trubador
05-09-2005, 01:52 PM
Extremely critical Firefox flaws
Proving that its not just IE that holds the monopoly in serious security problems, two new vulnerabilities in Mozilla's Firefox Web browser have been rated "extremely critical." Seemingly, the vulnerabilities have the potential to allow an attacker to take control of a PC simply by getting a user to visit a malicious Web site.
Because proof-of-concept code has been leaked -- as were the vulnerabilities -- before a patch was ready, Mozilla recommended that Firefox users either disable JavaScript or lock down the browser so it doesn't install additional software, such as extensions or themes, from Web sites.
The vulnerabilities were discovered by a pair of security researchers, who had notified Mozilla earlier in the month, but were keeping mum until a patch was written. However, details of the vulnerabilities were leaked by someone close to one of the researchers.
It appears that it is possible to trick the browser into thinking a download is coming from one of the by-default sites permitted to install software automatically: addons.mozilla.org or update.mozilla.org. Changes have been made to the Mozilla update site to try to minimise any potential for damage, however the problem will not be fixed properly until we are given Firefox 1.0.4.
link (http://www.techspot.com/story17559.html)
Proving that its not just IE that holds the monopoly in serious security problems, two new vulnerabilities in Mozilla's Firefox Web browser have been rated "extremely critical." Seemingly, the vulnerabilities have the potential to allow an attacker to take control of a PC simply by getting a user to visit a malicious Web site.
Because proof-of-concept code has been leaked -- as were the vulnerabilities -- before a patch was ready, Mozilla recommended that Firefox users either disable JavaScript or lock down the browser so it doesn't install additional software, such as extensions or themes, from Web sites.
The vulnerabilities were discovered by a pair of security researchers, who had notified Mozilla earlier in the month, but were keeping mum until a patch was written. However, details of the vulnerabilities were leaked by someone close to one of the researchers.
It appears that it is possible to trick the browser into thinking a download is coming from one of the by-default sites permitted to install software automatically: addons.mozilla.org or update.mozilla.org. Changes have been made to the Mozilla update site to try to minimise any potential for damage, however the problem will not be fixed properly until we are given Firefox 1.0.4.
link (http://www.techspot.com/story17559.html)