A security flaw that allows a malicious site to execute arbitrary code on a user's system has been discovered in Mozilla Firefox, Mozilla has reported. It appears to be the first "Extremely Critical" Firefox flaw logged by Secunia, Mozilla says.
The advisory explains that a successful attack involves exploiting two flaws: one involves tricking Firefox into thinking a software installation is being triggered by a whitelisted site, while the other relies on the software installation trigger not sufficiently checking icon URLs containing JavaScript code. The Secunia advisory suggests disabling JavaScript as a workaround; however, simply disabling software installation (Web Features panel of the Options/Preferences window in Firefox 1.0.3 or the Content panel in the latest trunk builds) eliminates the problem.
As the story was posted, Mozilla had not yet issued a patch. The only workaround it recommends is to disable Javascript.
If there's schadenfreude in Redmond, then there are big smiles. Firefox has been slowly eating away at Microsoft IE's market share, due in large part to its reputation as a safe browser not susceptible to the security flaws routinely found in Microsoft's dominant program.
Initial feedback at Mozilla's website was mixed. Where one poster pronounced himself "extremely disappointed," another said that "the press will hype up any security issue, (and) not necessarily in proportion to the severity and impact of it." With more than 50 million downloads of Firefox claimed by Mozilla, it's not doubtful that the browser becomes a more tempting target for bad guys and a better-debugged program by dint of the sheer mass of the increasing number of people who use it.
First "Extremely Critical" Firefox bug
First "Extremely Critical" Firefox bug
http://wldj.sys-con.com/read/83666.htm
