Cross-site Scripting Extremely Critical Vulnerability

Discussion of bugs in Mozilla Firefox
MorPob
Posts: 36
Joined: October 5th, 2004, 7:39 pm
Location: Canada

Cross-site Scripting Extremely Critical Vulnerability

Post by MorPob »

Secunia has just reported a vulnerability with Fx that they rate as "Extremely Critical".

I couldn't find a bug filed in bugzilla for this. Is there one?

Mozilla Firefox Two Vulnerabilities (http://secunia.com/advisories/15292/)
Release Date: 2005-05-08
Secunia Advisory ID: SA15292 (http://secunia.com/advisories/15292/)
Solution Status: Unpatched
Criticality: Extremely Critical
Impact: Cross Site Scripting, System access
Where: From remote
Short Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
Long Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.
NOTE: Exploit code is publicly available.
The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.

To protect yourself against this vulnerability until there is a patch:
Tools > Options > Web Features > uncheck "Allow web sites to install software"

More information:

Firefox Remote Compromise Technical Details - greyhatsecurity.org
http://greyhatsecurity.org/firefox.htm

Secunia - Advisories - Mozilla Firefox Two Vulnerabilities
http://secunia.com/advisories/15292/

FrSIRT Advisories - Mozilla Firefox "Extensions" Remote Code Execution Vulnerability / Exploit
http://www.frsirt.com/english/advisories/2005/0493

WhiteDust Security / Mozilla News / New Mozilla Firefox 1.0.3 Exploit
http://www.whitedust.net/newsview.php?NewsID=450
Last edited by MorPob on May 8th, 2005, 3:52 pm, edited 3 times in total.
BlindWolf8
Posts: 87
Joined: May 3rd, 2005, 3:17 pm

Post by BlindWolf8 »

I'm assuming everyone is going to be using Firefox v1.0.4 by this time tomorrow? ;-)

By the way, when are we going to see those other 3 very low risk bugs fixed? 1.1? That red slice looks very big compared to Opera's, hehe.
MorPob
Posts: 36
Joined: October 5th, 2004, 7:39 pm
Location: Canada

Post by MorPob »

I agree Blind Wolf. It would be nice to knock off those other bugs as well to give us a perfect "Solution Status" pie.
http://secunia.com/product/4227/#statistics_solution
BlindWolf8
Posts: 87
Joined: May 3rd, 2005, 3:17 pm

Post by BlindWolf8 »

btw, MorPob, thanks for the link to FrSIRT. Didn't know about them. They list this risk as remotely AND locally exploitable while Secunia only lists it as remote...which site is correct?

Oh, and for the record, call me "BW". ;-)
Fx3_UK
Posts: 24
Joined: July 14th, 2004, 7:19 am

Post by Fx3_UK »

frsirt.com wrote:* Solution *

- Disable JavaScript, or disable the "Allow web sites to install software" option [Tools - Options - Web Features].

The Allow web sites to install software option should be disabled anyway by default, and enabled when specifically installing extensions, and switched off immediately after.

Just hope people use the same procedure.
BlindWolf8
Posts: 87
Joined: May 3rd, 2005, 3:17 pm

Post by BlindWolf8 »

frsirt.com wrote:* Solution *
...
The Allow web sites to install software option should be disabled anyway by default...

"should be" are the key words here. It's not, according to the other thread listed above.
MorPob
Posts: 36
Joined: October 5th, 2004, 7:39 pm
Location: Canada

Post by MorPob »

I don't want to downplay the importance of fixing this bug but...this vulnerability IMHO is no longer an "extremely critical" since it can no longer be exploited in the default configuration of Fx. The Fx team has taken steps to mitigate the problem at (the default sites) update.mozilla.org and addons.mozilla.org.
JaredM
Posts: 3826
Joined: November 14th, 2004, 4:41 am
Location: Alberta, Canada

Post by JaredM »

uuhhh I just made a new profile and it's enabled by default, MorPob
I'm moving to Theory, everything works there.
Most issues are solved by going through the Standard Diagnostic
BlindWolf8
Posts: 87
Joined: May 3rd, 2005, 3:17 pm

Post by BlindWolf8 »

What have they done there to "fix" this bug?
MorPob
Posts: 36
Joined: October 5th, 2004, 7:39 pm
Location: Canada

Post by MorPob »

BlindWolf8 wrote:What have they done there to "fix" this bug?


From the bugzilla comments:
It only works for 1) sites on your whitelist that 2) have an install function
that is callable. In our case, morgamic basically made the install() function
be randomly named.

Thus code on a nefarious web page cannot call the local Fx install() function any longer because it does not know what it is named.

Update: The above fix still had issues so the Moz Team moved update to an untrusted domain. Just go out to grab more extensions either through Fx's "Get More Extensions" or https://addons.mozilla.org and you will see.
Da Dude
Posts: 33
Joined: November 13th, 2004, 5:37 pm
Location: Behind a glowing thing i like to call a monitor

Post by Da Dude »

BlindWolf8 wrote:By the way, when are we going to see those other 3 very low risk bugs fixed? 1.1? That red slice looks very big compared to Opera's, hehe.


If I'm not mistaken these are fixed in the trunk.
luntrus
Posts: 141
Joined: May 3rd, 2005, 1:37 pm
Location: Netherlands

Post by luntrus »

Have you seen my jar posting here on the forum,

Please react,

luntrus :mrgreen:
Fx forever
SteelyDon
Posts: 324
Joined: March 29th, 2004, 4:49 pm
Location: Canada

Post by SteelyDon »

"should be are the key words here. It's not, according to the other thread listed above."

To my great surprise, it was NOT disabled by default on mine.
MorPob
Posts: 36
Joined: October 5th, 2004, 7:39 pm
Location: Canada

Post by MorPob »

Da Dude wrote:
BlindWolf8 wrote:By the way, when are we going to see those other 3 very low risk bugs fixed? 1.1? That red slice looks very big compared to Opera's, hehe.

If I'm not mistaken these are fixed in the trunk.

Unfortunately they were not addressed in 1.0.4 :(

I took a look at Secunia and found that IE has a vulnerability rated as Highly Critical that is more than a year old.