Recently discovered “zero-day” exploit code that takes advantage of two vulnerabilities could mean serious trouble for Mozilla Firefox 1.0.3 users, and, to a lesser extent, Mozilla Suite users. Yesterday, Mozilla.org issued an advisory explaining the vulnerabilities and what measures to take to work around them.
In Mozilla Foundation Security Advisory 2005-42, Mozilla.org explains that the exploit could make use of javascript: url code to navigate back to a previously visited page — an online store order form with credit card information, an online banking account management page, etc. — to steal cookies, data, or even to “perform actions on behalf of the user.” This exploit affects both Mozilla Firefox 1.0.3 and Mozilla Suite.
Additionally, another javascript: url exploit takes advantage of Mozilla Firefox 1.0.3’s install dialogue, tricking Firefox into believing a malicious site is a whitelisted site, and giving an attacker the ability to install software.
According to Whitedust Security Portal, the exploit code can be adapted to threaten Mac OS and Linux OS users.
In its advisory, Mozilla.org recommends the following actions until an update is released:
Mozilla Firefox 1.0.3 and Mozilla Suite users should disable javascript
Mozilla Firefox 1.0.3 should remove all “Allowed sites” under the “Allow web sites to install software” option.
Read the original post here
You see, all those MS bashers out there who think they are so superior using their Firefox browsers (and I use Firefox, Opera or IE depending on what day of the week it is, not because it is the ‘in thing’ just to not be an IE basher!).
99% of them will say that the vulnerabilities discovered are some secret plot by Microsoft to undermine Firefox as a legitimate alternative no doubt. It is just a fact of life. If 99% of people drive a top of the range Jaguar, there are an awful lot of people who are going to find faults with it. It’s the law of testing. You can never test 100% coverage, because for everything that you do think of testing, there is always the chance of their being some angle you don’t consider, (and can’t because the number of possibilities out there are huge). If you are the 1% of people out there who drive the new car on the block, whether it just be a free alternative or just a cheaper alternative, you are fewer in number which is fact. This means that there are fewer of you to perform the testing, you are more likely to be protective of your ‘alternative’ and less likely to complain about the lack of this feature, or the lack of that ability, because you have the cheaper, less costly alternative. You also less likely to catch the problems that inherently must exist within the product.
I have long warned of complacency when it comes to the Firefox browser. I will not use Firefox for anything that relates to security despite the fact I prefer the way it renders web pages on loading, I prefer the speed at which it loads some web pages, (which is not just down to IE being slow, it is down to the amount of ‘bloat ware’ that overtime has been hooked onto IE and not cleanly uninstalled over the time that I have used it. The reason I won’t use it is down to the simple fact there are just not enough people using it to find the potential bugs that must exist.
It has been the natural thing to do for hackers to attack the most popular (for whatever reason), the most used, the most widely available browser on the market. But they are going to get bored at some point. Firefox will gain a significant number of users and then it will be financially viable to begin attacking this browser. Not all security breaches are a test of a hackers skill, some are down right malicious attempts to defraud the user in the long term. At present there are not enough users of Firefox compared to IE to warrant resources being applied. That and the fact that those you are competent enough to know how to install a new browser, those who are competent enough to understand the problems with IE are not those people who are the targets of said malicious attempts to defraud. But it must be said that without Firefox and the other browsers available, there would not be the incentive for the big operators to look for the bugs, to fix the holes that are found, or to provide the competition that creates enhancement and advancement in functionality. So don’t get me wrong, I am not knocking anything or anybody. I just can’t stand the knockers for the sake of knocking brigade.
So take this as a warning, there are holes in Firefox, there will be more holes found in Firefox as there will be in all Software, forever. It’s life. You can knock IE as much as you like, but I know which one I would prefer to make my online purchases with.
I actually like Firefox – except it could never remember the passwords I imported from Netscape. I like the “tabbed browsing”. But as it fails to remember passwords, (even after trying all the sipposed “fixes” going around) – it’s now in the bin – and back to Netscape 7.2. (Not the beta Netscape 8 is it? There are no skins for it except the vulgar space age thing it comes dressed in)
I’m a big fan of Firefox just because it seems to be one of the better standards compliant browsers out there.
I just hate the MS Bashers who bash IE just because it is the ‘in thing’ to do, without realising what they are exposing their system to.
There are not as many ‘known’ vulnerabilities in Firefox as there are in IE, but thats because people have concentrated their efforts on IE. A lot of IE vulnerabilities are published to discredit MS. It is the serious ones that are not disclosed that concerns me, as these are the ones that the most dangerous when it comes down to security of my system and personal data.
Firefox for viewing web pages, IE for anything security wise, that is what I tend to do at the moment.
And I do like the tabbed concept as well. Apparently, that will be introduced in IE 7 for some reason. This is what having a serious competitor in the browser market does and should do. It will cause them to consistenly improve with any luck. Before the demise of Netscape as it was, it was my only browser of choice.