You are here: silicon.com > Software > Security Strategy

Firefox open to exploit code attacks

Malicious websites can steal your cookies...

Tags: mozilla, firefox

By Dawn Kawamoto

Published: 10 May 2005 09:10 BST

Two vulnerabilities in the popular Firefox browser have been rated "extremely critical" because exploit code is now available to take advantage of them.

The cross-site scripting and remote system access flaws were discovered in Firefox version 1.0.3, but other versions may also be affected, said security company Secunia, which issued the ratings at the weekend.

The two vulnerabilities, when combined, can be exploited, but no known cases have yet emerged where an attacker took advantage of the public exploit code.

One flaw involves "IFRAME" JavaScript URLs, which are not properly protected from being executed in the context of another URL in the history list.

Thomas Kristensen, Secunia's chief technology officer, said: "If you visit a malicious website, it can steal cookie information from other websites you have previously visited." The attacker could then use that information to engage in identity theft or gain access to other password-protected sites that the victim visited.

A second vulnerability exists in the IconURL parameter in InstallTrigger.install(). Information passed to this parameter is not properly verified before it's used, allowing an attacker to gain user privileges. This flaw could allow an attacker to gain and escalate user privileges on a system.

People who want new extensions or themes need to go to the Mozilla update service. These extensions and themes will need to be manually installed.

Since the vulnerabilities were discovered, the Mozilla Foundation, which owns Firefox, has taken preventive measures.

Mozilla has changed its update web service and advises people to temporarily disable JavaScript.

However, people who download and install the Mozilla software from third-party sites are still at risk, Kristensen said.

"The threat still exists but is less critical now," he noted. "People can go to third-party sites to install the software, but it's not going to happen on as wide a scale as it had with the Mozilla sites."

Dawn Kawamoto writes for CNET News.com

Add comment

Print story

Email story

RSS

You can use the Mozilla advised work-arounds to re...
Anonymous

Click here to see all

Mozilla: Firefox 'as safe as a condom'

Mozilla flaws reveal personal web data

Security flaw found in Firefox

Mozilla pays bug hunter $2,500 for Firefox flaw finds

In silicon.com

Commentary

Martin Brampton Brampton Factor: Open source stands up for its rights Copyright can keep the movement alive...

Bob Tarzey The rise and rise of Infor Quocirca's Straight Talking: Where next for the apps giant?

Latest News

IBM blade slashes security threat

UK crime fighters grapple with iPhone wipe threat

Microsoft criticises Google over privacy

Warning over wi-fi 'piggybackers'

Liverpool midwives cull paper with 3G laptops

One million bank customers' details sold on eBay

Jobs

IT Service Manager, Swindon (12 month fixed-term contract)

The successful candidate will be responsible for managing a third party service provider who delivers most of the ICT services and ensuring that all ...

CUSTOMER SERVICE MANAGER-IMMEDIATE- SURREY 45-50k

Also, to act as an escalation point between the Support Analysts and Support Manager, To support the service delivery manager in implementing a ...

VB/.Net Analyst Programmer - London -

The job-holder is also responsible for the integration of third party products into the overall suite of applications in use. Principal Duties: ...

Special Report Focus

CIO50 2008
The silicon.com CIO50 2008 profiles the most influential and innovative tech chiefs in the UK across all industries and organisation size, from the biggest FTSE100 companies to high growth dot-com start ups and the public sector. The list was voted on by the UK CIO community and a panel of experts. Find out more in our latest special report.