Firefox Problems

FYI

Firefox exploit targets zero day vulns
By John Leyden
Published Monday 9th May 2005 11:38 GMT

Security researchers have discovered two unpatched vulnerabilities in
Firefox, the popular alternative web browser. The security bugs affect
even the latest version of Firefox (version 1.0.3) and create a means
for attackers to seize control of vulnerable systems using cross-site
scripting attacks.

One vulnerability enables arbitrary JavaScript code with escalated
privileges to be executed via a specially crafted JavaScript URL.
Successful exploitation requires that a site is allowed to install
software (default sites are “update.mozilla.org” and
“addons.mozilla.org”). This would normally drastically reduce the scope
for mischief - but for a second security bug, involving “IFRAME”
JavaScript URLs, which creates a means to execute arbitrary HTML and
script code in the context of an arbitrary site.

A combination of the two vulnerabilities can be exploited to execute
arbitrary code on vulnerable systems, according to Danish security firm
Secunia. Exploit code is publicly available, greatly increasing the
chance of attack, it warns. The vulnerabilities - described by Secunia
as “extremely critical” - have been confirmed in version 1.0.3 of
Firefox. Other versions may also be affected.

Users are advised to disable JavaScript and the software installation
option within Firefox pending a more comprehensive fix from the Mozilla
Foundation.

Thanks for the heads up Rupert. Can you try to keep us updated on the security patches? Thanks.

HOW TO DISABLE THESE FEATURES:

In Firefox:

Tools>Options

Web Features Tab (left hand side)

Uncheck “Enable Javascript” and “Allow websites to install software”

Click “OK”

And just when you started to really love this browser!

Mine doesn’t have “Allow websites to install software” :confused: