Mozilla Foundation Security Advisory 2005-42
Code execution via javascript: IconURL
- Announced: May 8, 2005
- Reporter: Paul (Greyhats)
- Impact: Critical
- Products: Firefox, Mozilla Suite
- Fixed in: Firefox 1.0.4, Mozilla Suite 1.7.8
Description
Two vulnerabilities found in Mozilla Firefox 1.0.3, when combined, allow an attacker to run arbitrary code. The Mozilla Suite version 1.7.7 is only partially vulnerable.
A vulnerability in the Firefox install confirmation dialog allows an attacker to supply a javascript: URL as the IconURL property, which will execute code. By using an eval() call in that URL, arbitrary code can be executed with elevated privilege. By default only the Mozilla Update site is allowed to attempt software installation, but users can allow other sites.
A second flaw in Firefox 1.0.3 and the Mozilla Suite 1.7.7 allows an attacker to inject script into any site by loading it in a frame and navigating back to a previous javascript: URL containing an eval() call. This can be used to steal cookies or other confidential data from the target site. If the target site is allowed to raise the install confirmation dialog in Firefox, then this attack can be combined with the first to execute arbitrary code.
The default Mozilla Update site has been modified to prevent its use in this attack.
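The first flaw is an unvalidated URL property reaching a privileged dialog. As an added illustration of the mitigation class (not Mozilla's code or the actual fix), the following check accepts only http(s) icon URLs and relies on WHATWG URL parsing so that case variants and embedded tab/newline characters in a javascript: scheme are still rejected; the base URL is an assumed placeholder.

```javascript
// Added example, not from the advisory or the Mozilla code base.
// Validate a URL supplied as an icon for a privileged dialog: allow only
// http: and https:, and refuse every script-capable scheme (javascript:,
// data:, vbscript:, blob:, ...) by allowlisting rather than denylisting.
const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);

// `base` is an assumed placeholder used to resolve relative icon paths.
function isSafeIconURL(candidate, base = "https://update.example.invalid/") {
  if (typeof candidate !== "string") return false;
  let url;
  try {
    // The WHATWG parser lower-cases the scheme, trims leading/trailing
    // C0 controls and spaces, and drops tabs/newlines inside the input,
    // so " JaVaScRiPt:" and "java\tscript:" both parse as javascript:.
    url = new URL(candidate, base);
  } catch {
    return false; // unparseable input is rejected, never passed through
  }
  return ALLOWED_ICON_SCHEMES.has(url.protocol);
}

// Constructed sample inputs a dialog might receive from a web page.
const SAMPLE_ICON_URLS = [
  "https://update.example.invalid/icons/theme.png", // accepted
  "icons/theme.png",                                 // relative, accepted
  "javascript:1",                                    // rejected
  "  JaVaScRiPt:1",                                  // rejected
  "java\tscript:1",                                  // rejected
  "data:text/html,x",                                // rejected
];

// Returns the subset of inputs the dialog would be allowed to load.
function filterIconURLs(list) {
  return list.filter((u) => isSafeIconURL(u));
}
```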
Workaround
Changes were made to the default Mozilla Update site to protect users from these attacks shortly after this attack became public. Users who have added other extension or theme sites to the software installation whitelist should remove them until they have upgraded to a fixed version of Firefox.
- Select the "Options" dialog from the "Tools" menu
- Select the "Web Features" icon
- Click the "Allowed Sites" button on the same line as the "Allow web sites to install software" checkbox
- Click the "Remove All Sites" button
- Click "OK"
Disabling JavaScript will prevent both attacks.
References
Bug and exploit details withheld until May 18, 2005