AT&T Tech Support 360
- Related Stories
-
Bugs put heat on Firefox
April 19, 2005 -
Mozilla flaws could allow attacks, data access
April 18, 2005 -
Flaw found in Firefox
April 5, 2005
The cross-site scripting and remote system access flaws were discovered in Firefox version 1.0.3, but other versions may also be affected, said security company Secunia, which issued the ratings Sunday.
News.blog
Security
Get our reporters'
take on what's happen-
ing in the world of
spam and scams.
The two vulnerabilities, when combined, can be exploited, but no known cases have yet emerged where an attacker took advantage of the public exploit code.
One flaw involves "IFRAME" JavaScript URLs, which are not properly protected from being executed in the context of another URL in the history list.
"If you visit a malicious Web site, it can steal cookie information from other Web sites you had previously visited," said Thomas Kristensen, Secunia's chief technology officer. The attacker could then use that information to engage in identity theft or gain access to other password-protected sites that the victim visited.
A second vulnerability exists in the IconURL parameter in InstallTrigger.install(). Information passed to this parameter is not properly verified before it's used, allowing an attacker to gain user privileges. This flaw could allow an attacker to gain and escalate user privileges on a system.
People who want new extensions or themes need to go to the Mozilla update service. These extensions and themes will need to be manually installed.
Since the vulnerabilities were discovered over the weekend, the Mozilla Foundation, which owns Firefox, has taken preventive measures.
Mozilla has changed its update Web service and advises people to temporarily disable JavaScript.
However, people who download and install the Mozilla software from third-party sites are still at risk, Kristensen said.
"The threat still exists but is less critical now," he noted. "People can go to third-party sites to install the software, but it's not going to happen on as wide a scale as it had with the Mozilla sites."
See more CNET content tagged:
Mozilla Corp.,
vulnerability,
Firefox,
attacker,
flaw
product is less secure than others. Everything you use on your
computer can have some aspect of insecurity. Some are more
secure than others.
Even Mac, paraded for it's security, has had bugs and holes in
the past. What put Mac on top for security is the limited amount
of these and the quick turn around time for Apple to patch
them.
Just because a fault has been found doesn't mean Firefox is
more insecure than IE. In short time Mozilla will most likely put
out a patch for this problem.
I think the bigger picture here is how fast it is fixed excluding work arounds.
I suppose that the real questions are...
How critical is the flaw? How fast is a patched delivered? How complete is the patch? And how well is the patch delivered?
As far as comparing browsers goes I think you could compare them based on the following.
How well does it support standards or "recomendations"?
How much bloat does it have?
How user friendly is it?
How supported is it?
How does the company deal with flaws?
How fast does it render pages?
How well implamented is its security?
How many net related protocols does it support?
I'm sure others could add to this list.
In my opinion it comes down to how they all compare placed on an even field.
- Secunia (and other security companies of course) only lists PUBLICLY known exploits and is NOT a measure of product quality. For that reason Firefox may appear to have more vulnerabilities but that is more likely due to the source code being public and freely available to security firms.
- Mozilla has effectively disabled the remote system access exploit, as mentioned in the article within a few days of the exploit becoming publicly known. The worst of the exploits has ALREADY been mitigated.
- These exploits were known May 2nd, discovered by two guys: Paul of Greyhats Security Group and Michael Krax (who had received a Bug bounty of $2500 for discovering 5 other exploits). The exploits were restricted to security related people until the Mozilla group could come around to fixing it.
Here's the important part:
Some IDIOT released information on that exploit without Mozilla, Paul, or Michael's permission, thereby exposing 50 million users. Paul believes somebody hacked his server.
- Because of this, this is the ONLY reason why the flaw is even listed on Secunia as critical. Michael Krax himself found 5 security flaws, however they were silently fixed and they do not appear on Secunia.
- It's still safe to say that Firefox is secure because the whole system is excellent. Just because there's one critical flaw doesn't automatically make Firefox a bad browser. Mozilla will probably release a new version in a few days. Microsoft releases Internet Explorer patches on the second Tuesday of each month. Go figure. Mozilla also rewards people who find a security bug with $500. What an awesome incentive!
What is interesting is how long it takes MS to release a patch. Sometimes, the patches come out relatively quickly (quicker than Firefox), and yet at other times, it takes them MONTHS to address the issue.
WRONG. Disabling JavaScript was Secunia's idea and Mozilla has suggested a better way. Quote from MozillaZine : "The Secunia advisory suggests disabling JavaScript as a workaround; however, simply disabling software installation eliminates the problem."
So for work I'll be sticking with IE and for home Opera (btw, for home I'm not saying Opera is better, it's just my preference).
OK. I'm ready for the evangelical replies.
So, everyone's running the most updated version of IE because of it, and there are no insecure versions of it being run by users?
Hmmm. . .I didn't realize that automatic updates were a cure-all.
Evanginical enough a reply for you?
One thing that does amaze me is that it seams like those who cursed those security experts for releasing the vulnerabilities only after a month or two for IE are now over joyed that Firefox's flaws get publicized only day's after it is found.
I understand the need to get behind one side or the other, but we aren't really doing anybody any good. Debating computer has (or always has been) like debate religion. Everybody is always on the right side. That's just my opinion.
This is nothing new. Internet explorer is the best example. It is one of the best browsers. However it stopped being just a browser after version 3.0.
With every component of its being reusable, and features that competes with operating systems, Internet explorer code-base has become too complex.
With complexity it has now involved into big security risk. I am sure Firefox if it goes high on its success; shall land up into same insecure browser category.
http://news.com.com/Critical+flaws+in+IE+and+Outlook+discovered/2100-1002_3-5650238.html?tag=cd.hed
I am not making excuses for the flaw, however, giving their previous track record, you can be sure there will be an updated version shortly...
The point I'm reaching at is though the Firefox programmers aren't as newb as I am in programming, they are still human, and flaws are expected. It's just a matter of getting them fixed quick enough before something extreme occurs (mass infection of viruses, hacks, etc.).
- Release candidates available!
-
by hion2000
May 10, 2005 2:47 PM PDT
- http://weblogs.mozillazine.org/asa/archives/008121.html
-
Reply to this comment
-
See all 37 Comments >>That, my friends is why we back Mozilla and not Microsoft. One exploit disabled within hours, both fixed in under two days.
Bravo :)