Mozilla Firefox Increasingly Vulnerable

Secunia Finds New Firefox Security Exploits (GeekCoffee)

Firefox seems to be running into more and more security vulnerabilities as the Mozilla Foundation’s browser becomes a serious contender to Microsoft’s Internet Explorer. Security research company Secunia found two new vulnerabilities that can be exploited to conduct cross-site scripting attacks to compromise a user’s system.

The Mozilla Foundation stated that it is aggressively working to provide a better solution to security vulnerabilities as well as a more convenient way to publish updates to users. A temporary fix to the current vulnerabilities is to disable JavaScript.

According to Secunia, the problem is that “IFRAME” JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an arbitrary site. Input passed to the “IconURL” parameter in “InstallTrigger.install” is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

Firefox ‘supports’ security holes (IT-Observer)

Two extremely critical security vulnerabilities in FireFox, the ultimate alternative to Internet Explorer, were discovered by security researchers. The security breaches affect all versions, including the latest release, and allow an attacker to take control of the system.

[…]

The flaws were confidentially reported to Mozilla Foundation a week ago, but details had been leaked and the vulnerabilities were reported by several security research firms. The Danish security firm Secunia, reported that an exploit is already traveling around the Net.

Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, users may be vulnerable if they have altered the whitelist. “We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk,” said Mozilla Foundation.

Though security holes were previously discovered in FireFox, this is the first time that a security firm gives the “extremely critical” rating to a FireFox flaw. FireFox definitely can be proud in 50 millions downloads, but who really takes care about the popularity when it comes to security breaches that risk our computers…?

This doesn’t surprise me. While Firefox quickly became my preferred browser after some initial skepticism, it has always seemed obvious to me that the main reason Microsoft’s Internet Explorer was so vulnerable was that its ubiquity made it the natural target of hackers.

Related:

FILED UNDER: General
James Joyner
About James Joyner
James Joyner is Professor and Department Head of Security Studies at Marine Corps University's Command and Staff College and a nonresident senior fellow at the Scowcroft Center for Strategy and Security at the Atlantic Council. He's a former Army officer and Desert Storm vet. Views expressed here are his own. Follow James on Twitter @DrJJoyner.

Comments

  1. McGehee says:

    …it has always seemed obvious to me that the main reason Microsoft’s Internet Explorer was so vulnerable was that its ubiquity made it the natural target of hackers.

    But … but … that would mean the reason Mac users don’t have to worry about these types of things is because there are so dang few of them, not because it’s a better OS.

    And that would be blasphemy!

  2. McGehee says:

    Heh. In the comments on your “Firefox 1.0 Sucks” post, I wrote:

    I’ve actually found 1.0PR more stable than previous versions.

    In retrospect, a whole host of troubles that led last month to me ripping Firefox out by the roots and reinstalling it clean, seem to stem from when I upgraded to 1.0PR.

    When 2.0PR comes out, I’ll wait for the final release.

  3. bryan says:

    that would mean the reason Mac users don’t have to worry about these types of things is because there are so dang few of them, not because it’s a better OS.

    I don’t mind such blasphemy. It means we get to use a better OS AND we don’t have to worry about these dang things. 😉

  4. ozzippit says:

    Firefox has its quirks, just like all the other browsers. Many blogs I read do not render properly in Firefox. Its updates require uninstalling old versions, rebooting and installing the new version from a different folder. I have yet to get some of its extensions to install (I realize those are 3rd party and it’s not necessarily Mozilla’s fault.). In short, it’s a pain in the butt to work with, so I quit trying and use Maxthon. Netscape has a new version in beta, so I’ll try it when it’s finished.

  5. McGehee says:

    Actually, Oz, the uninstall/reinstall-in-a-different-folder thing seems to have gone out the window with the final release of 1.0. What version did you use last? Some things have changed besides the upgrade regime.

    When Firefox started melting down on me last month I used Maxthon for a while, but it just didn’t do it for me.

    Oh, and Bryan? ;-P

  6. Around the Blogosphere
    No to Judges outside the Liberal Plantation Powerline, Captain’s Quarters Ann Coulter and the Intolerance of Academe Powerline, Volokh Conspiracy…

  7. Firefox 1.0.4 release candidates out
    If you run Mozilla Firefox, you probably want to upgrade to a 1.0.4 candidate build to fix the arbitrary code execution vulnerability discussed at OTB and elsewhere.