Recently discovered “zero-day” exploit code that takes advantage of two vulnerabilities could mean serious trouble for Mozilla Firefox 1.0.3 users, and, to a lesser extent, Mozilla Suite users. Yesterday, the Mozilla Foundation issued an advisory explaining the vulnerabilities and what measures to take to work around them.
In Mozilla Foundation Security Advisory 2005-42, the Mozilla Foundation explains that the exploit could make use of javascript: URL code to navigate back to a previously visited page — an online store order form with credit card information, an online banking account management page, etc. — to steal cookies, data, or even to “perform actions on behalf of the user.” This exploit affects both Mozilla Firefox 1.0.3 and Mozilla Suite.
Additionally, another javascript: URL exploit takes advantage of Mozilla Firefox 1.0.3’s install dialogue, tricking Firefox into believing a malicious site is a whitelisted site, and giving an attacker the ability to install software.
According to Whitedust Security Portal, the exploit code can be adapted to threaten Mac OS and Linux OS users.
In its advisory, the Mozilla Foundation recommends the following actions until an update is released:
Mozilla Firefox 1.0.3 and Mozilla Suite users should disable JavaScript.
Mozilla Firefox 1.0.3 users should remove all “Allowed sites” under the “Allow web sites to install software” option.

You see, all those MS bashers out there who think they are so superior using their Firefox browsers (and I use Firefox, Opera or IE depending on what day of the week it is, not because it is the ‘in thing’ just to not be an IE basher!).

99% of them will say that the vulnerabilities discovered are some secret plot by Microsoft to undermine Firefox as a legitimate alternative no doubt. It is just a fact of life. If 99% of people drive a top of the range Jaguar, there are an awful lot of people who are going to find faults with it. It’s the law of testing. You can never test 100% coverage, because for everything that you do think of testing, there is always the chance of there being some angle you don’t consider (and can’t, because the number of possibilities out there is huge). If you are the 1% of people out there who drive the new car on the block, whether it just be a free alternative or just a cheaper alternative, you are fewer in number, which is fact. This means that there are fewer of you to perform the testing, you are more likely to be protective of your ‘alternative’ and less likely to complain about the lack of this feature, or the lack of that ability, because you have the cheaper, less costly alternative. You are also less likely to catch the problems that inherently must exist within the product.

I have long warned of complacency when it comes to the Firefox browser. I will not use Firefox for anything that relates to security despite the fact I prefer the way it renders web pages on loading, I prefer the speed at which it loads some web pages (which is not just down to IE being slow, it is down to the amount of ‘bloat ware’ that over time has been hooked onto IE and not cleanly uninstalled over the time that I have used it). The reason I won’t use it is down to the simple fact there are just not enough people using it to find the potential bugs that must exist.

It has been the natural thing to do for hackers to attack the most popular (for whatever reason), the most used, the most widely available browser on the market. But they are going to get bored at some point. Firefox will gain a significant number of users and then it will be financially viable to begin attacking this browser. Not all security breaches are a test of a hacker’s skill, some are downright malicious attempts to defraud the user in the long term. At present there are not enough users of Firefox compared to IE to warrant resources being applied. That and the fact that those who are competent enough to know how to install a new browser, those who are competent enough to understand the problems with IE are not those people who are the targets of said malicious attempts to defraud. But it must be said that without Firefox and the other browsers available, there would not be the incentive for the big operators to look for the bugs, to fix the holes that are found, or to provide the competition that creates enhancement and advancement in functionality. So don’t get me wrong, I am not knocking anything or anybody. I just can’t stand the knockers for the sake of knocking brigade.

So take this as a warning, there are holes in Firefox, there will be more holes found in Firefox as there will be in all software, forever. It’s life. You can knock IE as much as you like, but I know which one I would prefer to make my online purchases with.