The Mozilla Foundation has moved quickly to patch three critical issues in its browsers that were discovered just last weekend.
FireFox 1.0.4 and Mozilla 1.7.8 were released today to patch vulnerabilities that could have allowed malicious users to execute arbitrary code.
Mozilla Foundation Security Advisory 2005-43 describes one of the flaws as “Wrapped javascript: urls bypass security checks.” Security checks that were part of the Mozilla browser that were intented to prevent unknown script injection could actually be bypassed allowing a hacker to executive arbitrary code or even for a cross-site scripting attack.
Mozilla Foundation Security Advisory 2005-41 and Mozilla Foundation Security Advisory 2005-44 are described as privilege escalation attacks via DOM and non-DOM property overrides. These flaws allowed a malicious user to steal data or install arbitrary code simply by have a user open a context menu or open a link. A privileged “chrome” user interface code was blamed as the cause.
In the updated browser versions, Mozilla said it has added additional checks to make sure that script objects and javascripts objects” are run with the privileges of the context that created them, not the potentially elevated privilege of the context calling them.”
The Greyhats Security Group first exposed the flaws over the weekend. The Greyhats noted that an attacker could utilize the flaws to make it appear that a software installation is being triggered from add-ons.update.mozilla.org.
“A proof of concept of the vulnerabilities was reported last weekend (Mother’s Day weekend) and Mozilla immediately took action to prevent active exploits via changes made to the Mozilla Update web service,” a Mozilla posting said. “We also posted a work around so users can further protect themselves by temporarily disabling automatic install from a Web site.”
The development has caught some attention in the blogosphere thanks to a post about the security issue from a blogger for Microsoft — itself no stranger to security problems and patches.
In a recent post, Dean Hachamovitch, Internet Explorer’s IE Product Unit Manager, wrote that browser security is an industry problem — in a bid to adjust the script usually that casts the issue as Microsoft vs. Mozilla, or us versus them.
“It’s not limited or unique to operating systems or applications, or client or server software, Hachamovitch wrote of the security theme. “It’s not limited or unique to commercial software or open source.
“The only us versus them distinction I want to make around security is to put responsible software developers, security researchers, and customers together as ‘us’ and malicious (whether it’s intentionally or not) software developers, security researchers, and their customers together as ‘them.'”
The IE blog comments were in contrast with less than conciliatory comments in March by IE developer Dave Massy.
At the time, Massy’s comments were a rebuttal to earlier comments made by Mozilla Foundation President Mitchell Baker, who claimed Mozilla would always be more secure than IE because Microsoft’s browser is too tightly wound into the Windows operating system.
Microsoft’s dominant IE browser has traditionally been the principal target of hackers to expose a seemingly unending string of vulnerabilities. Given the chance to gloat over a competitor’s similar security issues, IE’s developers, in this case at least, apparently chose to pass.
The 1.0.4 FireFox update is the fourth time that the upstart open source browser has had to update this year due to publicly disclosed
vulnerabilities.
The 1.0.3 version released in mid-April fixed Javascript flaws that were first exposed by a Russian security researcher. In March, version 1.0.3 was released, which patched three known vulnerabilities. In February the 1.0.1 version was issued to spoofing and phishing issues.
