Mozilla Foundation Reply To The Latest Security Concerns

The advisory explains that a successful attack involves exploiting two flaws: one involves tricking Firefox into thinking a software installation is being triggered by a whitelisted site, while the other relies on the software installation trigger not sufficiently checking icon URLs containing JavaScript code. The Secunia advisory suggests disabling JavaScript as a workaround; however, simply disabling software installation (Web Features panel of the Options/Preferences window in Firefox 1.0.3 or the Content panel in the latest trunk builds) eliminates the problem. We understand that a change made to Mozilla Update has made the vulnerability effectively unexploitable if you only have update.mozilla.org and addons.mozilla.org in your software installation whitelist (accessible from the Web Features or Content panel in the Options/Preferences window), which is the default setting.

The vulnerability was discovered by Paul of Greyhats Security Group and Michael "mikx" Krax. Paul has written a detailed technical explanation of how the exploit works. On a specially crafted page, the attacker first uses frames and a JavaScript history flaw to make it appear that a software installation is being triggered from addons.update.mozilla.org, one of the few sites allowed to install software by default. With this hurdle out of the way, the attacker can attempt to do some real damage. One of the parameters passed to the software installation method is an icon URL, which can be a piece of JavaScript code. As this JavaScript is executed from the chrome (the browser user interface rather than a Web page), it has 'full chrome privileges' and can do anything that the user running Firefox can. The attacker can therefore pass in some malicious JavaScript and run arbitrary code on the victim's system.

The vulnerability requires the attacker to trigger an install that appears to come from a whitelisted site. Fortunately, the Mozilla Foundation controls all of the sites in the default software installation whitelist, which has allowed them to take some preventative action by placing more checks in the server-side Mozilla Update code and moving the update site to another domain. We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk.
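The two checks the article describes as missing, modelled as an added example (not Firefox's or MozillaZine's code): an exact-origin whitelist check for the page triggering the install, and a scheme check on the icon URL so that anything the browser would execute as script is rejected. The whitelist contents and all function names are assumptions for illustration.

```javascript
// Added example, not Firefox's code: a model of the two checks the article
// says the install trigger lacked. Names and the whitelist are hypothetical.

// Constructed to mirror the article's default whitelist; matching is on the
// full origin (scheme + host + port), never on a substring of the host.
const INSTALL_WHITELIST = new Set([
  "https://update.mozilla.org",
  "https://addons.mozilla.org",
]);

// True only if the page requesting the install is exactly a whitelisted
// origin. Origin comparison defeats lookalike hosts such as
// addons.mozilla.org.example.net and unparsable or relative URLs.
function isWhitelistedOrigin(requestingUrl) {
  let parsed;
  try {
    parsed = new URL(requestingUrl); // WHATWG URL parser (global in Node)
  } catch (e) {
    return false;
  }
  return INSTALL_WHITELIST.has(parsed.origin);
}

// True only if the icon URL is a plain http(s) resource. The parser lowercases
// the scheme and strips leading control characters and whitespace, so
// variants like " JavaScript:" still normalise to javascript: and are refused,
// as are data: and other non-fetchable schemes.
function isSafeIconUrl(iconUrl) {
  let parsed;
  try {
    parsed = new URL(iconUrl);
  } catch (e) {
    return false;
  }
  return parsed.protocol === "http:" || parsed.protocol === "https:";
}

// Both checks must pass before any install dialog is shown.
function shouldAllowInstall(requestingUrl, iconUrl) {
  return isWhitelistedOrigin(requestingUrl) && isSafeIconUrl(iconUrl);
}
```

The whitelist here is the only state the checks depend on, so the same functions can be reused for a user-extended whitelist by adding origins to the set.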

Paul and mikx reported the vulnerability to the Mozilla Foundation and bug 292691 was filed on Monday 2nd May. In line with the Mozilla security bugs policy, access to the bug report was restricted to members of the security team. However, somebody else found out and leaked the details of the exploit. The French Security Incident Response Team (FrSIRT) was one of the first security companies to publish an advisory based on the leaked information. In a message to the Full Disclosure mailing list, Paul criticised the individual who leaked the details of the Firefox code execution exploit, condemning his or her actions as "inconsiderate" and "irresponsible". Since the exploit became public knowledge, several duplicate bug reports have been filed, including bug 293302.

We anticipate that the Mozilla Foundation will release a Firefox 1.0.4 update shortly.

mozillazine.org