February 11, 2005


Mozilla Firefox Browser Vulnerabilities

Security Alert!
Platform: Mozilla Firefox 1.0, all platforms
Vendor Severity: not specified
Actual Severity: HIGH to CRITICAL

Just because it's not Microsoft doesn't mean it's perfect. The exodus of users from Microsoft's security-hole-ridden Internet Explorer to the open source Firefox browser is well documented. However, Firefox suffers from serious security bugs just like IE does, so vigilance is still required. To date Firefox hasn't suffered from the high rate of IE security gaffes, but this week three serious bugs in a row reinforce the need to keep an eye on all software patches.

The vulnerabilities occur in three completely separate areas of Firefox's user interface: tabs, dragging, and the Flash plug-in.

Bug 280056: When dropping a javascript link to a tab, the script runs in the security context of the site currently displayed in the tab

Bug 279945: Image drag and drop allows creating executable files

Bug 280664: Using Flash and the -moz-opacity filter you can get access to about:config and make the user silently change values

All of these can be exploited by a malicious server to compromise the security of a user's browser environment, which could lead to disclosure of confidential information, to arbitrary code execution, and ultimately to the takeover of the user's machine.

All three bugs are fixed in the latest build of Firefox, but getting and installing the latest build isn't as easy -- or as automatic -- as Microsoft's self-installing updates. If you deploy Firefox, you must manually upgrade each user's installation to the fixed version, which could be a tedious process.
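The manual-upgrade chore above starts with knowing which installations are still on a vulnerable build. The following script is an added example, not code from the original post or from Mozilla: it parses Mozilla-style version strings (including pre-release tags such as "rc1") and flags any inventory entry that compares below a required minimum. The post only says the fixes are in "the latest build", so REQUIRED_MIN is an assumed placeholder, and the host inventory is constructed sample data.

```python
"""Flag Firefox installations below a required minimum version.

Added example, not part of the original post. The post names no fixed
release, so REQUIRED_MIN is a placeholder an administrator would replace
with the actual version carrying the fixes.
"""
import re
from typing import List, Tuple

# Placeholder: set this to the Firefox release that actually carries the fixes.
REQUIRED_MIN = "1.0.1"

# Constructed sample inventory of (hostname, reported Firefox version).
# These are not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "1.0"),
    ("ws-02", "1.0.1"),
    ("ws-03", "1.0+"),      # trunk-style marker we deliberately do not parse
    ("ws-04", "0.9.3"),
    ("ws-05", "1.0.1rc1"),  # release candidate of the fixed version
]

# One dotted component: digits, optional pre-release tag, optional tag number.
_PART = re.compile(r"^(\d+)([a-z]*)(\d*)$")


def parse_version(version: str) -> Tuple:
    """Turn a Mozilla-style version string into a comparable tuple.

    Each dotted component becomes (number, rank, tag, tag_number), where
    rank is 0 for a pre-release tag ("1rc1", "1b") and 1 for a final
    number ("1"), so "1.0.1rc1" sorts below "1.0.1". Missing trailing
    components are padded so that "1.0" compares equal to "1.0.0".
    Raises ValueError on anything outside that grammar (e.g. "1.0+").
    """
    parts = []
    for comp in version.strip().split("."):
        m = _PART.match(comp)
        if not m:
            raise ValueError(f"unparseable version component: {comp!r}")
        num, tag, tagnum = m.groups()
        rank = 1 if tag == "" else 0
        parts.append((int(num), rank, tag, int(tagnum) if tagnum else 0))
    while len(parts) < 3:
        parts.append((0, 1, "", 0))
    return tuple(parts)


def is_below(version: str, minimum: str = REQUIRED_MIN) -> bool:
    """True when `version` is older than `minimum`."""
    return parse_version(version) < parse_version(minimum)


def find_outdated(inventory) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for every host needing attention.

    status is "outdated" when the version compares below REQUIRED_MIN and
    "unknown" when the string cannot be parsed; unknown entries are
    reported rather than silently treated as current, so they get a
    manual look instead of being assumed safe.
    """
    findings = []
    for host, version in inventory:
        try:
            if is_below(version):
                findings.append((host, version, "outdated"))
        except ValueError:
            findings.append((host, version, "unknown"))
    return findings


if __name__ == "__main__":
    for host, version, status in find_outdated(SAMPLE_INVENTORY):
        print(f"{host}: Firefox {version} -> {status}")
```

In practice the inventory would come from whatever tool already enumerates installed software on your workstations; the point of the parser is that a naive string comparison gets "1.0.1rc1" versus "1.0.1" wrong, and that an unparseable version should be surfaced, not assumed to be fixed.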

This additional labor may still be worth it given the advantages of Firefox: immunity from IE exploits, such as spyware and keystroke logging; resistance to cross-site script attacks; and built-in control over pop-up ads. The lesson here is to avoid complacency. While Firefox is safer than IE today, it's still software and still contains bugs that require close monitoring.

Posted by Mel Beckman at February 11, 2005 10:24 AM