________ *YOUR INFORMATION HERE*

05-09-2005, 08:29 PM	#9
reynold Too lazy to set a custom title Join Date: Oct 2002 Location: Global Traveler Posts: 51,271	thanks for the info smokey bear!