Saint_Michael
Jul 13 2007, 02:05 AM
Well it has finally happened and strangely enough I didn't really think about it until now, but it seems a security team found a very high level bug that requires both Internet Explorer 7 and Mozilla Firefox. This is the gist of the bug;
QUOTE The root of the matter is a Firefox uniform resource identifier (URI) that allows Web sites to force Firefox to launch with the "firefoxurl://" URI, Secunia reported. The way in which the URI handler is registered by Firefox causes any parameter to be passed from IE (or another application) to Firefox when the "firefoxurl://" URI is activated.
Due to the implementation of the "chrome" parameter, it is possible to inject code that would be executed within Firefox, said Thomas Kristensen, CTO of Secunia.
"Running JavaScript in 'chrome' context within Firefox is essentially the same as executing arbitrary code and allows an attacker to take any actions on the local system with the same privileges as the active user," Kristensen explained. "Registering a URI handler must be done with care, since Windows does not have any proper way of knowing what kind of input potentially could be dangerous for an application."
Improper use of URI handlers and parameters supplied via URIs has historically caused problems for many vendors, including Microsoft, Apple, Mozilla, certain Linux projects, and Opera. But the blame in this case falls squarely on the shoulders of Firefox, Kristensen insisted. Mozilla has publicly announced it is working on a fix.
Interestingly enough though, this bug affects everyone that has Firefox 2.0.0.2 and up, and right now there is no patch for this bug due to the fact people are still blaming the other side of messing up and all that wonderful junk. So far no evil computer crime lords have used this exploit yet and the only recommendation they have right now is to disable active scripting in the HTML, and that is the only recommendation until the patch is released. Like I mentioned, the blame game was being passed around and of course the Firefox group says it's not FF's fault, even though the bug is coming from their browser, but another problem that arises is that this little tidbit of news was improperly disclosed. Which means the hackers and the crackers will have a field day about this until the patch is released. I'll keep tabs on this and let people know when the patch is supposed to come out. SOURCE Here
Reply
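The quoted Secunia description says the handler registration passes whatever IE hands it straight onto Firefox's command line. The following is an added illustration for this thread, not code from the post, Mozilla or Secunia: it models how Windows re-splits a substituted `%1` into arguments, probes a handler command template for that behaviour, and shows the scheme/character validation a handler should apply before it touches argv. The template string, the probe URI and `win_split_argv` (a simplified model of CommandLineToArgvW) are all constructed assumptions, not the real Firefox registry value.

```python
import re

# Constructed sample of a HKCR\<scheme>\shell\open\command template, modelled
# on the kind of registration the post describes (assumption, not the real value).
# Windows substitutes the whole URI for %1 and the new process then re-splits the
# line into argv, so URI text that looks like an argument boundary becomes an argument.
UNSAFE_TEMPLATE = r'"C:\Program Files\Browser\browser.exe" -url "%1" -requestPending'

def win_split_argv(cmdline):
    """Minimal model of CommandLineToArgvW: whitespace separates arguments unless
    inside double quotes; backslash escaping is ignored for brevity."""
    args, cur, in_quotes, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, have_token = not in_quotes, True
        elif ch in ' \t' and not in_quotes:
            if have_token:
                args.append(''.join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        args.append(''.join(cur))
    return args

def expand_template(template, uri):
    """What the shell does with the registered command: plain substitution, no escaping."""
    return template.replace('%1', uri)

PROBE_MARKER = '-PROBE-MARKER'

def template_leaks_arguments(template):
    """Defensive probe: substitute a URI containing a quote and a marker token. If the
    marker lands in its own argv slot, URI text can become switches and the handler
    itself must validate the URI before using it (quoting %1 alone is not enough)."""
    probe = 'x://host/" ' + PROBE_MARKER + ' "'
    return PROBE_MARKER in win_split_argv(expand_template(template, probe))

# Characters a well-formed URI may contain (RFC 3986 unreserved + reserved + '%').
_URI_OK = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")

def is_safe_handler_uri(uri, scheme):
    """Reject anything a valid URI cannot contain (quotes, whitespace, control
    characters) and anything not using the scheme this handler owns."""
    return uri.lower().startswith(scheme.lower() + '://') and bool(_URI_OK.match(uri))

if __name__ == '__main__':
    good = 'firefoxurl://example.com/page?x=1'
    bad = 'firefoxurl://example.com/" -injected-switch "'   # constructed, inert marker
    print('template leaks arguments:', template_leaks_arguments(UNSAFE_TEMPLATE))
    for uri in (good, bad):
        print(repr(uri), '->', win_split_argv(expand_template(UNSAFE_TEMPLATE, uri)),
              'accepted' if is_safe_handler_uri(uri, 'firefoxurl') else 'rejected')
```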
9block
Jul 13 2007, 02:21 AM
Ohhh snap. That's a big one and seems easy to implement. So basically you're saying it's as easy as coding a firefoxurl:// link into JavaScript code and anyone who enables ActiveX controls could possibly be affected? Wait, so how do you turn off your active scripting. Disable Java and JavaScript?
Reply
Saint_Michael
Jul 13 2007, 02:39 AM
QUOTE(9block @ Jul 12 2007, 10:21 PM) Ohhh snap. That's a big one and seems easy to implement. So basically you're saying it's as easy as coding a firefoxurl:// link into JavaScript code and anyone who enables ActiveX controls could possibly be affected? Wait, so how do you turn off your active scripting. Disable Java and JavaScript?
For your first question the answer is pretty much; as for disabling active scripting, I point you to a couple of sites: IE Here. As for Firefox, disabling Java and JavaScript would be the way to do it; also you can still keep them running, just make sure your computer is up to date, which includes firewalls, security updates, the works.
Reply
jlhaslip
Jul 19 2007, 03:41 AM
Firefox has just issued an update which appears to fix this and several other issues. From the Release Notes, here is what has been fixed in Firefox 2.0.0.5, which automatically updated itself on my machine:
QUOTE Fixed in Firefox 2.0.0.5
MFSA 2007-25 XPCNativeWrapper pollution
MFSA 2007-24 Unauthorized access to wyciwyg:// documents
MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer
MFSA 2007-22 File type confusion due to in name
MFSA 2007-21 Privilege escalation using an event handler attached to an element not in the document
MFSA 2007-20 Frame spoofing while window is loading
MFSA 2007-19 XSS using addEventListener and setTimeout
MFSA 2007-18 Crashes with evidence of memory corruption
I think the problem you discuss is identified in the above list as MFSA 2007-23. In case you didn't receive the update, simply go to the Firefox Download site and the new version should be ready for download from there.
Reply