
'Extremely critical' Firefox vulnerabilities

Malcode writers could exploit two serious security holes in Firefox to launch sinister code and conduct cross-site scripting attacks. No patch is available, but there are workarounds.

Malcode writers could exploit two serious security holes in Firefox to launch sinister code and conduct cross-site scripting attacks, security experts warned Monday. Exploit code is in the wild and there are no patches. But there are workarounds.

Danish security firm Secunia labeled the vulnerabilities "extremely critical" in an advisory posted over the weekend. Asked why the flaws received its highest risk rating, Secunia CTO Thomas Kristensen said by e-mail, "Primarily the fact that exploit code was published before a patch was released. The exploit [makes] it possible to compromise the user's system."

The problems are that:

  • IFRAME JavaScript URLs are not properly protected from being executed in context of another URL in the history list. Attackers can exploit this "to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site," the advisory said.
  • Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges using a specially crafted JavaScript URL.

When combined, the vulnerabilities could be exploited to launch malicious code, Secunia said. The company confirmed the flaws in Firefox 1.0.3 and said other versions could be affected.

"Remote code execution in a browser, especially without the user's interaction is very dangerous, as any misspelling in a URL, any result from a search engine or any hacked server can infect people with all sorts of malware," Swa Frantzen, a handler for the Bethesda, Md.-based SANS Internet Storm Center, said by e-mail. "As to what can happen, all bets are basically off as remote code execution can install just about anything depending on the permissions the user running the browser has."

The Mozilla Foundation is working on a patch, Kristensen said. For now, there are two workarounds: disable JavaScript or disable the "Allow Web sites to install software" option.

Of the second option, Kristensen said, "[Mozilla has] made a temporary fix by changing the behavior of the default software installation sites… the exploit requires a working site to be listed in the 'Allow Web sites to install software' option."

He added: "This change effectively breaks the exploit. However, if a user has added another site to the 'Allow Web sites to install software' option and the attacker knows the URL then the exploit is still working."

The Internet Storm Center is recommending users take the second option.

"The first workaround… stops all JavaScript," Frantzen said. "This will give [users] a bad experience on many Web sites as most Web masters don't cater to visitors with disabled JavaScript. Disabling JavaScript is much more secure, but keeping it that way is nearly impossible except for very security-minded people. Compare it to taking care of an infected toe by amputating the leg."

The second is more selective and 99% of Web sites should continue to work as before, he said. It's not as broad a workaround as disabling JavaScript but it's a more manageable workaround until a patch arrives. Frantzen said: "Compare it to using pain killers for that same infection till a better solution can be implemented."

This article originally appeared on


1 comment


"there are workarounds"? That doesn't sound right. With so many MSFT products and browsers being insecure for the past decade, I am puzzled that other firms haven't learned from this. How hard is it to lock down a browser or create a patch when a new vulnerability is found? I'm not a coder, so don't yell too loudly at me. But if you find an issue at day XX, can't you go back to day XX-1 to get a copy of the software that didn't have an issue? OR better still, go to the hacker or white-hat who found the problem and enlist them to fix it. For now, I use Chrome and sometimes Safari. I gave up on IE immediately and haven't used Firefox in ages.
