'Extremely critical' Firefox vulnerabilities

Bill Brenner, News Writer

Malware authors could exploit two serious security holes in Firefox to run malicious code and conduct cross-site scripting attacks, security experts warned Monday. Exploit code is in the wild and there are no patches, but there are workarounds.

Danish security firm Secunia labeled the vulnerabilities "extremely critical" in an advisory posted over the weekend. Asked why the flaws received its highest risk rating, Secunia CTO Thomas Kristensen said by e-mail, "Primarily the fact that exploit code was published before a patch was released. The exploit [makes] it possible to compromise the user's system."

The two problems, according to the advisory, are that:

  • JavaScript URLs loaded in an IFRAME are not properly prevented from executing in the context of another URL in the history list. Attackers can exploit this "to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site," the advisory said.
  • Input passed to the "IconURL" parameter of "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges using a specially crafted JavaScript URL.

Combined, the two vulnerabilities could be exploited to run malicious code on the user's system, Secunia said. The company confirmed the flaws in Firefox 1.0.3 and said other versions could also be affected.

"Remote code execution in a browser, especially without the user's interaction is very dangerous, as any misspelling in a URL, any result from a search engine or any hacked server can infect people with all sorts of malware," Swa Frantzen, a handler for the Bethesda, Md.-based SANS Internet Storm Center, said by e-mail. "As to what can happen, all bets are basically off as remote code execution can install just about anything depending on the permissions the user running the browser has."

The Mozilla Foundation is working on a patch, Kristensen said. For now, there are two workarounds: disable JavaScript or disable the "Allow Web sites to install software" option.

Of the second option, Kristensen said, "[Mozilla has] made a temporary fix by changing the behavior of the default software installation sites… the exploit requires a working site to be listed in the 'Allow Web sites to install software' option."

He added: "This change effectively breaks the exploit. However, if a user has added another site to the 'Allow Web sites to install software' option and the attacker knows the URL then the exploit is still working."

The Internet Storm Center is recommending users take the second option.

"The first workaround… stops all JavaScript," Frantzen said. "This will give [users] a bad experience on many Web sites as most Web masters don't cater to visitors with disabled JavaScript. Disabling JavaScript is much more secure, but keeping it that way is nearly impossible except for very security-minded people. Compare it to taking care of an infected toe by amputating the leg."

The second is more selective and 99% of Web sites should continue to work as before, he said. It's not as broad a workaround as disabling JavaScript but it's a more manageable workaround until a patch arrives. Frantzen said: "Compare it to using pain killers for that same infection till a better solution can be implemented."
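Kristensen's caveat above is the part an administrator can actually check: the second workaround only holds if no site beyond Mozilla's defaults has been added to the install whitelist. The script below is an added example, not code from the article, from Secunia or from Mozilla. It audits a Firefox 1.0-era profile for both workarounds and for extra whitelisted install sites. It assumes, from memory of profiles of that era and not from anything on this page, that the "Allow Web sites to install software" checkbox is the boolean pref `xpinstall.enabled` in prefs.js, that "Enable JavaScript" is `javascript.enabled`, and that per-site install permissions live in the profile's hostperm.1 file as tab-separated lines of the form `host<TAB>install<TAB>1<TAB>hostname`. The sample prefs.js and hostperm.1 contents are constructed for the example.

```python
"""Audit a Firefox 1.0.x profile for the two workarounds discussed in the article.

Added example; not the article's or Mozilla's code. Assumptions (not on the page):
  - "Allow Web sites to install software" == boolean pref `xpinstall.enabled`
  - "Enable JavaScript"                   == boolean pref `javascript.enabled`
  - per-site install permissions live in hostperm.1 as
    `host\tinstall\t1\t<hostname>` lines
Both prefs default to true when absent from prefs.js.
"""
import re

# user_pref("name", value);  -- value is true/false, an int, or a "string"
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Sites Mozilla's temporary fix made unusable for the exploit, per Kristensen;
# any other whitelisted host keeps the exploit working.
MOZILLA_DEFAULT_SITES = ("update.mozilla.org", "addons.mozilla.org")


def parse_prefs(text):
    """Return {pref_name: value} from prefs.js content."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def install_whitelist(hostperm_text):
    """Hosts granted the 'install' permission (value 1) in hostperm.1."""
    hosts = []
    for line in hostperm_text.splitlines():
        parts = line.split("\t")
        if len(parts) == 4 and parts[:3] == ["host", "install", "1"]:
            hosts.append(parts[3])
    return hosts


def assess(prefs, whitelist):
    """Map the profile state onto the article's two workarounds.

    'workaround_in_place' is true if JavaScript or software installation is
    disabled.  'extra_whitelist' lists hosts beyond Mozilla's defaults; per
    Kristensen those keep the exploit working, so 'still_at_risk' is true when
    neither workaround is active and such a host exists.
    """
    js_enabled = prefs.get("javascript.enabled", True)
    xpi_enabled = prefs.get("xpinstall.enabled", True)
    extra = [h for h in whitelist if h not in MOZILLA_DEFAULT_SITES]
    in_place = (not js_enabled) or (not xpi_enabled)
    return {
        "javascript_enabled": js_enabled,
        "xpinstall_enabled": xpi_enabled,
        "extra_whitelist": extra,
        "workaround_in_place": in_place,
        "still_at_risk": (not in_place) and bool(extra),
    }


def audit_profile(prefs_text, hostperm_text):
    """Convenience wrapper: raw file contents in, assessment dict out."""
    return assess(parse_prefs(prefs_text), install_whitelist(hostperm_text))


# Constructed sample profile files (not captured from a real machine).
SAMPLE_PREFS = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.mozilla.org/");
user_pref("javascript.enabled", true);
user_pref("xpinstall.enabled", true);
"""
SAMPLE_HOSTPERM = (
    "host\tinstall\t1\tupdate.mozilla.org\n"
    "host\tinstall\t1\taddons.mozilla.org\n"
    "host\tinstall\t1\textensions.example.net\n"   # user-added site
    "host\tcookie\t2\tads.example.com\n"            # unrelated permission
)

if __name__ == "__main__":
    for key, value in audit_profile(SAMPLE_PREFS, SAMPLE_HOSTPERM).items():
        print(f"{key}: {value}")
```

On the sample profile the script reports one extra whitelisted host and `still_at_risk: True`; setting `xpinstall.enabled` to false (the article's second workaround) flips it to False without touching JavaScript. The script can only read local state: whether Mozilla's server-side change to its default install sites is in effect cannot be verified from the profile, so the default hosts are treated as mitigated solely on Kristensen's statement.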

This article originally appeared on SearchSecurity.com.