Free Republic

Firefox Develops Security Holes
Techtree.com ^ | May 09, 2005 | Techtree News Staff

Posted on 05/09/2005 7:00:15 AM PDT by holymoly

Firefox seems to be heading Internet Explorer's way with security research company Secunia stating on its website that two vulnerabilities found in the popular browser can be exploited to conduct cross-site scripting attacks and compromise a user's system.

The Mozilla Foundation is aware of the two potentially critical Firefox security vulnerabilities. They maintain that there are currently no known active exploits of these vulnerabilities though a "proof of concept" has been reported.

Mozilla stated that it is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update. Users can further protect themselves by temporarily disabling JavaScript.

According to Secunia the problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

It seems that input passed to the "IconURL" parameter in "InstallTrigger.install" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

A combination of the vulnerabilities can be exploited to execute arbitrary code.

Secunia also claims that the exploit code is publicly available. So far the vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.

A temporary solution has been added to the sites "update.mozilla.org" and "addons.mozilla.org" where requests are redirected to "do-not-add.mozilla.org". This will stop the publicly available exploit code using a combination of the vulnerabilities to execute arbitrary code in the default settings of Firefox.


TOPICS: News/Current Events; Technical
KEYWORDS: browser; bug; firefox; flaw; mozilla; security
Well, there's always...
Opera
1 posted on 05/09/2005 7:00:16 AM PDT by holymoly
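The article above says the "IconURL" value is "not properly verified" and that the trigger is a crafted JavaScript URL. As an added illustration (not part of the original post, and not Mozilla's actual fix), here is a generic scheme allowlist check for a caller-supplied icon URL; `checkIconUrl`, `ALLOWED_SCHEMES` and the sample hostnames are hypothetical.

```javascript
// Added illustration: scheme allowlist for a caller-supplied icon URL.
// checkIconUrl and ALLOWED_SCHEMES are hypothetical names, not Firefox code.
const ALLOWED_SCHEMES = new Set(["https:", "http:"]);

function checkIconUrl(raw, pageUrl) {
  if (typeof raw !== "string" || raw.length === 0) {
    return { ok: false, reason: "empty or non-string value" };
  }
  let parsed;
  try {
    // Parse the way a browser would: the WHATWG parser trims surrounding
    // whitespace, drops embedded tabs/newlines and lowercases the scheme,
    // so the check sees the scheme that would actually be used.
    parsed = new URL(raw, pageUrl);
  } catch (err) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme not allowed: " + parsed.protocol };
  }
  // Hand back the normalized URL so later code never touches the raw string.
  return { ok: true, url: parsed.href };
}

// Constructed sample inputs (hostnames are placeholders).
const page = "https://addons.example/extensions/item.html";
const samples = [
  "icons/ext.png",
  "https://cdn.example/i.png",
  "javascript:void(0)",
  "  JaVaScRiPt:void(0)",
  "java\tscript:void(0)",
  "data:text/html,x",
];
for (const s of samples) {
  console.log(JSON.stringify(s), checkIconUrl(s, page));
}
```

Checking the parsed scheme rather than string-matching the raw input is what catches the mixed-case and tab-split variants.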

To: holymoly
They try hard to look for Firefox's death knell and have come up short. It's still better from a security point of view than Internet Explorer. And with an open-source strategy, flaws can be spotted immediately along with a responsive turnaround on fixes. That's something lumbering Microsoft needs to work on.

(Denny Crane: "Sometimes you can only look for answers from God and failing that... and Fox News".)
2 posted on 05/09/2005 7:06:24 AM PDT by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)

To: holymoly

Opera has a great "magnify" feature that allows you to increase the size of the page, not just text. Unfortunately, Opera crashes too much.


3 posted on 05/09/2005 7:06:30 AM PDT by sittnick (There's no salvation in politics.)

To: holymoly

Still, it's 16 vulnerabilities for Firefox vs. 80 vulnerabilities for Internet Explorer...


4 posted on 05/09/2005 7:07:29 AM PDT by frogjerk

To: holymoly
Why would the people at FireFox be developing Security Holes?.....I thought Hackers did that..........
5 posted on 05/09/2005 7:10:21 AM PDT by Red Badger (Those whom the gods would destroy, they first make liberal.....................)

To: goldstategop
Firefox seems to be heading Internet Explorer's way with security research company Secunia stating on its website that two vulnerabilities found in the popular browser can be exploited to conduct cross-site scripting attacks and compromise a user's system.

16 vulnerabilities for Firefox vs. 80 vulnerabilities for IE...Firefox is sure going the way of IE... - sarcasm. Microsoft publishes 8 security fixes at a time!

6 posted on 05/09/2005 7:11:09 AM PDT by frogjerk

To: frogjerk

80? That was last week.........I'm sure it's more than doubled that by now......


7 posted on 05/09/2005 7:11:28 AM PDT by Red Badger (Those whom the gods would destroy, they first make liberal.....................)

To: holymoly
I get a kick out of all these people extolling the wonders of Firefox and the Mac browsers. I keep seeing this constant refrain of how "safe" these are compared to Microsoft IE. I see this safety claim from people like Walt Mossberg and others who should know better. It's a load of hooey!

The ONLY reason Firefox and the Mac browsers are "safer" is simply because they are not used extensively enough for hackers to bother with them! If and when they come into broader use they will suffer the same security issues as Microsoft IE.

Why should a hacker spend any time hacking only 7 percent of web browsers (Firefox & Mac) when he can spend the same amount of time and hack into 93 percent of everyone's computers?

8 posted on 05/09/2005 7:17:53 AM PDT by Obadiah

To: Obadiah

Oh yeah? Well my Firefox can kick your IE's butt! LOL

It really is a nice browser with a fuller feature set (not just the tabs.. people go ga-ga over the tabs). The extensions are what make Firefox awesome. Well.. that and the fact that it ain't Microsoft. ;)


9 posted on 05/09/2005 7:33:42 AM PDT by Dubya-M-Dees (The filibuster has become the tool of the sore loser.)

To: holymoly

"Well, there's always...
Opera"

As I understand it, Opera uses IE's engine, it's got all the vulnerability of IE. Not that it's not a nice browser, but it's no more secure than Firefox and most likely a lot less.


10 posted on 05/09/2005 7:47:49 AM PDT by Shadow Deamon

To: Egon; Eb Wilson

Firefox security ping


11 posted on 05/09/2005 7:53:06 AM PDT by RhoTheta (US out of the UN, now!)

To: frogjerk

The numbers you cite are TOTALS of PATCHED and unpatched vulnerabilities discovered so far for browsers of DIFFERING ages.

The Secunia security service lists as UNPATCHED 19 of 80 threats for the several-YEAR-old Internet Explorer 6.x, 5 of 16 for the several-MONTH-old Firefox 1.x, and 0 of 0 for the several-WEEK-old Opera 8.x.


12 posted on 05/09/2005 7:55:00 AM PDT by mdefranc

To: sittnick

I've used Opera for quite a while now and have very few crashes. Have you tried the new Opera 8 that is just out? These old eyes love the magnify feature.


13 posted on 05/09/2005 7:58:47 AM PDT by WatchOutForSnakes

To: WatchOutForSnakes

I bought 6 at the end of the cycle and they offered me (a paying customer) no discount for 7. I would think they would treat their non-adware customers better. I don't want adware, and I am not willing to pay full-freight for an upgrade when the last one crashed too much and was disagreeable with some web pages. I wish them well, but I'm okay with Firefox.


14 posted on 05/09/2005 8:06:47 AM PDT by sittnick (There's no salvation in politics.)

To: Shadow Deamon

"As I understand it, Opera uses IE's engine, it's got all the vulnerability of IE." - Shadow Deamon

That's false. Unlike many "alternative" browsers, Opera has its own engine. And, for whatever reasons, Opera's current and past versions have consistently had fewer UNPATCHED security problems than IE and Firefox.


15 posted on 05/09/2005 8:07:24 AM PDT by mdefranc

To: Obadiah

Yes, let's completely ignore the quality of the code and design principles that were involved because we know that all programs are inherently equal...

Sounds like the IT version of the post modernist view that all truth systems are ultimately equally valid and invalid.


16 posted on 05/09/2005 8:09:18 AM PDT by ILurkedIRegisteredIPosted

To: Dubya-M-Dees
Well.. that and the fact that it ain't Microsoft. ;)

Yes, that is clearly a benefit! I am simply bothered that people who know better always report how much "safer" these browsers are. They are not inherently safer, they are safer only because they are simply not in wide enough use - yet.

17 posted on 05/09/2005 8:10:01 AM PDT by Obadiah

To: Obadiah

"The ONLY reason Firefox and the Mac browsers are "safer" is simply because they are not used extensively enough "

That is a lie, and you guys know it. IE is tied into the complete operating system, no way any other browser has that many vulnerabilities.


18 posted on 05/09/2005 8:11:59 AM PDT by FastCoyote

To: ILurkedIRegisteredIPosted

You've seen the IE code?


19 posted on 05/09/2005 8:13:52 AM PDT by bobdsmith

To: mdefranc
IE - Of 80 total vulnerabilities - 14% Extremely Critical, 28% Highly Critical
Firefox - Of 16 total vulnerabilities - 6% Extremely Critical, 13% Highly Critical

The numbers speak for themselves...

20 posted on 05/09/2005 8:14:50 AM PDT by frogjerk

