Cross-site Scripting Extremely Critical Vulnerability
- MorPob
- Posts: 36
- Joined: October 5th, 2004, 7:39 pm
- Location: Canada
Secunia has just reported a vulnerability with Fx that they rate as "Extremely Critical".
I couldn't find a bug filed in bugzilla for this. Is there one?
Mozilla Firefox Two Vulnerabilities (http://secunia.com/advisories/15292/)
Release Date: 2005-05-08
Secunia Advisory ID: SA15292 (http://secunia.com/advisories/15292/)
Solution Status: Unpatched
Criticality: Extremely Critical
Impact: Cross Site Scripting, System access
Where: From remote
Short Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
Long Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.
NOTE: Exploit code is publicly available.
The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.
To protect yourself against this vulnerability until there is a patch:
Tools > Options > Web Features > uncheck "Allow web sites to install software"
More information:
Firefox Remote Compromise Technical Details - greyhatsecurity.org
http://greyhatsecurity.org/firefox.htm
Secunia - Advisories - Mozilla Firefox Two Vulnerabilities
http://secunia.com/advisories/15292/
FrSIRT Advisories - Mozilla Firefox "Extensions" Remote Code Execution Vulnerability / Exploit
http://www.frsirt.com/english/advisories/2005/0493
WhiteDust Security / Mozilla News / New Mozilla Firefox 1.0.3 Exploit
http://www.whitedust.net/newsview.php?NewsID=450
Last edited by MorPob on May 8th, 2005, 3:52 pm, edited 3 times in total.
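Item 2 of the advisory quoted above comes down to a URL parameter that is used without checking its scheme. As an added example (not code from this thread, Secunia or Mozilla), here is a scheme allowlist check of the kind that closes that class of bug, contrasted with a naive string test; the function names and the `addons.example` host are hypothetical.

```javascript
// Added example: validate a page-supplied icon URL before privileged code uses it.
// Only schemes on the allowlist survive; everything else is rejected.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized absolute URL, or null when the value must be rejected.
function safeIconUrl(rawIconUrl, pageUrl) {
  if (typeof rawIconUrl !== "string") return null;
  let parsed;
  try {
    // Resolve against the calling page. The URL parser lowercases the scheme
    // and strips leading whitespace and embedded tabs/newlines, so the check
    // below sees the same scheme the consumer of the URL would see.
    parsed = new URL(rawIconUrl, pageUrl);
  } catch (e) {
    return null; // unparseable input is rejected, not passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Naive denylist on the raw string, shown only for contrast.
function naiveIsSafe(rawIconUrl) {
  return !rawIconUrl.startsWith("javascript:");
}

// Constructed sample inputs (harmless placeholders, not taken from any exploit).
const SAMPLES = [
  "icons/ext.png",               // relative URL, resolves to https
  "//cdn.example/i.png",         // scheme-relative, inherits https
  "javascript:void(0)",          // rejected by both checks
  "JaVaScRiPt:void(0)",          // mixed case slips past the naive check
  " javascript:void(0)",         // leading space slips past the naive check
  "java\tscript:void(0)",        // embedded tab slips past the naive check
  "data:image/png;base64,AAAA",  // not on the allowlist
];

// Compare both checks over the samples for a given calling page.
function audit(pageUrl) {
  return SAMPLES.map((input) => ({
    input,
    naiveAccepts: naiveIsSafe(input),
    strictAccepts: safeIconUrl(input, pageUrl) !== null,
  }));
}

console.log(audit("https://addons.example/ext/"));
```

The allowlist is applied to the parsed result rather than the raw string, which is why the case, whitespace and tab variants that the naive test accepts are all rejected.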
-
- Posts: 87
- Joined: May 3rd, 2005, 3:17 pm
- Contact:
- MorPob
- Posts: 36
- Joined: October 5th, 2004, 7:39 pm
- Location: Canada
I agree Blind Wolf. It would be nice to knock off those other bugs as well to give us a perfect "Solution Status" pie.
http://secunia.com/product/4227/#statistics_solution
-
- Posts: 87
- Joined: May 3rd, 2005, 3:17 pm
- Contact:
-
- Posts: 24
- Joined: July 14th, 2004, 7:19 am
frsirt.com wrote:* Solution *
- Disable JavaScript, or disable the "Allow web sites to install software" option [Tools - Options - Web Features].
The Allow web sites to install software option should be disabled anyway by default, and enabled when specifically installing extensions, and switched off immediately after.
Just hope people use the same procedure.
-
- Posts: 87
- Joined: May 3rd, 2005, 3:17 pm
- Contact:
-
- Posts: 87
- Joined: May 3rd, 2005, 3:17 pm
- Contact:
- MorPob
- Posts: 36
- Joined: October 5th, 2004, 7:39 pm
- Location: Canada
I don't want to downplay the importance of fixing this bug but...this vulnerability IMHO is no longer an "extremely critical" since it can no longer be exploited in the default configuration of Fx. The Fx team has taken steps to mitigate the problem at (the default sites) update.mozilla.org and addons.mozilla.org.
-
- Posts: 3826
- Joined: November 14th, 2004, 4:41 am
- Location: Alberta, Canada
- Contact:
uuhhh I just made a new profile and it's enabled by default morpob
I'm moving to Theory, everything works there.
Most issues are solved by going through the Standard Diagnostic
-
- Posts: 87
- Joined: May 3rd, 2005, 3:17 pm
- Contact:
- MorPob
- Posts: 36
- Joined: October 5th, 2004, 7:39 pm
- Location: Canada
BlindWolf8 wrote:What have they done there to "fix" this bug?
From the bugzilla comments:
It only works for 1) sites on your whitelist that 2) have an install function
that is callable. In our case, morgamic basically made the install() function
be randomly named.
Thus code on a nefarious web page can not call the local Fx install() function any longer because it does not know what it is named.
Update: The above fix still had issues so the Moz Team moved update to an untrusted domain. Just go out to grab more extensions either through Fx's "Get More Extensions" or https://addons.mozilla.org and you will see.
-
- Posts: 33
- Joined: November 13th, 2004, 5:37 pm
- Location: Behind a glowing thing i like to call a monitor
- Contact:
- MorPob
- Posts: 36
- Joined: October 5th, 2004, 7:39 pm
- Location: Canada
Da Dude wrote:BlindWolf8 wrote:By the way, when are we going to see those other 3 very low risk bugs fixed? 1.1? That red slice looks very big compared to Opera's, hehe.
if i'm not mistaken these are fixed in the trunks
Unfortunately they were not addressed in 1.0.4
I took a look at secunia and found that IE has a vulnerability that is rated as Highly Critical that is more than a year old.