Mozilla Foundation Security Advisory 2006-36

PLUGINSPAGE privileged JavaScript execution II

Announced: June 1, 2006
Reporter: Paul Nickerson
Impact: Moderate
Products: Firefox
Fixed in: Firefox 1.5.0.4

Description

Paul Nickerson reports that the fix for MFSA 2005-34 can be bypassed using nested javascript: URLs, again allowing the attacker to execute privileged code. The attacker must first convince the user to click on the missing-plugin icon in the page or the "Install Missing Plugins..." button in the infobar, and then click on the "Manual Install" button on the plugin-finder dialog.

Note that the "Manual Install" button is a mechanism for installing software from a site specified by the web page. Many potential victims who have come this far might be convinced to go ahead and install arbitrary software from the attacker's site even without this vulnerability.

Workaround

Do not press the "Manual Install" button on the Firefox plugin finder. Instead use a search engine to find an appropriate plugin for the content.
