Serious Firefox, Mozilla vulnerabilities surface
May 09, 2005
Recently discovered "zero-day" exploit code that takes advantage of two vulnerabilities could mean serious trouble for Mozilla Firefox 1.0.3 users, and, to a lesser extent, Mozilla Suite users. Yesterday, Mozilla.org issued an advisory explaining the vulnerabilities and what measures to take to work around them.
In Mozilla Foundation Security Advisory 2005-42, Mozilla.org explains that the exploit could make use of javascript: URL code to navigate back to a previously visited page -- an online store order form with credit card information, an online banking account management page, etc. -- to steal cookies, data, or even to "perform actions on behalf of the user." This exploit affects both Mozilla Firefox 1.0.3 and Mozilla Suite.
Additionally, another javascript: URL exploit takes advantage of Mozilla Firefox 1.0.3's install dialogue, tricking Firefox into believing a malicious site is a whitelisted site, and giving an attacker the ability to install software.
According to Whitedust Security Portal, the exploit code can be adapted to threaten Mac OS and Linux OS users.
In its advisory, Mozilla.org recommends the following actions until an update is released:
- Mozilla Firefox 1.0.3 and Mozilla Suite users should disable JavaScript.
- Mozilla Firefox 1.0.3 users should remove all "Allowed sites" under the "Allow web sites to install software" option.
To learn more, please read Ryan Naraine's article on DesktopLinux.com's sister site, eWEEK.com:
Zero-Day Firefox Exploit Sends Mozilla Scrambling