Another day, another Firefox security fix
Nov. 27, 2007
Once upon a time, Firefox was known for being far less prone to security bugs than Internet Explorer. Things have changed. On Nov. 27, Mozilla released the newest, security-patched version of the popular Web browser, Firefox 2.0.0.10.
The vast majority of Firefox users will have the latest and greatest automatically installed on their systems. This latest update includes fixes for three security bugs.
Perhaps the most important of these fixes is one that prevents an XSS (Cross-Site Scripting) attack. This particular XSS fix closes the "jar: URI" hazard. The jar: URI scheme was designed to support digitally signed Web pages: it let Web administrators set up sites that could load pages packaged in .zip archives carrying signatures in Java archive format.
The problem was that Firefox couldn't identify the true source of the jar: content. Here's how it might work in practice. Many Web 2.0 applications allow the upload of jar/.zip files; Web mail clients, collaboration systems and document-sharing systems all accept such uploads. Popular document formats such as OpenWriter's .odt (OpenDocument Text) and Microsoft Office 2007 Open XML use the .zip format to save space.
You're probably beginning to see where this goes. All an attacker need do is create a document in one of those formats, change its extension to .zip and, ta-da, instant Trojan horse. The attacker can then change the extension of the .zip file back to an innocent-looking .odt or .doc. When the file is next opened, it can present an unsuspecting user with a malicious page, client- or server-side, that will evade most security filters.
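The upload path described above is where a site operator can intervene: a file that is really a ZIP container should be recognised by its signature, not its extension, and an archive that carries renderable HTML or script under a document extension is exactly the artifact the jar: hazard needs. The following is an added example, not code from the article or from Mozilla; it inspects an upload with Python's standard `zipfile` module, checks that a claimed `.odt` or `.docx` has the member a genuine document of that type carries, and flags archive members that a browser could render. The member lists and the set of "active content" extensions are this example's own assumptions, and the sample archives are constructed in the block.

```python
import io
import os
import zipfile

ZIP_MAGIC = b"PK\x03\x04"

# Member extensions a browser could render as a page if the archive were
# addressed through a jar: URI (assumption: reviewer's own list, not a
# Mozilla-published one).
ACTIVE_CONTENT = {".html", ".htm", ".xhtml", ".js", ".svg"}

# What a genuine document of each claimed type must contain (assumption:
# a layout check against the well-known container format, not a validator).
EXPECTED_MEMBER = {
    ".odt": "mimetype",
    ".docx": "[Content_Types].xml",
}


def is_zip_container(data: bytes) -> bool:
    """True when the bytes start with the ZIP local-file-header signature,
    whatever the file name claims."""
    return data[:4] == ZIP_MAGIC


def inspect_upload(filename: str, data: bytes) -> dict:
    """Report whether an upload is really a ZIP container, whether its
    members match the claimed document type, and which members could be
    rendered as active web content."""
    ext = os.path.splitext(filename)[1].lower()
    report = {
        "filename": filename,
        "claimed_ext": ext,
        "is_zip": is_zip_container(data),
        "matches_claimed_type": None,   # None when the extension is not one we model
        "suspicious_members": [],
    }
    if not report["is_zip"]:
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        report["is_zip"] = False
        return report
    expected = EXPECTED_MEMBER.get(ext)
    if expected is not None:
        report["matches_claimed_type"] = expected in names
    report["suspicious_members"] = [
        n for n in names if os.path.splitext(n)[1].lower() in ACTIVE_CONTENT
    ]
    return report


def should_quarantine(report: dict) -> bool:
    """Hold the file for review if it is an archive carrying renderable
    content, or if it does not look like the document type it claims."""
    if not report["is_zip"]:
        return False
    if report["suspicious_members"]:
        return True
    return report["matches_claimed_type"] is False


# Constructed samples for the example, not real uploads.
def build_disguised_archive() -> bytes:
    """A ZIP whose only member is an HTML page, to be saved under .odt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.html", "<html><body>constructed sample</body></html>")
    return buf.getvalue()


def build_plain_odt() -> bytes:
    """A minimal archive with the members a real .odt carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", "<office:document-content/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [("notes.odt", build_disguised_archive()),
                       ("notes.odt", build_plain_odt()),
                       ("notes.pdf", b"%PDF-1.4 not an archive")]:
        r = inspect_upload(name, data)
        verdict = "quarantine" if should_quarantine(r) else "accept"
        print(name, verdict, r["suspicious_members"])
```

The check is deliberately independent of the browser fix: even after Firefox 2.0.0.10, a site that lets users store arbitrary archives under document names is trusting every client that visits it to have patched.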
In short, it's a nasty flaw. It's also been around for nine months. Fortunately, while proof-of-concept programs exist, the flaw does not appear to have been exploited on the Web.
Firefox 2.0.0.10 also contains stability fixes for three bugs. When Firefox crashed because of any of these bugs, the crashes sometimes left corrupted memory behind. If a cracker could find a way to predictably make Firefox crash due to one of these flaws, he could conceivably exploit the corrupt memory to run his own attack code on your system.
Last, but not least, CSRF (Cross-Site Request Forgery) flaws are potentially every bit as dangerous. Many major sites are exploitable by CSRF attacks. In real life, a CSRF attack could be used to send fake instructions to a Web site you trust. So, for example, when you click on a site to pay a bill, the attack might use this opportunity to tell your banking site that you want to pay your attacker instead.
That would be a silly attack, since it would be easy to trace, but the potential for serious abuse is clearly there. With this new fix, however, Firefox will no longer be vulnerable to CSRF shenanigans.
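A browser fix limits one avenue for forged requests, but the site that receives the "pay a bill" instruction is the party that can refuse it. The following is an added example, not code from the article or from any browser or bank; it shows the two server-side checks a state-changing request should pass: a per-session anti-CSRF token compared in constant time, and an Origin/Referer header that names the site itself. The site origin, session store and request shapes are this example's assumptions, and the two requests at the bottom are constructed.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumption: an in-memory session store standing in for the real one.
SESSION_TOKENS = {}


def issue_csrf_token(session_id: str) -> str:
    """Mint a fresh random token for this session and remember it; the
    site embeds it in every form that changes state."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def request_origin(headers: dict):
    """Scheme and host the browser says the request came from, taken from
    Origin and falling back to Referer; None when neither is present."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parsed = urlparse(value)
    if not parsed.scheme or not parsed.netloc:
        return None
    return f"{parsed.scheme}://{parsed.netloc}"


def validate_state_change(session_id: str, headers: dict, form: dict,
                          site_origin: str = "https://bank.example"):
    """Return (accepted, reason) for a request that would move money or
    otherwise change state. Both checks must pass."""
    # Assumption: the site requires an Origin or Referer on such requests,
    # so a request that strips both is treated as cross-site.
    if request_origin(headers) != site_origin:
        return False, "cross-site or missing origin"
    expected = SESSION_TOKENS.get(session_id)
    submitted = form.get("csrf_token", "")
    # compare_digest keeps the comparison time independent of where the
    # strings first differ.
    if expected is None or not hmac.compare_digest(expected, submitted):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


# Constructed requests for the example.
def legitimate_request(session_id: str) -> tuple:
    token = SESSION_TOKENS.get(session_id) or issue_csrf_token(session_id)
    headers = {"Origin": "https://bank.example", "Cookie": f"sid={session_id}"}
    form = {"payee": "electric-utility", "amount": "120.00", "csrf_token": token}
    return headers, form


def forged_request(session_id: str) -> tuple:
    # The victim's browser attaches the session cookie automatically, but a
    # form posted from another site carries that site's Origin and cannot
    # read the token out of the victim's page.
    headers = {"Origin": "https://attacker.example", "Cookie": f"sid={session_id}"}
    form = {"payee": "attacker-account", "amount": "120.00"}
    return headers, form


if __name__ == "__main__":
    sid = "session-123"
    issue_csrf_token(sid)
    for label, (h, f) in [("legitimate", legitimate_request(sid)),
                          ("forged", forged_request(sid))]:
        print(label, validate_state_change(sid, h, f))
```

The token check alone is sufficient against the classic attack; the origin check is a cheap second layer that also catches a forged request that somehow carried a stale or leaked token.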
-- Steven J. Vaughan-Nichols