Firefox Develops Security Holes
Techtree.com | May 09, 2005 | Techtree News Staff
Posted on 05/09/2005 7:00:15 AM PDT by holymoly
Firefox seems to be heading Internet Explorer's way with security research company Secunia stating on its website that two vulnerabilities found in the popular browser can be exploited to conduct cross-site scripting attacks and compromise a user's system.
The Mozilla Foundation is aware of the two potentially critical Firefox security vulnerabilities. They maintain that there are currently no known active exploits of these vulnerabilities though a "proof of concept" has been reported.
Mozilla stated that it is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update. Users can further protect themselves by temporarily disabling JavaScript.
According to Secunia, the problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in the context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an arbitrary site.
It also seems that input passed to the "IconURL" parameter of "InstallTrigger.install" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.
A combination of the vulnerabilities can be exploited to execute arbitrary code.
Secunia also claims that the exploit code is publicly available. So far the vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.
A temporary solution has been added to the sites "update.mozilla.org" and "addons.mozilla.org", where requests are redirected to "do-not-add.mozilla.org". This stops the publicly available exploit code from using a combination of the vulnerabilities to execute arbitrary code in the default settings of Firefox.
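As an added illustration of the check the article says was missing on the "IconURL" parameter (this is not Mozilla's code or its patch; the function names and the allowed-scheme list are assumptions for illustration), an allow-list scheme validator that rejects script pseudo-URLs, including ones padded with tabs or control characters that lenient parsers of the era tolerated:

```javascript
// Assumed for illustration: only plain web URLs may be used as an icon.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Extract the scheme from the raw string after dropping C0 control
// characters (tab, newline, NUL, ...), so "java\tscript:" is still seen
// as "javascript:" rather than slipping past as a relative reference.
function rawScheme(url) {
  const cleaned = String(url).replace(/[\u0000-\u001f]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() + ":" : null;
}

// Return true only when the value resolves to an http(s) URL. The base is
// a constructed placeholder so relative paths can be resolved offline.
function isSafeIconUrl(url, base = "https://example.invalid/") {
  let parsed;
  try {
    parsed = new URL(String(url).trim(), base); // rejects malformed input
  } catch (e) {
    return false;
  }
  // Check the scheme both before parsing (raw string) and after parsing
  // (normalized by the URL parser); both must be on the allow list.
  const scheme = rawScheme(url);
  if (scheme !== null && !ALLOWED_SCHEMES.has(scheme)) return false;
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Constructed sample inputs: the first two are the kind a caller would
// legitimately pass, the rest are script pseudo-URLs that must be refused.
const SAMPLES = [
  "https://example.invalid/icons/app.png",
  "/icons/app.png",
  "javascript:void(0)",
  " JavaScript:void(0)",
  "java\tscript:void(0)",
  "data:text/html,x",
];

function classify(samples = SAMPLES) {
  return samples.map((s) => [s, isSafeIconUrl(s)]);
}

module.exports = { isSafeIconUrl, rawScheme, classify };
```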
TOPICS: News/Current Events; Technical
KEYWORDS: browser; bug; firefox; flaw; mozilla; security
To: frogjerk
IE - Of 80 total vulnerabilities - 14% Extremely Critical, 28% Highly Critical
Firefox - Of 16 total vulnerabilities - 6% Extremely Critical , 13% Highly Critical
The numbers speak for themselves...
Actually they do -- thanks for pointing that out. You neglected TIME (length of each app on the market, and time taken to isolate and fix the vulnerabilities.) The numbers say that 80 vulnerabilities in Explorer and only 16 have been fixed in Firefox. This pops the myth "that open source is more secure" because Firefox has been around a lot less than Explorer and still major vulnerabilities have been found. It would be an interesting data point to discover how many vulnerabilities Explorer had in the same time period as Firefox.
To: MrsEmmaPeel
Actually they do -- thanks for pointing that out. You neglected TIME (length of each app on the market, and time taken to isolate and fix the vulnerabilities.) The numbers say that 80 vulnerabilities in Explorer and only 16 have been fixed in Firefox. This pops the myth "that open source is more secure" because Firefox has been around a lot less than Explorer and still major vulnerabilities have been found. It would be an interesting data point to discover how many vulnerabilities Explorer had in the same time period as Firefox.
I believe Firefox is based on the Mozilla/Netscape code and has been around for quite a while...
42 posted on 05/11/2005 9:28:06 AM PDT by frogjerk
To: frogjerk
I believe Firefox is based on the Mozilla/Netscape code and has been around for quite a while...
Given that Firefox has as many as 20% of the vulnerabilities of IE in its short term of existence, that doesn't speak well to Firefox's future security liability...
43 posted on 05/11/2005 9:56:48 AM PDT by Bush2000
To: Shadow Deamon
I recently downloaded Firefox and now find that if I close it I cannot reopen it without rebooting. Does anyone else have this problem with Firefox? Am I doing something wrong?
44 posted on 05/11/2005 10:06:51 AM PDT by patj
To: Bush2000
Ditto. So where's the downside for me?
Sorry, I misunderstood. I thought you were using antivirus, anti-spyware, multiple firewalls, and on the multiple OS, app upgrades... etc. train.
these series of patches are just your imagination.
Sorry again. I didn't mean to imply that absolutely nothing was required after buying the 'puter - only that an almost hassle-free secure computing environment exists today.
45 posted on 05/11/2005 10:41:16 AM PDT by D-fendr
To: Bush2000
When you compare what we had just a few short years ago, the differences in terms of price and quality are enormous. And they're getting better.
Good to hear you say. I think the same will be true for security eventually. It may be the major software vendors or it may be with extending the security fence by ISPs or some combination. But I don't think the current security cost/vulnerability situation will continue indefinitely.
46 posted on 05/11/2005 10:44:00 AM PDT by D-fendr
To: Bush2000
Given that Firefox has as many as 20% of the vulnerabilities of IE in its short term of existence, that doesn't speak well to Firefox's future security liability...
I fail to see the downside of using Firefox right now...If you are stating that it will be as insecure as the product that most users are using right now (IE), that does little to champion IE usage.
IE users: "Don't worry, Firefox will be as bad as us soon. So, use IE now and despair with us."
47 posted on 05/11/2005 11:01:43 AM PDT by frogjerk
To: patj
Which version are you using?
48 posted on 05/11/2005 11:03:53 AM PDT by frogjerk
To: patj
That's odd. It sounds like the process isn't terminating properly for some reason. The first thing I would suggest is disabling any extensions you've added and returning to the default skin if you've changed it. If that solves the problem, you can re-enable the extensions one at a time until you find the offender. If that doesn't fix it, or you don't have any extensions/skins in the first place, I would suggest uninstalling it and reinstalling it.
49 posted on 05/11/2005 11:06:04 AM PDT by general_re
("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)
To: D-fendr
Sorry, I misunderstood. I thought you were using antivirus, anti-spyware, multiple firewalls, and on the multiple OS, app upgrades... etc. train.
I do have a wireless AP which also serves as a hardware firewall. My machine is set up to take automatic updates, and my virus and spyware scanners also update every day at 2am. There's really no practical maintenance for me. I know that must disappoint some people. But them's the facts.
50 posted on 05/11/2005 2:10:22 PM PDT by Bush2000
To: D-fendr
Sorry again. I didn't mean to imply that absolutely nothing was required after buying the 'puter - only that an almost hassle-free secure computing environment exists today.
Again, what's the downside to using IE for me? I don't need to maintain it. I don't have any spyware on my box at all. It can't get any easier.
51 posted on 05/11/2005 2:11:40 PM PDT by Bush2000
To: D-fendr
Good to hear you say. I think the same will be true for security eventually. It may be the major software vendors or it may be with extending the security fence by ISPs or some combination. But I don't think the current security cost/vulnerability situation will continue indefinitely.
According to the press reports, Longhorn will have a big emphasis on security: restricted accounts by default, sandboxed IE, etc. Should be interesting...
52 posted on 05/11/2005 2:13:06 PM PDT by Bush2000
To: frogjerk
I fail to see the downside of using Firefox right now...If you are stating that it will be as insecure as the product that most users are using right now (IE), that does little to champion IE usage.
Firefox already is as bad as IE. You simply don't know it.
53 posted on 05/11/2005 2:13:46 PM PDT by Bush2000
To: Bush2000
Again, what's the downside to using IE for me? I don't need to maintain it. I don't have any spyware on my box at all. It can't get any easier.
It's more the Windows overhead that could be a little easier anyway: no antivirus or spysweepers to buy, install or manage, or worry about conflicts, or setting up a secure Windows install, and then those occasions where you have to reinstall..
But, I think you probably have your stuff pretty tight and down to an efficient maintenance schedule. It's more the average Joe, Jane or Grandma Sue user who sucks wind on security.
Then there's the business user - usually an exec or laptop user - who seems to find a way to get infected every month or two. There's quite a bit of overhead in corp technology spent on keeping it as productive as it is, still stuff gets through and even if it doesn't that's money that could be spent on better things..
54 posted on 05/11/2005 3:29:06 PM PDT by D-fendr
To: Bush2000
restricted accounts by default
I don't get why this wasn't the way before. Why not turn on vulnerabilities instead of having to know all the doors to close?
sandboxed IE
Help me out a bit on this one. My (quite limited) understanding is that IE is the GUI or a required dll for the GUI, and that this is one of the main reasons IE exploits have such damaging capability.
Anywhere near correct?
55 posted on 05/11/2005 3:35:07 PM PDT by D-fendr
To: Bush2000
Firefox already is as bad as IE. You simply don't know it.
Prove it.
56 posted on 05/11/2005 3:54:25 PM PDT by frogjerk
To: frogjerk
The recent vulnerability rate is just as bad as IE's.
57 posted on 05/12/2005 12:42:43 AM PDT by Bush2000
To: D-fendr
It's more the Windows overhead that could be a little easier anyway: no antivirus or spysweepers to buy, install or manage, or worry about conflicts, or setting up a secure Windows install, and then those occasions where you have to reinstall..
I didn't pay for any of this software. It's all free. Similarly, I installed it once. No maintenance involved. It updates and runs in the middle of the night, when I'm not using the machine. So where's the downside for me?
But, I think you probably have your stuff pretty tight and down to an efficient maintenance schedule. It's more the average Joe, Jane or Grandma Sue user who sucks wind on security.
The average Joe should check out the Microsoft Anti-Spyware Beta, SpyBot Search & Destroy, and LavaSoft Ad-Aware SE Personal Edition. All free. The MS tool is completely automated.
Then there's the business user - usually an exec or laptop user - who seems to find a way to get infected every month or two. There's quite a bit of overhead in corp technology spent on keeping it as productive as it is, still stuff gets through and even if it doesn't that's money that could be spent on better things..
There's literally no distinction between these sets of users, given the sophistication of the available tools.
58 posted on 05/12/2005 12:47:44 AM PDT by Bush2000
To: D-fendr
I don't get why this wasn't the way before. Why not turn on vulnerabilities instead of having to know all the doors to close?
Well, actually, Windows does support restricted accounts already. The difference is that MS will actually enforce the use of restricted accounts for users with OEMs.
Help me out a bit on this one. My (quite limited) understanding is that IE is the GUI or a required dll for the GUI, and that this is one of the main reasons IE exploits have such damaging capability. Anywhere near correct?
IE is just an application. Sure, it's integrated into the OS. But the fact of the matter is that it's essentially just an app. From what the press reports say, MS will make IE run with reduced privileges, even if you happen to be logged in as Administrator (aka root). So, even if exploits occur, buffer overflows, hijacking the registry, and other kinds of attacks will not work due to restricted privileges.
59 posted on 05/12/2005 12:51:58 AM PDT by Bush2000
To: All
Firefox 1.0.4 is available at www.mozilla.org if you all haven't gotten it yet.
I just downloaded Firefox yesterday to update an infrequently used laptop (and it was 1.0.3 at the time) so this must have gone up recently.