'Extremely Critical' Bugs Found In Firefox

[stealth_thunder]

By Gregg Keizer
TechWeb News

A pair of unpatched vulnerabilities in Mozilla's Firefox Web browser -- rated as "extremely critical" by one security firm -- could allow an attacker to take control of a PC simply by getting a user to visit a malicious Web site, Mozilla said Sunday.
Because proof-of-concept code has been leaked -- as were the vulnerabilities -- before a patch was ready, Mozilla recommended that Firefox users either disable JavaScript or lock down the browser so it doesn't install additional software, such as extensions" or themes, from Web sites.

The vulnerabilities were discovered by a pair of security researchers, who had notified Mozilla earlier in the month, but were keeping mum until a patch was written. However, details of the vulnerabilities were leaked by someone close to one of the researchers.

According to Danish security vendor Secunia, which tagged the bugs with a highest "extremely critical" warning -- the first time it's used that to describe a Firefox flaw -- a hacker can trick the browser into thinking a download is coming from one of the by-default sites permitted to install software automatically: addons.mozilla.org or update.mozilla.org.

"Changes to the Mozilla Update web service have been made to mitigate the risk of an exploit," the Foundation announced on its security site Sunday. Specifically, Mozilla re-pointed the two update sites to a new URL, and instructed users not to add that new site to their list of Allowed Sites. The change, however, only defends against the current proof-of-concept that's circulating, not the vulnerabilities themselves.

While that reduced the risk of an immediate attack, Mozilla doesn't have control over the numerous sites that users might have added to their Allow, or whitelist, list. Popular plug-ins, called "extensions" by Firefox, could also be the root of attacks, since users must give an extension site installation permission. To close all possible doors, Mozilla recommended that users either disable JavaScript or turn off installation from Web sites. To disable Web site software installs, users can select Tools/Options/Preferences in Firefox 1.0.3, the current edition. Users can still install extensions or user interface themes manually by first downloading the file, then running them from Firefox's File menu.

A security update -- which will be dubbed Firefox 1.0.4 -- will be issued as soon as possible. "Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update," the organization's security alert continued.

While the leaked information included proof-of-concept code that demonstrated how a malicious site could run code of the attacker's choice and install it on machines using Firefox, Mozilla discounted the risk. "There are currently no known active exploits of these vulnerabilities," it said Sunday. The release of Firefox 1.0.4 would be the fourth security update to the browser since the beginning of the year. Others appeared in late February, late March, and mid-April. In that time, Microsoft has released two patches for its Internet Explorer browser.

Website :

Code:

http://informationweek.com/story/showArticle.jhtml?articleID=163100338

Does this tell us that Mozilla Firefox is not a safe browser ???

My personal views, its kinda good to have a browser like firefox but too many aspects like javascripts features not yet fully protected and microsoft continue to promote their Internet explorer and continueously trying to make Mozilla Development team to go bonkers on repairing what microsoft have found.

What will happen if firefox do not fixed the bug???
Will microsoft continue to push Mozilla team to reach their limits and then make them stop developing firefox ???

[Richard]

What will happen if firefox do not fixed the bug???
Will microsoft continue to push Mozilla team to reach their limits and then make them stop developing firefox ???

That will never happen. Think Microsoft are using that to take the spot light of them a bit. In fact if Microsoft don't do something radical in the next 5 - 10 years it will become a shadow of its former self.

Going back to Firefox, no one said it was perfect. However its still safer and more standards Compliant then IE

[stealth_thunder]

Microsoft been posting all the bugs on firefox, why isn't firefox people get back on them too.....

Mostly see that Mozilla only improve and fixed up firefox not a single news found that firefox would go against Microsoft....

May be Bill Gates too powerful.... that's my view

[Richard]

Microsoft been posting all the bugs on firefox, why isn't firefox people get back on them too.....

Mostly see that Mozilla only improve and fixed up firefox not a single news found that firefox would go against Microsoft....

May be Bill Gates too powerful.... that's my view

The Mozilla group would never step down such levels. Microsoft has never really had much competition against the likes of Netscape but now there is a whole new wave that Microsoft is fighting.. Firefox is just the begining.

Microsoft will have to adapt in time and they have already begun testing the waters since they have 3 projects on SourceForge. Time will tell what the future holds.

[stealth_thunder]

Latest Report I found out

Firefox undercut by security flaws

The Web browser seen by some PC users as the underdog that would upset Microsoft's Internet Explorer may have run into a snag.

Two snags, actually.

Mozilla Foundation's Firefox has reported two security flaws. Together, they could be used by hackers to gain access to the computers of Firefox users.

Once inside, hackers would have the full privileges of the user - meaning they could install programs and delete files.

Mozilla is scrambling to patch the holes. ``We have a fix in hand,'' said Chris Hofmann, Mozilla's engineering director.

The fix is being tested, Hofmann said. In the meantime, Mozilla is urging Firefox users to either disable the browser's ``JavaScript'' or ``Whitelist'' features.

None of Firefox's 52 million users have reported problems from the security flaws. The vulnerabilities might have gone unnoticed by the public, according to Jeffrey Schiller, the Massachusetts Institute of Technology's network manager and security architect.

Typically, research groups hack into systems to uncover security flaws and notify the provider of problems. The company is then given time to make repairs.

But in Mozilla's case, the lid was blown when e-mails between two researchers were misdirected. ``They effectively published the recipe on how to take advantage of (Firefox's flaws),'' Hofmann said.

The leak caused a flurry of activity as Mozilla updated its system and warned users. The incident may be a black eye for the fledgling browser, which prides itself on being more secure than Internet Explorer.

``There are going to be security vulnerabilities that surface,'' Hofmann admitted. ``But we believe Firefox is built on a strong architecture.''

website taken :

Code:

http://business.bostonherald.com/technologyNews/view.bg?articleid=82592

My personal views, no one knows the bug exist at all then why Microsoft just whispered to their competitors and tell them you have two critical bug rather than exposing over the Tech News saying about Microsoft themselves found 'Extremely Critical Bugs. What a low level way of treating ur opponent which has no idea what microsoft is trying to express to them.... " Get lost... leave this internet world, stop your nonsense on creating your personal browser. U would never be able to survive unless I die "

Are the trying to express that only microsoft themselves knows

[Richard]

Think about it.

This type of malicious code needs a website to hold it right? So malicious code on a website would make that website malicious. Which leaves the question “What are you doing at that site in the first place?”

This whole thing is blown out of proportion. I think.

[izmaelis]

Ok. There were several bugs found in FireFox few days ago so why I can't find any patches or updates to correct them. I use FireFox every day but I can't see any green/red button in the upper right corner.

[Richard]

Thats because Firefox 1.0.4 has not been released yet.

None of Firefox's 52 million users have reported problems from the security flaws.

I don't think there is too much to worry about :happy:

[n4tec]

I use Firefox!!! I am having no problem with it except I can see any red button in the upper right corner!!! What should i do?

*4*

[Richard]

Double click on it. Its will search for updates for you.