Firefox Critical update - get it now!

From Mozillazine

More Details on Arbitrary Code Execution Vulnerability
Monday May 9th, 2005

Yesterday, we reported that an arbitrary code execution vulnerability has been discovered in Mozilla Firefox. Today, the Mozilla Foundation published an advisory, MFSA 2005-42, which we urge all our readers to examine carefully. In summary, there are two separate issues that can be combined to execute arbitrary code on a victim's computer: one relating to JavaScript code injection and another involving the icon URL used in the software installation dialogue. However, as described below, the potential for arbitrary code execution is no longer a threat for most users.

The first flaw is less serious, though it can potentially lead to sensitive data being stolen and makes the second flaw easier to exploit. The vulnerability allows a malicious site to use frames and JavaScript to inject arbitrary JavaScript code into another site. This allows the malicious site to steal data like cookies or perform actions such as launching the software installation dialogue without being on the user's software installation whitelist (note that this does not allow software to be installed without user intervention). This flaw affects both Mozilla Firefox and the Mozilla Application Suite and can be eliminated by disabling JavaScript.

The second flaw is more serious and involves the software installation dialogue, which is used to ask the user if they wish to install software (such as an extension) from a website. In Mozilla Firefox (but not the Mozilla Application Suite), this dialogue can include an icon, which is supplied by the site as a URL to an image file. Due to insufficient checking, this icon URL can actually be a piece of JavaScript code, which is run with no further prompting. As this code actually runs from the software installation dialogue, rather than a webpage, it is executed with 'full chrome privileges', meaning that it can do anything that the user running Firefox can, including installing software or deleting files. This is the more serious flaw, allowing arbitrary software execution, and only affects Mozilla Firefox. It can prevented by disabling software installation.

On its own, the second flaw can only be exploited by a site on the user's software installation whitelist. However, a malicious site can combine the first and second attacks to execute arbitrary code if it knows the details of one of the sites on the whitelist. In a standard Firefox installation, only the Mozilla Update sites (update.mozilla.org and addons.mozilla.org) are on the whitelist by default. This has allowed the Mozilla Foundation to apply a server-side change that prevents attackers from exploiting the code execution flaw using its systems. Therefore, if you have not added any additional sites to the whitelist, you are not at risk from the code execution exploit and have not been since yesterday. However, you will still be vulnerable to the less serious JavaScript injection flaw.

The server-side change to Mozilla Update and the workarounds described in MFSA 2005-42 (if you still haven't read it, please do) are temporary measures. We understand that the Mozilla Foundation is currently testing builds that include a better fix for this problem, so we expect that a security update will be issued shortly.

In short someone out there can install code using Firefox that can install programs unknown to you. To fix it go to the Firefox update page and download version 1.04.

You want to keep up with your web browsers homepage at all time to be aware of any updates. To keep your computer safe you have to be proactive. This is you neighborhood Internet superhero signing off...