tff.msk.ru :: Sharing tFFed mind

May 11, 2005

Mozilla patches holes in Firefox

Posted in: internet — tFF @ 21:18

The existence of vulnerabilities in the program became known on Saturday. According to experts, they are "very serious", although no one has yet managed to exploit them.

Mozilla immediately made changes to its software update service and advises users to temporarily disable JavaScript.

The flaws found in the program allow hackers to run malicious programs from websites on the user's computer.
(source)

Mozilla Security Center:
Security Advisory (May 8, 2005)
The Mozilla Foundation is aware of two potentially critical Firefox security vulnerabilities as reported publicly Saturday, May 7th. There are currently no known active exploits of these vulnerabilities although a "proof of concept" has been reported. Changes to the Mozilla Update web service have been made to mitigate the risk of an exploit. Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update. Users can further protect themselves today by temporarily disabling JavaScript.

Mozilla Foundation Security Advisory 2005-42
Title: Code execution via javascript: IconURL
Severity: Critical
Reporter: Paul (Greyhats)
Products: Firefox, Mozilla Suite
Two vulnerabilities were found in Mozilla Firefox that combined allow an attacker to run arbitrary code. The Mozilla Suite is only partially vulnerable.

By causing a frame to navigate back to a previous javascript: url an attacker can inject script into any site. This could be used to steal cookies or sensitive data from that site, or to perform actions on behalf of that user. (Affects Firefox and the Suite).

A separate vulnerability in the Firefox install confirmation dialog allows an attacker to execute arbitrary code by using a javascript: URL as the package icon. By default only the Mozilla Foundation update site is allowed to bring up this dialog, but the script injection vulnerability described above enables this to be exploited from any malicious site.

The Mozilla Foundation has modified the update servers to prevent their use in this attack.
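
The advisory above turns on a javascript: URL being accepted where an image URL was expected. The following is an added example, not Mozilla's fix and not code from the advisory: it parses an untrusted icon URL and allows only known-safe schemes, next to a naive prefix denylist for comparison. The names `checkIconUrl`, `naiveDenylistAccepts`, `ALLOWED_ICON_SCHEMES` and the host `updates.example` are assumptions made for illustration.

```javascript
// Added example: validate an untrusted icon URL before privileged UI uses it.
// All names here are hypothetical; sample inputs are constructed.
const ALLOWED_ICON_SCHEMES = new Set(["https:", "http:"]);

// Weak form: a prefix denylist. It inspects the raw string, so any input
// the URL parser normalizes differently slips past it.
function naiveDenylistAccepts(raw) {
  return !raw.startsWith("javascript:");
}

// Hardened form: parse first, then allowlist the normalized scheme.
function checkIconUrl(raw, base) {
  if (typeof raw !== "string" || raw.length === 0) {
    return { ok: false, reason: "empty" };
  }
  let parsed;
  try {
    // The WHATWG URL parser trims surrounding whitespace, drops embedded
    // tabs/newlines and lowercases the scheme before we look at it.
    parsed = new URL(raw, base);
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  if (!ALLOWED_ICON_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme " + parsed.protocol };
  }
  return { ok: true, url: parsed.href };
}

// Constructed sample inputs, resolved against a placeholder package origin.
const SAMPLE_BASE = "https://updates.example/ext/";
const SAMPLE_ICONS = [
  "icons/pkg.png",
  "javascript:void(0)",
  "  JaVa\tScRiPt:void(0)",
  "data:image/png;base64,AAAA",
];

function runSamples() {
  return SAMPLE_ICONS.map((raw) => ({
    raw,
    naive: naiveDenylistAccepts(raw),
    checked: checkIconUrl(raw, SAMPLE_BASE),
  }));
}

console.log(JSON.stringify(runSamples(), null, 2));
```
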
