Posted on 05/09/2005 7:00:15 AM PDT by holymoly
Firefox seems to be heading Internet Explorer's way with security research company Secunia stating on its website that two vulnerabilities found in the popular browser can be exploited to conduct cross-site scripting attacks and compromise a user's system.
The Mozilla Foundation is aware of the two potentially critical Firefox security vulnerabilities. They maintain that there are currently no known active exploits of these vulnerabilities though a "proof of concept" has been reported.
Mozilla stated that it is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update. Users can further protect themselves by temporarily disabling JavaScript.
According to Secunia the problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
It seems that input passed to the "IconURL" parameter in "InstallTrigger.install" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.
A combination of the vulnerabilities can be exploited to execute arbitrary code.
Secunia also claims that the exploit code is publicly available. So far the vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.
A temporary solution has been added to the sites "update.mozilla.org" and "addons.mozilla.org" where requests are redirected to "do-not-add.mozilla.org". This will stop the publicly available exploit code using a combination of the vulnerabilities to execute arbitrary code in the default settings of Firefox.
"That's false. Unlike many "alternative" browsers, Opera has its own engine."
Oh, thanks for setting me straight on that. I'll have to take a more serious look at Opera then. It looks like a very nice browser but I was leery about the engine.
I currently use Firefox and have for several years with no problems at all.
Who cares why? I just want safe, more hassle-free computing. The rest is theoretical esoterica: interesting to debate, irrelevant when choosing a computer/browser.
Yeah, really. Somebody flunked headline writing class at journalism school.
Bush2000, you're alive! I thought you were banned by now :)
It wasn't a non sequitur, but I did leave myself open. Let me put it this way, an equivalent set of programmers writing a Firefox, or an IE, will inherently end up with more vulnerabilities with an IE because there is so much more going on at a lower level in the operating system. That's just a logical fact.
If IE were split off from the operating system, it would be less vulnerable to system-destroying exploits. Why would I write a crappy Firefox virus when I could destroy western civilization by driving a core through Internet Explorer on every machine?
OK. Post #8 in this very thread.
He not only used the word "Only," but he bolded it and used all-caps.
That pretty much means that he considers all code to be equally insecure.
Almost every single thread about software, someone will bring up some variation of the above line. I've gotten so sick of seeing it, that I have a preformatted reply that exposes it for the FUD that it is.
Oh, I don't know. Perhaps as someone else already said on this thread, it might be done for the bragging rights of having created the first successful virus/worm to attack Macs.
I've seen this charge that the small market share that Mac and Linux have is what keeps them safe. It is repeated often enough and seems reasonable enough until you actually look at the history of some other worms/viruses.
Consider: the spread of the Witty Worm.
Quoth the poster:
Witty infected only about a tenth as many hosts than the next smallest widespread Internet worm. Where SQL Slammer infected between 75,000 and 100,000 computers, the vulnerable population of the Witty worm was only about 12,000 computers. Although researchers have long predicted that a fast-probing worm could infect a small population very quickly, Witty is the first worm to demonstrate this capability. While Witty took 30 minutes longer than SQL Slammer to infect its vulnerable population, both worms spread far faster than human intervention could stop them. In the past, users of software that is not ubiquitously deployed have considered themselves relatively safe from most network-based pathogens. Witty demonstrates that a remotely accessible bug in any minimally popular piece of software can be successfully exploited by an automated attack.
I suspect there are more than 12,000 Linux and/or Mac hosts out there on the internet.
Also, consider that the folks who were hit with this were also among the more security-conscious users:
The vulnerable host population pool for the Witty worm was quite different from that of previous virulent worms. Previous worms have lagged several weeks behind publication of details about the remote-exploit bug, and large portions of the victim populations appeared to not know what software was running on their machines, let alone take steps to make sure that software was up to date with security patches. In contrast, the Witty worm infected a population of hosts that were proactive about security -- they were running firewall software. The Witty worm also started to spread the day after information about the exploit and the software upgrades to fix the bug were available.
Show me a successful worm/virus against Macs and I'll listen. Until then, your talking point is FUD.
A full discussion of the 'witty' worm can be found Here
Source: http://news.yahoo.com/s/pcworld/120756
Firefox has unpatched "extremely critical" security holes and exploit code is already circulating on the Net, security researchers have warned.
The two unpatched flaws in the Mozilla browser could allow an attacker to take control of your system.
A patch is expected shortly, but in the meantime users can protect themselves by switching off JavaScript. In addition, the Mozilla Foundation has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts.
The flaws were confidentially reported to the Foundation on May 2, but by Saturday details had been leaked and were reported by several security organizations, including the French Security Incident Response Team (FrSIRT). Danish security firm Secunia marked the exploit as "extremely critical", its most serious rating, the first time it has given a Firefox flaw this rating.
In recent months Firefox has gained significant market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that the browser is more secure partly because of its relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser.
Two Vulnerabilities Found
The exploit, discovered by Paul of Greyhats Security Group and Michael "mikx" Krax, makes use of two separate vulnerabilities. An attacker could create a malicious page using frames and a JavaScript history flaw to make software installations appear to be coming from a "trusted" site. By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist.
The second part of the exploit triggers software installation using an input verification bug in the "IconURL" parameter in the install mechanism. The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox, according to researchers.
Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, users may be vulnerable if they have added other sites to the whitelist, it warned.
"We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement published on Mozillazine.org.
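The two checks the articles above describe (an install-site whitelist and verification of the "IconURL" value), sketched as an added example; this is not Mozilla's code or its patch, and `checkInstallRequest`, the constant names and the sample URLs are hypothetical. It parses the icon URL before testing its scheme, so case, leading whitespace and embedded tabs cannot hide a `javascript:` URL from the check.

```javascript
// Illustration only: names below are hypothetical, not Firefox internals.
// The default whitelist hosts are the two the article names.
const INSTALL_WHITELIST = new Set(["update.mozilla.org", "addons.mozilla.org"]);
// Assumption: an icon only ever needs to be fetched over http(s).
const SAFE_ICON_SCHEMES = new Set(["http:", "https:"]);

// Parse with the WHATWG URL parser; return null instead of throwing.
function parseUrl(value, base) {
  try {
    return new URL(value, base);
  } catch {
    return null;
  }
}

// Decide whether an install request from pageUrl with the given icon URL
// should proceed. Returns { allowed, reason }.
function checkInstallRequest(pageUrl, iconUrl) {
  const page = parseUrl(pageUrl);
  if (!page || !SAFE_ICON_SCHEMES.has(page.protocol)) {
    return { allowed: false, reason: "bad-origin" };
  }
  // Exact host match: "addons.mozilla.org.example.net" must not pass.
  if (!INSTALL_WHITELIST.has(page.hostname)) {
    return { allowed: false, reason: "origin-not-whitelisted" };
  }
  if (iconUrl !== undefined) {
    // Resolve relative icon paths against the page, then check the
    // scheme of the parsed result rather than a prefix of the raw string.
    const icon = parseUrl(iconUrl, page.href);
    if (!icon || !SAFE_ICON_SCHEMES.has(icon.protocol)) {
      return { allowed: false, reason: "icon-scheme-rejected" };
    }
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample requests.
const page = "https://addons.mozilla.org/extensions/sample";
console.log(checkInstallRequest(page, "icons/sample.png"));
console.log(checkInstallRequest(page, " JavaScript:void(0)"));
console.log(checkInstallRequest(page, "java\tscript:void(0)"));
console.log(checkInstallRequest("https://addons.mozilla.org.example.net/", "a.png"));
```

The origin check only helps if the origin itself is reported correctly, which is what the frame and history flaw described above undermines.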
Very good, but IMHO you should add the even better example of the web servers. I forget which two servers we're talking about (I want to say Apache and IIS, but don't hold me to that), but in any case one of the servers has a far lower market share than the other, yet gets successfully attacked far more. Somebody made a great post about it on FR somewhere not too long ago.
Apache is definitely one of the best examples, but it is somewhat lessened in impact since Apache runs on Windows as well as Unix. Perhaps I'll be able to find some good stats that break usage down by OS.
Thanks for the suggestion. I'll see what I can do. If you happen to locate any other posts with similar stuff, feel free to ping me to the threads.
My wishes are here now.
Get ready to start patching.
I run software update about once a month or when necessary. That's it. No other malware, virus protection, hassles, costs involved.
But at least you won't have M$ to kick around, eh?
I'm happy with Microsoft now - it keeps our support people quite busy. But if a user can do without them, they'll have less hassle and more safety.
Dunno why anyone would wish otherwise.
I'm curious: Why do you think we are forever doomed to the current status quo of internet computing? Do you think things will never get better in terms of security cost, hassle and safety?