Bardissi Enterprises Blog

Eight Firefox Flaws Affect All Platforms

Severity: Medium

19 July, 2007

Summary:

Yesterday, the Mozilla Foundation released an update to fix eight security vulnerabilities in Firefox 2.0.0.4, for Windows, Linux, and Macintosh. If one of your Firefox users visits a malicious Web page, an attacker could exploit the worst of these vulnerabilities to execute code on your user’s computer, with your user’s privileges, possibly gaining complete control of the computer. If you run Firefox on any platform, you should download and deploy version 2.0.0.5 at your earliest convenience.

Exposure:

Yesterday, the Mozilla Foundation released Firefox 2.0.0.5, fixing eight security vulnerabilities in the popular web browser. We summarize the three most critical vulnerabilities below:

  • Firefox and Internet Explorer Code Execution Vulnerability. In a recent Wire post, we described a critical vulnerability in Internet Explorer’s (IE) URI handler that could be abused to launch a cross-browser scripting attack against Firefox. This attack only works if your users have both Firefox and Internet Explorer installed. If an attacker can entice one of your users to click a specially crafted link in IE, he could execute malicious JavaScript in Firefox with your user’s security privileges. If that user had local administrator privileges, the attacker could exploit this flaw to gain complete control of the user’s machine. Mozilla has corrected the Firefox portion of this vulnerability. However, Mozilla warns that the core vulnerability lies in IE and remains unpatched: attackers can use the same IE flaw to launch other Windows applications and execute malicious code through them, so patching Firefox closes only this one path.
  • Multiple Memory Corruption Vulnerabilities. Firefox suffers from 21 unspecified crash bugs, some of which corrupt memory. Mozilla presumes that, with enough effort, at least some of these memory corruption flaws could be exploited to run arbitrary code. To exploit them, an attacker would first have to trick one of your users into visiting a specially crafted web page. If your user took the bait, the attacker could execute code on that user’s machine with that user’s privileges; if the user were a local administrator or had root privileges, the attacker would gain total control of the machine.
  • Firefox Privilege Elevation Vulnerability. Chrome is the privileged part of Firefox’s user interface: it handles everything that lies outside the main web content window, such as toolbars, menu bars, progress bars, and window title bars, and chrome scripts run with far higher privileges than ordinary web page scripts. According to Mozilla, an attacker can attach an event handler to an element that is not part of any document and have it invoked in a way that lets web content run arbitrary code with chrome privileges. If an attacker can get your user to visit his malicious web page, he can exploit this flaw to execute code on your user’s computer with the same privileges as that user. So if your users have local administrative or root privileges, an attacker could leverage this vulnerability to gain complete control of their machines.

The remaining vulnerabilities include some Cross-Site Scripting (XSS) flaws and a minor frame spoofing issue. If you’d like to know more about them, check out Firefox’s known issues page. However, the three critical vulnerabilities above should by themselves convince you to upgrade your Firefox users to the fixed version at your earliest convenience.

Solution Path:

Mozilla has updated Firefox, correcting these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 2.0.0.5 as soon as possible. Mozilla no longer supports the 1.5.x branch of Firefox. We recommend that 1.5.x users migrate to 2.0.0.5 now.

Note: The latest versions of Firefox 2.0 automatically inform you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab on Windows (Edit => Preferences on Linux, Firefox => Preferences on Mac OS X). Make sure that “Firefox” is checked under “Automatically check for updates.” In this same panel, you can configure Firefox to automatically download and install the update, or to merely inform the user that the update exists. Note that automatic updates only help users who can write to the Firefox installation directory; on locked-down machines where users lack that right, you must deploy the new version yourself.
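For administrators who would rather check many machines than click through each one, the following Python audit helper is an added example (it is not part of the WatchGuard alert or of this blog) that performs the two checks described above: is the installed build at or above 2.0.0.5, and is automatic update checking still on. It assumes that `firefox -version` prints a line such as "Mozilla Firefox 2.0.0.4" and that the “Automatically check for updates: Firefox” checkbox is stored in the profile’s prefs.js as the `app.update.enabled` preference; both are assumptions drawn from Firefox 2 behavior, not facts stated in the alert. The version string and prefs.js content below are constructed sample input, not captured from a real host.

```python
"""Firefox 2.0.0.5 audit helper (added example, not from the WatchGuard alert).

Two checks per host:
  1. installed version vs. the fixed release named in the alert
  2. whether the profile has switched off automatic update checking
"""
import re

FIXED_VERSION = "2.0.0.5"   # release that fixes the eight issues in the alert


def parse_version(text):
    """Pull a dotted version out of 'firefox -version' output
    ('Mozilla Firefox 2.0.0.4') and return it as a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no version number in: %r" % (text,))
    return tuple(int(part) for part in m.group(1).split("."))


def needs_upgrade(version_text, fixed=FIXED_VERSION):
    """True if the installed version sorts before the fixed one.
    Tuple comparison copes with different lengths: (2,0,0) < (2,0,0,5)."""
    return parse_version(version_text) < parse_version(fixed)


# prefs.js stores one preference per line as  user_pref("name", value);
# (assumption: Firefox 2 profile format). Values containing the text ');'
# would confuse this simple line regex; that is acceptable for an audit.
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def read_prefs(prefs_js):
    """Parse user_pref lines into a dict. Booleans, ints and quoted strings
    are converted; comment and blank lines are ignored."""
    prefs = {}
    for line in prefs_js.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def update_check_enabled(prefs):
    """The 'Automatically check for updates: Firefox' box maps to
    app.update.enabled (assumed pref name). prefs.js only records values the
    user changed, so a missing entry means the default, which is enabled."""
    return prefs.get("app.update.enabled", True)


def audit(version_text, prefs_js):
    """Return a list of findings; an empty list means the host is fine."""
    findings = []
    installed = parse_version(version_text)
    if needs_upgrade(version_text):
        findings.append("firefox %s is below %s"
                        % (".".join(str(p) for p in installed), FIXED_VERSION))
    if not update_check_enabled(read_prefs(prefs_js)):
        findings.append("app.update.enabled is false: updates will not be offered")
    return findings


# Constructed sample input (not captured from a real machine).
SAMPLE_VERSION = "Mozilla Firefox 2.0.0.4"
SAMPLE_PREFS = """
# Mozilla User Preferences
user_pref("app.update.enabled", false);
user_pref("app.update.auto", true);
user_pref("browser.startup.homepage", "http://www.watchguard.com/");
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_VERSION, SAMPLE_PREFS):
        print("FINDING:", finding)
```

In practice you would feed `audit()` the output of `firefox -version` and the contents of each user’s prefs.js; a host that is already on 2.0.0.5 with no `app.update.enabled` line in its profile produces no findings.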

For All WatchGuard Users:

Some of these attacks arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 2.0.0.5, fixing these security issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP

 
