 Outside the Beltway 

Mozilla Firefox Increasingly Vulnerable

Secunia Finds New Firefox Security Exploits (GeekCoffee)

Firefox seems to be running into more and more security vulnerabilities as the Mozilla Foundation’s browser becomes a serious contender to Microsoft’s Internet Explorer. Security research company Secunia found two new vulnerabilities that can be exploited to conduct cross-site scripting attacks to compromise a user’s system.

The Mozilla Foundation stated that it is aggressively working to provide a better solution to security vulnerabilities as well as a more convenient way to publish updates to users. A temporary fix to the current vulnerabilities is to disable JavaScript.

According to Secunia, the problem is that “IFRAME” JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an arbitrary site. Input passed to the “IconURL” parameter in “InstallTrigger.install” is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

Firefox ‘supports’ security holes (IT-Observer)

Two extremely critical security vulnerabilities in Firefox, the ultimate alternative to Internet Explorer, were discovered by security researchers. The security breaches affect all versions, including the latest release, and allow an attacker to take control of the system.

[...]

The flaws were confidentially reported to Mozilla Foundation a week ago, but details had been leaked and the vulnerabilities were reported by several security research firms. The Danish security firm Secunia reported that an exploit is already traveling around the Net.

Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, users may be vulnerable if they have altered the whitelist. “We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk,” said Mozilla Foundation.

Though security holes were previously discovered in Firefox, this is the first time that a security firm has given the “extremely critical” rating to a Firefox flaw. Firefox can definitely be proud of 50 million downloads, but who really cares about popularity when it comes to security breaches that risk our computers…?

This doesn’t surprise me. While Firefox quickly became my preferred browser after some initial skepticism, it has always seemed obvious to me that the main reason Microsoft’s Internet Explorer was so vulnerable was that its ubiquity made it the natural target of hackers.
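The Secunia description quoted above says the “IconURL” input was used without verification, so a JavaScript URL could reach a privileged context. As an added illustration (not Mozilla's code or its actual fix), the sketch below contrasts a literal prefix test with parsing the URL and allow-listing its scheme; `validateIconUrl`, `naiveIsSafe`, `ALLOWED_SCHEMES` and the sample inputs are hypothetical and constructed for this example.

```javascript
// Added example: scheme allow-list for a caller-supplied icon URL.
// Hypothetical names throughout; this is not Firefox source code.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// The kind of check that fails: a literal, case-sensitive prefix test.
function naiveIsSafe(raw) {
  return !raw.startsWith("javascript:");
}

// Parse first, then allow-list the scheme the URL parser actually resolved.
// The WHATWG parser trims leading whitespace, drops tabs/newlines and
// lowercases the scheme, so disguised spellings collapse to one value.
function validateIconUrl(raw, baseUrl) {
  let parsed;
  try {
    parsed = new URL(raw, baseUrl); // relative paths resolve against baseUrl
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme " + parsed.protocol + " not allowed" };
  }
  return { ok: true, url: parsed.href };
}

// Constructed sample inputs (benign bodies; only the scheme matters here).
const SAMPLES = [
  "https://addons.example/icon.png",
  "icons/ext.png",
  "javascript:void(0)",
  "  JaVaScRiPt:void(0)",
  "java\tscript:void(0)",
  "data:text/html,x",
];

// Run both checks over every sample so the disagreement is visible.
function report(baseUrl) {
  return SAMPLES.map((input) => ({
    input,
    naive: naiveIsSafe(input),
    strict: validateIconUrl(input, baseUrl).ok,
  }));
}

console.table(report("https://addons.example/ext/"));
```

The rows where `naive` is true and `strict` is false are the inputs a string comparison lets through but the parsed-scheme check rejects.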

About the Author: James Joyner is the publisher of Outside the Beltway and the managing editor of the Atlantic Council. He's a former Army officer, Desert Storm vet, and college professor with a PhD in political science from The University of Alabama. He lives just outside the Beltway in Alexandria, Virginia with his wife and infant daughter.

Comments
 

...it has always seemed obvious to me that the main reason Microsoft's Internet Explorer was so vulnerable was that its ubiquity made it the natural target of hackers.

But ... but ... that would mean the reason Mac users don't have to worry about these types of things is because there are so dang few of them, not because it's a better OS.

And that would be blasphemy!

Posted by McGehee | May 9, 2005 | 05:08 pm | Permalink
 

Heh. In the comments on your "Firefox 1.0 Sucks" post, I wrote:

I’ve actually found 1.0PR more stable than previous versions.

In retrospect, a whole host of troubles that led last month to me ripping Firefox out by the roots and reinstalling it clean, seem to stem from when I upgraded to 1.0PR.

When 2.0PR comes out, I'll wait for the final release.

Posted by McGehee | May 9, 2005 | 05:11 pm | Permalink
 

that would mean the reason Mac users don’t have to worry about these types of things is because there are so dang few of them, not because it’s a better OS.

I don't mind such blasphemy. It means we get to use a better OS AND we don't have to worry about these dang things. ;-)

Posted by bryan | May 9, 2005 | 09:22 pm | Permalink
 

Firefox has its quirks, just like all the other browsers. Many blogs I read do not render properly in Firefox. Its updates require uninstalling old versions, rebooting and installing the new version from a different folder. I have yet to get some of its extensions to install (I realize those are 3rd party and it's not necessarily Mozilla's fault.). In short, it's a pain in the butt to work with, so I quit trying and use Maxthon. Netscape has a new version in beta, so I'll try it when it's finished.

Posted by ozzippit | May 9, 2005 | 10:53 pm | Permalink
 

Actually, Oz, the uninstall/reinstall-in-a-different-folder thing seems to have gone out the window with the final release of 1.0. What version did you use last? Some things have changed besides the upgrade regime.

When Firefox started melting down on me last month I used Maxthon for a while, but it just didn't do it for me.

Oh, and Bryan? ;-P

Posted by McGehee | May 10, 2005 | 11:10 am | Permalink
 

All original content copyright 2003-2009 by OTB Media. All rights reserved.