'Extremely Critical' Bugs Found In Firefox

stealth_thunder · May 10, 2005

By Gregg Keizer
TechWeb News

A pair of unpatched vulnerabilities in Mozilla's Firefox Web browser -- rated as "extremely critical" by one security firm -- could allow an attacker to take control of a PC simply by getting a user to visit a malicious Web site, Mozilla said Sunday.
Because proof-of-concept code has been leaked -- as were the vulnerabilities -- before a patch was ready, Mozilla recommended that Firefox users either disable JavaScript or lock down the browser so it doesn't install additional software, such as extensions" or themes, from Web sites.

The vulnerabilities were discovered by a pair of security researchers, who had notified Mozilla earlier in the month, but were keeping mum until a patch was written. However, details of the vulnerabilities were leaked by someone close to one of the researchers.

According to Danish security vendor Secunia, which tagged the bugs with a highest "extremely critical" warning -- the first time it's used that to describe a Firefox flaw -- a hacker can trick the browser into thinking a download is coming from one of the by-default sites permitted to install software automatically: addons.mozilla.org or update.mozilla.org.

"Changes to the Mozilla Update web service have been made to mitigate the risk of an exploit," the Foundation announced on its security site Sunday. Specifically, Mozilla re-pointed the two update sites to a new URL, and instructed users not to add that new site to their list of Allowed Sites. The change, however, only defends against the current proof-of-concept that's circulating, not the vulnerabilities themselves.

While that reduced the risk of an immediate attack, Mozilla doesn't have control over the numerous sites that users might have added to their Allow, or whitelist, list. Popular plug-ins, called "extensions" by Firefox, could also be the root of attacks, since users must give an extension site installation permission. To close all possible doors, Mozilla recommended that users either disable JavaScript or turn off installation from Web sites. To disable Web site software installs, users can select Tools/Options/Preferences in Firefox 1.0.3, the current edition. Users can still install extensions or user interface themes manually by first downloading the file, then running them from Firefox's File menu.

A security update -- which will be dubbed Firefox 1.0.4 -- will be issued as soon as possible. "Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update," the organization's security alert continued.

While the leaked information included proof-of-concept code that demonstrated how a malicious site could run code of the attacker's choice and install it on machines using Firefox, Mozilla discounted the risk. "There are currently no known active exploits of these vulnerabilities," it said Sunday. The release of Firefox 1.0.4 would be the fourth security update to the browser since the beginning of the year. Others appeared in late February, late March, and mid-April. In that time, Microsoft has released two patches for its Internet Explorer browser.

Website :

Code:

http://informationweek.com/story/showArticle.jhtml?articleID=163100338

Does this tell us that Mozilla Firefox is not a safe browser ???

My personal views, its kinda good to have a browser like firefox but too many aspects like javascripts features not yet fully protected and microsoft continue to promote their Internet explorer and continueously trying to make Mozilla Development team to go bonkers on repairing what microsoft have found.

What will happen if firefox do not fixed the bug???
Will microsoft continue to push Mozilla team to reach their limits and then make them stop developing firefox ???

Richard · May 10, 2005

What will happen if firefox do not fixed the bug???
Will microsoft continue to push Mozilla team to reach their limits and then make them stop developing firefox ???

That will never happen. Think Microsoft are using that to take the spot light of them a bit. In fact if Microsoft don't do something radical in the next 5 - 10 years it will become a shadow of its former self.

Going back to Firefox, no one said it was perfect. However its still safer and more standards Compliant then IE

stealth_thunder · May 11, 2005

Microsoft been posting all the bugs on firefox, why isn't firefox people get back on them too.....

Mostly see that Mozilla only improve and fixed up firefox not a single news found that firefox would go against Microsoft....

May be Bill Gates too powerful.... that's my view

Richard · May 11, 2005

stealth_thunder said:
Microsoft been posting all the bugs on firefox, why isn't firefox people get back on them too.....

Mostly see that Mozilla only improve and fixed up firefox not a single news found that firefox would go against Microsoft....

May be Bill Gates too powerful.... that's my view

The Mozilla group would never step down such levels. Microsoft has never really had much competition against the likes of Netscape but now there is a whole new wave that Microsoft is fighting.. Firefox is just the begining.

Microsoft will have to adapt in time and they have already begun testing the waters since they have 3 projects on SourceForge. Time will tell what the future holds.

stealth_thunder · May 11, 2005

Re: 'Extremely Critical' Bugs Found In Firefox Follow up

Latest Report I found out

Firefox undercut by security flaws

The Web browser seen by some PC users as the underdog that would upset Microsoft's Internet Explorer may have run into a snag.

Two snags, actually.

Mozilla Foundation's Firefox has reported two security flaws. Together, they could be used by hackers to gain access to the computers of Firefox users.

Once inside, hackers would have the full privileges of the user - meaning they could install programs and delete files.

Mozilla is scrambling to patch the holes. ``We have a fix in hand,'' said Chris Hofmann, Mozilla's engineering director.

The fix is being tested, Hofmann said. In the meantime, Mozilla is urging Firefox users to either disable the browser's ``JavaScript'' or ``Whitelist'' features.

None of Firefox's 52 million users have reported problems from the security flaws. The vulnerabilities might have gone unnoticed by the public, according to Jeffrey Schiller, the Massachusetts Institute of Technology's network manager and security architect.

Typically, research groups hack into systems to uncover security flaws and notify the provider of problems. The company is then given time to make repairs.

But in Mozilla's case, the lid was blown when e-mails between two researchers were misdirected. ``They effectively published the recipe on how to take advantage of (Firefox's flaws),'' Hofmann said.

The leak caused a flurry of activity as Mozilla updated its system and warned users. The incident may be a black eye for the fledgling browser, which prides itself on being more secure than Internet Explorer.

``There are going to be security vulnerabilities that surface,'' Hofmann admitted. ``But we believe Firefox is built on a strong architecture.''

website taken :

Code:

http://business.bostonherald.com/technologyNews/view.bg?articleid=82592

My personal views, no one knows the bug exist at all then why Microsoft just whispered to their competitors and tell them you have two critical bug rather than exposing over the Tech News saying about Microsoft themselves found 'Extremely Critical Bugs. What a low level way of treating ur opponent which has no idea what microsoft is trying to express to them.... " Get lost... leave this internet world, stop your nonsense on creating your personal browser. U would never be able to survive unless I die "

Are the trying to express that only microsoft themselves knows

Richard · May 11, 2005

Think about it.

This type of malicious code needs a website to hold it right? So malicious code on a website would make that website malicious. Which leaves the question “What are you doing at that site in the first place?”

This whole thing is blown out of proportion. I think.

izmaelis · May 11, 2005

Ok. There were several bugs found in FireFox few days ago so why I can't find any patches or updates to correct them. I use FireFox every day but I can't see any green/red button in the upper right corner.

Richard · May 11, 2005

Thats because Firefox 1.0.4 has not been released yet.

None of Firefox's 52 million users have reported problems from the security flaws.

I don't think there is too much to worry about :happy:

n4tec · May 11, 2005

I use Firefox!!! I am having no problem with it except I can see any red button in the upper right corner!!! What should i do?

*4*

Richard · May 11, 2005

Double click on it. Its will search for updates for you.

stealth_thunder · May 11, 2005

well they have said firefox is now doing intensive checking and fixing up, the only thing we can do now is to wait for their latest build.

I already hear about a nighty build version 1.4 releasing out there for expert not within mozilla development to test run them.So I would be happy if this could be done faster coz you know microsoft would do another world news on tech talks and bad things about mozilla to stress them again when they should have read the report I put up earlier that 52 million firefox user has no problem or never discover anything serious about the javascripts / activex control applications.

So we wait will keep updated with the progress at the news tech

Foggy · May 11, 2005

It has not yet been posted on the firefox site, but here is version 1.0.4 directly from the mozilla FTP, so no need to worry.

http://ftp.mozilla.org/pub/mozilla....1.0.1/firefox-1.0.4.en-US.win32.installer.exe

Enjoy,
Foggysmoke

izmaelis · May 12, 2005

Here goes new updated and pached version of Mozilla FireFox browser (1.0.4). Just few days of waiting isn't so bad. :blushing:

n4tec · May 12, 2005

Richard said:
Double click on it. Its will search for updates for you.

It search and found that i needed the lastest version of firefox... I updated a few hours ago... let me wait and see what happens...

thanx for that quick responce..

*4*

Richard · May 15, 2005

In light of recent events with Firefox it seems Microsoft is having its own problems.

Slashdot said:
An anonymous reader writes "Several flaws have been uncovered by security firm eEye in Microsoft's Internet Explorer. The flaws allow remote compromise of computers running Windows Operating Systems and affect IE, Outlook and possibly other MS software. With the next MS Windows security bulletin release scheduled for June 14, 2005 news sources are reporting that in comparison with the Mozilla Foundation's prompt fix for the recently reported Mozilla 1.0.3 vulnerabilities MS appear to be leaving a large window for the possible malicious exploitation of these flaws."

'Extremely Critical' Bugs Found In Firefox

stealth_thunder

New Member

Richard

Active Member

stealth_thunder

New Member

Richard

Active Member

stealth_thunder

New Member

Richard

Active Member

izmaelis

Member

Richard

Active Member

n4tec

Active Member

Richard

Active Member

stealth_thunder

New Member

Foggy

New Member

izmaelis

Member

n4tec

Active Member

Richard

Active Member

Free Web Hosting

Our Community

Legal