Security news October 2, 2006

Researchers have detected a potentially serious flaw in the way that Mozilla’s Firefox browser handles Javascript.

Two independent researchers outlined the vulnerability in a presentation over the weekend at the ToorCon hacker conference. The duo claimed that the vulnerability could allow attackers to take control of a system through a specially crafted web page.

In a blog posting, Mozilla security chief Window Snyder wrote that the company was able to recreate browser crashes from the vulnerability. Snyder claimed, however, that she couldn’t confirm the remote code execution.

The vulnerability affects the ‘chrome context’ component of Firefox, explained Eric Sites, vice president of research and development for security vendor Sunbelt Software. The feature provides certain trusted code such as Javascript with full access to Firefox’s resources.

“If a script gets into that chrome context, then it’s just like you copied that script to your computer and ran it with no restrictions whatsoever,” Sites told vnunet.com.

There are currently no known exploits of the vulnerability. Sites cautioned, however, that the flaw could be included in the WebAttacker toolkit, which provides malware authors with an automated tool to craft new worms and viruses.

“We’ve already seen [WebAttacker] Javascript exploits targeted at Firefox, so I’m sure these guys will be picking up these scripts and implementing them in WebAttacker pretty quickly,” Sites said.

Sites compared the impact of the Firefox vulnerability to the ActiveX-software zero-day exploits that hit Internet Explorer in the past week. In two separate incidents, attackers used an unpatched vulnerability in Internet Explorer to execute arbitrary code. Microsoft last week rushed out a patch for one of the flaws, while the second one remains unpatched.

Though Sites said the vulnerability is “pretty dangerous” to users, Firefox’s open source status allows its developer community to quickly create a patch once a solution has been found.

“One thing that Mozilla has going for it is an interesting framework that allows for sending out updates very quickly,” said Sites.
