Welcome to TheTechBlog.com - Here you'll find the latest Tech News, new gadgets and commentary! This site is moderated by Sam and Chase - Hosts of Tech Check on Fox6, and longtime high tech/computer radio broadcasters.
| Sunday, May 08, 2005 |
| The Tech Blog - Firefox security hole |
Latest Update: Vulnerability fixed. Firefox 1.0.4 now available.
The following entry concerns the previous version of Firefox, 1.0.3:
Big Security Hole in Firefox-click here for the article
It turns out the more secure browser has a pretty significant security hole in it that will allow a website to install and run malicious code on your system when you visit.
Chase
Update:
Tollie here. I'm going to add my thoughts on this security vulnerability - actual a security vulnerability combo.
This is the worst Firefox flaw we've seen yet. Thankfully, Mozilla acted very quick and has already provided a quick patch for the average user, that requires no user action at all, which addresses the more serious of the two. And as a temporary patch for both, disabling javascript is a complete workaround.
Here are the details:
This security vulnerability is actually two - the first is one that allows frames to be used to make javascript look like it is running from any website. This can allow for malicious websites - when visited - to steal username and password info of websites you've recent been to and can still access using the 'back' button.
It also makes the second part of this vulnerability combo more serious. The second part allows malicious websites - when visited - to run code without authorization if Firefox is set to allow websites to install add-on software.
Normally, Firefox uses a "whitelist" of sites that you approve. When you first install Firefox, this list is limited to two default sites under the control of Mozilla. If a site not on the list attempts to install an add-on, Mozilla blocks it entirely. If a site is on the list, Firefox still asks if you want to install the add-on, but it displays a window with an icon and a short description. The vulnerability here is in that window - a malicious add-on can execute code, even if the user decides to cancel the installation.
The vulnerability-combo was one that used the first exploit to fake code as if it were coming from one of the two default sites on the whitelist, so the window would display even if the site wasn't added to the allowed list, and from there the second vulnerability allowed code to be run without user approval. On a technical note: unlike most Internet Explorer vulnerabilities, however, the malicious Mozilla code only runs with the authorization (power) of Mozilla - not the authorization (power) of the complete Windows System.
Further, Mozilla has already taken action that renders this second vulnerability mostly toothless, and there's nothing you need to do. Mozilla simply moved their default add-on sites to a different address, which effectively turns off the 'allow website to install software' option for the majority of Firefox users who haven't added any other sites to the allowed (white) list.
Finally, no known malicious code exists presently. Only demo. code to prove the existance of the vulnerability is available. And, Mozilla is already at work on patches to take care of the two vulnerabilities. They'll be available as Firefox 1.0.4.
And to repeat: Disabling Javascript is a complete workaround for both vulnerabilities. Simply go to Tools - Options - Web Features - and uncheck [ ] Enable Javascript.
PS. I made a quick change to ChaseAndSam.com and fixed a few things so it is now non-javascript friendly. Frankly, I should have done that already.
- tollie |
posted by Chase Thompson @ 7:47 PM   |
|
|
|
|
|
|
The Tech Blog
