hcp006sl
Journeyman
Though there are several threads on Firefox, I am introducing a new one on only the latest version of it.
What's new:
Title: Privilege escalation via non-DOM property overrides
Severity: Critical
Reporter: moz_bug_r_a4
Fixed in: Firefox 1.0.4
Description:
Additional checks were added to make sure Javascript eval and Script objects are run with the privileges of the context that created them, not the potentially elevated privilege of the context calling them in order to protect against an additional variant of MFSA 2005-41.
Workaround: Upgrade to Firefox 1.0.4.
References: Bug and exploit details withheld until May 18, 2005
*bugzilla.mozilla.org/show_bug.cgi?id=290908
Title: "Wrapped" javascript: urls bypass security checks
Severity: Critical
Reporter: Michael Krax, Georgi Guninski, L. David Baron
Fixed in: Firefox 1.0.4
Description:
Some security checks intended to prevent script injection were incorrect and could be bypassed by wrapping a javascript: url in the view-source: pseudo-protocol. Michael Krax demonstrated that a variant of his favicon exploit could still execute arbitrary code, and the same technique could also be used to perform cross-site scripting.
Georgi Guninski demonstrated the same flaw wrapping javascript: urls with the jar: pseudo-protocol.
L. David Baron discovered a nested variant that defeated checks in the script security manager.
Workaround: Disable Javascript
References: Bug and exploit details withheld until May 18, 2005
*bugzilla.mozilla.org/show_bug.cgi?id=290949
*bugzilla.mozilla.org/show_bug.cgi?id=290982
*bugzilla.mozilla.org/show_bug.cgi?id=291150
*bugzilla.mozilla.org/show_bug.cgi?id=293671
Title: Code execution via javascript: IconURL
Severity: Critical
Reporter: Paul (Greyhats)
Fixed in: Firefox 1.0.4
Description:
Two vulnerabilities found in Mozilla Firefox 1.0.3 when combined allow an attacker to run arbitrary code.
A vulnerability in the Firefox install confirmation dialog allows an attacker to supply a javascript: URL as the IconURL property, which will execute code. By using an eval() call in that URL arbitrary code can be executed with elevated privilege. By default only the Mozilla Update site is allowed to attempt software installation but users can allow other sites.
A second flaw in Firefox 1.0.3 allows an attacker to inject script into any site by loading it in a frame and navigating back to a previous javascript: URL containing an eval() call. This can be used to steal cookies or other confidential data from the target site. If the target site is allowed to raise the install confirmation dialog in Firefox then this attack can be combined with the first to execute arbitrary code.
The default Mozilla Update site has been modified to prevent its use in this attack.
Workaround: Changes were made to the default Mozilla Update site to protect users from these attacks shortly after this attack became public. Users who have added other extension or theme sites to the software installation whitelist should remove them until they have upgraded to a fixed version of Firefox.
Select the "Options" dialog from the "Tools" menu
Select the "Web Features" icon
Click the "Allowed Sites" button on the same line as the "Allow web sites to install software" checkbox
Click the "Remove All Sites" button
Click "OK"
Disabling Javascript will prevent both attacks.
References: Bug and exploit details withheld until May 18, 2005
*bugzilla.mozilla.org/show_bug.cgi?id=292691
*bugzilla.mozilla.org/show_bug.cgi?id=292499
*bugzilla.mozilla.org/show_bug.cgi?id=291745
You can also read the story from BBC NEWS, Published: 2005/05/12 16:01:21 GMT.
© BBC MMV
Code:
*205.188.221.241/pub/mozilla.org/firefox/releases/1.0.4/win32/en-US/Firefox%20Setup%201.0.4.exe
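The "wrapped" javascript: advisory above describes checks that only looked at a URL's outermost scheme, so view-source: or jar: wrapping slipped past them. The following is an added illustration, not Mozilla code, of a naive scheme check beside a hardened one that unwraps those pseudo-protocols before deciding; the URL strings it tests are constructed samples.

```javascript
// Added example (not Firefox/Mozilla code): scheme checks for URLs that may
// be wrapped in the view-source: and jar: pseudo-protocols named in the
// advisory. Wrapper list and nesting limit are this example's own choices.
const WRAPPER_SCHEMES = ["view-source", "jar"];
const MAX_NESTING = 8;

// Return the outermost scheme of a URL, lower-cased, or null if none.
function outerScheme(url) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Naive check: inspects only the outermost scheme, so a javascript: URL
// wrapped as "view-source:javascript:..." is not recognised as script.
function naiveIsScriptUrl(url) {
  return outerScheme(url) === "javascript";
}

// Peel wrapper pseudo-protocols until a non-wrapper scheme is reached.
// Returns "unknown" when nesting exceeds MAX_NESTING so callers fail closed.
function innermostScheme(url) {
  let current = url;
  for (let depth = 0; depth < MAX_NESTING; depth++) {
    const scheme = outerScheme(current);
    if (scheme === null) return null;          // relative URL: no scheme
    if (!WRAPPER_SCHEMES.includes(scheme)) return scheme;
    // Drop the wrapper prefix; a jar: URL's "!/entry" suffix does not affect
    // the inner scheme and is left on the remainder.
    current = current.replace(/^\s*[a-z][a-z0-9+.-]*:/i, "");
  }
  return "unknown";
}

// Hardened check: decides on the innermost scheme and treats an
// over-nested URL as script-capable rather than letting it through.
function hardenedIsScriptUrl(url) {
  const scheme = innermostScheme(url);
  return scheme === "javascript" || scheme === "unknown";
}
```

The hardened check is a policy decision on the innermost scheme; a real URL loader would additionally normalise case, whitespace and control characters before this step.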