Mozilla Corrects Three Vulnerabilities in Firefox 2.0.0.10

Severity: Medium

27 November, 2007

Summary:

Late yesterday, the Mozilla Foundation released an update fixing three security vulnerabilities in Firefox 2.0.0.x, for Windows, Linux, and Macintosh. If one of your Firefox users visits a malicious web page, an attacker could potentially exploit the worst of these vulnerabilities to execute code on your user’s computer, with your user’s privileges. In the worst case, the attacker could gain complete control of the computer. If you run Firefox on any platform, you should download and deploy version 2.0.0.10 at your earliest convenience.

Exposure:

Yesterday, the Mozilla Foundation released Firefox 2.0.0.10, fixing three security vulnerabilities in the popular web browser. We summarize the vulnerabilities below:

  • Three memory corruption vulnerabilities (2007-38). Firefox suffers from three unspecified crash bugs, which corrupt memory. Mozilla presumes that with enough effort some of these memory corruption flaws could be exploited to run arbitrary code. To exploit these flaws, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If your user took the bait, the attacker could execute code on that user’s machine, with that user’s privileges. If your user were a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
  • Java archive-handling XSS vulnerability (2007-37). A Java Archive (JAR) file is a package that contains, in one compressed file, all the individual components used to make up a Java applet (similar in concept to a ZIP file). In order to support digitally signed web pages, Firefox supports a special “jar:” URI handler so that Firefox can process JAR signatures that have been packaged in a zip archive. A security researcher named Petko D. Petkov (a.k.a. pdp) discovered a Cross-Site Scripting (XSS) vulnerability within Firefox’s JAR handling feature. By enticing one of your users into clicking a specially crafted link, an attacker could exploit this vulnerability to execute code on your user’s computer with the same trust (privileges and permissions) you have given to another (legitimate) web site. This allows the attacker to do anything from stealing your user’s cookies to executing malicious scripts with elevated privileges. If you’d like more detail on this complex attack, check out pdp’s advisories [1 / 2]. For a more general understanding of XSS attacks, see our article, “Anatomy of a Cross-Site Scripting Attack.”
  • HTTP-referer spoofing vulnerability (2007-39). Gregory Fleischer discovered a race condition vulnerability that allows attackers to spoof the HTTP-Referer header in a web request. Some web sites check the information in HTTP-Referer headers in order to help protect themselves against Cross-site Request Forgery (CSRF). If an attacker can spoof the HTTP-Referer header, he can defeat this protection mechanism.
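
The Referer-only CSRF check described in the last item, shown beside a session-bound token check that does not depend on the header. This is an added example, not code from Mozilla or the original advisory; the host name, session identifier, and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_HOST = "intranet.example"      # constructed site name
SERVER_KEY = secrets.token_bytes(32)   # assumed per-deployment secret


def referer_only_check(headers):
    """Weak: the decision rests entirely on a header the client supplies."""
    return urlsplit(headers.get("Referer", "")).hostname == TRUSTED_HOST


def issue_token(session_id):
    """Token bound to the session, embedded in the site's own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_check(session_id, form):
    """Strong: needs a value that only pages served by the site contain."""
    supplied = form.get("csrf_token", "")
    return hmac.compare_digest(supplied.encode(), issue_token(session_id).encode())


SESSION = "sess-7f3a"  # constructed session identifier

# Constructed requests: one from the site's own form, one cross-site
# request whose Referer header has been spoofed (the 2007-39 scenario).
LEGIT = {
    "headers": {"Referer": "https://intranet.example/transfer"},
    "form": {"amount": "10", "csrf_token": issue_token(SESSION)},
}
FORGED = {
    "headers": {"Referer": "https://intranet.example/transfer"},
    "form": {"amount": "9999"},
}


def evaluate(request):
    """Return (referer_only_result, token_result) for one request."""
    return (referer_only_check(request["headers"]),
            token_check(SESSION, request["form"]))


if __name__ == "__main__":
    print("legit :", evaluate(LEGIT))
    print("forged:", evaluate(FORGED))
```

The forged request passes the Referer-only check and fails the token check, so a site that validates the token is not affected by a spoofed header.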

Solution Path:

Mozilla has updated Firefox, correcting these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 2.0.0.10 as soon as possible. Mozilla no longer supports the 1.5.x branch of Firefox. We recommend that 1.5.x users migrate to 2.0.0.10 now.

Note: The latest versions of Firefox 2.0 automatically inform you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to automatically download and install the update, or to merely inform the user that the update exists.

For All WatchGuard Users:

Some of these attacks arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 2.0.0.10, fixing these security issues.
