Silicon in my Blood

Because proof-of-concept code has been leaked -- as were the vulnerabilities -- before a patch was ready, Mozilla recommended that Firefox users either disable JavaScript or lock down the browser so it doesn't install additional software, such as extensions" or themes, from Web sites.

The vulnerabilities were discovered by a pair of security researchers, who had notified Mozilla earlier in the month, but were keeping mum until a patch was written. However, details of the vulnerabilities were leaked by someone close to one of the researchers.

According to Danish security vendor Secunia, which tagged the bugs with a highest "extremely critical" warning -- the first time it's used that to describe a Firefox flaw -- a hacker can trick the browser into thinking a download is coming from one of the by-default sites permitted to install software automatically: addons.mozilla.org or update.mozilla.org.

"Changes to the Mozilla Update web service have been made to mitigate the risk of an exploit," the Foundation announced on its security site Sunday. Specifically, Mozilla re-pointed the two update sites to a new URL, and instructed users not to add that new site to their list of Allowed Sites. The change, however, only defends against the current proof-of-concept that's circulating, not the vulnerabilities themselves.

While that reduced the risk of an immediate attack, Mozilla doesn't have control over the numerous sites that users might have added to their Allow, or whitelist, list. Popular plug-ins, called "extensions" by Firefox, could also be the root of attacks, since users must give an extension site installation permission. To close all possible doors, Mozilla recommended that users either disable JavaScript or turn off installation from Web sites. To disable Web site software installs, users can select Tools/Options/Preferences in Firefox 1.0.3, the current edition. Users can still install extensions or user interface themes manually by first downloading the file, then running them from Firefox's File menu.

A security update -- which will be dubbed Firefox 1.0.4 -- will be issued as soon as possible. "Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update," the organization's security alert continued.

While the leaked information included proof-of-concept code that demonstrated how a malicious site could run code of the attacker's choice and install it on machines using Firefox, Mozilla discounted the risk. "There are currently no known active exploits of these vulnerabilities," it said Sunday. The release of Firefox 1.0.4 would be the fourth security update to the browser since the beginning of the year. Others appeared in late February, late March, and mid-April. In that time, Microsoft has released two patches for its Internet Explorer browser.

Techweb