-
New Security Vulnerabilities
- MFSA 2005-42: Code execution via javascript: IconURL
- Mozilla "IFRAME" JavaScript URL Cross-Site Scripting
- Mozilla Firefox Two Vulnerabilities
- Mozilla Arbitrary Code Execution Security Flaw
Date: 05/09/05 (Mozilla) Keywords: software, java, security
As I posted in !['[info]']('http://stat.livejournal.com/img/community.gif')
firefoxusers, new security vulnerabilities have been discovered in Mozilla-based products. The first is a cross-site scripting vulnerability which allows sites to execute code in the context of another site. The second, which only affects Firefox, allows arbitrary code execution through the software installation mechanism. Normally this would only be exploitable from sites that are allowed to install extensions (i.e. sites on your whitelist, which by default is only Mozilla Update), but when the two vulnerabilities are used together any site could trigger the execution of arbitrary code.
Patches (updated versions) are not yet available (but are expected soon), as these flaws were prematurely disclosed to the public. For now, the best temporary solution is to disable both JavaScript and Software Installation. See my original post in firefoxusers for more details. Also see these advisories:
Source: http://www.livejournal.com/community/mozilla/281543.html
| « Firefox Media Spots... | || | arrgh » |