Fire Drill for Firefox 1.0.3; Mozilla's Browser Has Serious Flaw
Mozilla Foundation Security Advisory 2005-42 Says Disable JavaScript

A security flaw that allows a malicious site to execute arbitrary code on a user's system has been discovered in Mozilla Firefox, Mozilla has reported. It appears to be the first "Extremely Critical" Firefox flaw logged by Secunia, Mozilla says.

The advisory explains that a successful attack involves exploiting two flaws: one involves tricking Firefox into thinking a software installation is being triggered by a whitelisted site, while the other relies on the software installation trigger not sufficiently checking icon URLs containing JavaScript code. The Secunia advisory suggests disabling JavaScript as a workaround; however, simply disabling software installation (Web Features panel of the Options/Preferences window in Firefox 1.0.3 or the Content panel in the latest trunk builds) eliminates the problem.
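The second flaw described above comes down to a page-supplied icon URL being used without a sufficient check on its scheme. As an added example (not Mozilla's code or its fix), the JavaScript below shows a generic allowlist check for such a URL; `checkIconUrl`, `ALLOWED_ICON_SCHEMES`, `classify` and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: allowlist check for an icon URL supplied by an untrusted page.
// checkIconUrl / ALLOWED_ICON_SCHEMES are hypothetical names, not Firefox code.
const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);

function checkIconUrl(rawUrl, pageUrl) {
  if (typeof rawUrl !== "string" || rawUrl.length === 0) {
    return { ok: false, reason: "empty or non-string URL" };
  }
  let parsed;
  try {
    // Resolve against the calling page so relative icon paths still work.
    // The URL parser trims leading spaces and control characters, drops
    // embedded tabs/newlines and lowercases the scheme, so differently
    // spelled inputs normalise to one protocol value before the check.
    parsed = new URL(rawUrl, pageUrl);
  } catch (err) {
    return { ok: false, reason: "unparseable URL" };
  }
  // Allowlist, not blocklist: anything that is not http(s) is refused,
  // including javascript: and data: URLs.
  if (!ALLOWED_ICON_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme not allowed: " + parsed.protocol };
  }
  return { ok: true, url: parsed.href };
}

// Constructed sample inputs (not taken from the advisory).
const PAGE = "https://addons.example/listing/";
const SAMPLES = [
  "icons/ext.png",                 // relative path, resolves to https
  "https://cdn.example/ext.png",   // absolute https
  "javascript:void(0)",            // script URL
  "  JaVaScRiPt:void(0)",          // leading spaces, mixed case
  "java\tscript:void(0)",          // embedded tab inside the scheme
  "data:image/png;base64,AAAA",    // inline data URL
];

function classify(samples) {
  return samples.map((s) => checkIconUrl(s, PAGE).ok);
}

console.log(classify(SAMPLES));
```

Checking the parsed `protocol` rather than matching on the raw string is what makes the mixed-case and embedded-tab inputs fail the same way as the plain one.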

When this story was posted, Mozilla had not yet issued a patch. The only workaround it recommends is to disable JavaScript.

If there's schadenfreude in Redmond, then there are big smiles. Firefox has been slowly eating away at Microsoft IE's market share, due in large part to its reputation as a safe browser not susceptible to the security flaws routinely found in Microsoft's dominant program.

Initial feedback at Mozilla's website was mixed. Where one poster pronounced himself "extremely disappointed," another said that "the press will hype up any security issue, (and) not necessarily in proportion to the severity and impact of it." With more than 50 million downloads of Firefox claimed by Mozilla, there is little doubt that the browser becomes both a more tempting target for bad guys and a better-debugged program by dint of the sheer number of people who use it.

About Security News Desk
SYS-CON's Security News desk trawls the world of security for news of software, hardware, products, and services that seems likely to be of interest to infosec professionals and summarizes it for easy assimilation by busy IT managers and staff.


Reader Feedback: Page 1 of 1

I think it's funny that the first "extremely critical" security flaw is related to a feature invented by Microsoft -- a feature that I turned off immediately upon installing Firefox. Seriously, if you turn on a feature like this, you might as well put a sign on your butt that says "Kick me" and bend over.

Version 1.0.4 is already out and addresses all of those issues. (http://www.getfirefox.com)



