All the latest UK technology news, reviews and analysis
|
|
|
03 Oct 2006
Security experts have warned of a potentially serious flaw in the way that Mozilla's Firefox browser handles JavaScript.
Two independent researchers outlined the vulnerability in a presentation over the weekend at the ToorCon hacker conference.
The pair claimed that the vulnerability could allow attackers to take control of a system through a specially crafted web page.
Mozilla security chief Window Snyder said in a blog posting on the Mozilla developer site that it is possible to force browser crashes using the vulnerability.
Snyder did not confirm that the flaw could be exploited to allow remote code execution.
The vulnerability affects the 'chrome context' component of Firefox, according to Eric Sites, vice president of research and development at security vendor Sunbelt Software.
"Chrome context provides certain trusted code such as JavaScript with full access to Firefox's resources," Sites told vnunet.com.
"If a script gets into that chrome context, then it's just like you copied that script to your computer and ran it with no restrictions whatsoever."
Although there are no known exploits of the vulnerability, Sites warned that the flaw could be included in the WebAttacker toolkit which provides malware authors with an automated tool to craft new worms and viruses.
"We have already seen [WebAttacker] JavaScript exploits targeted at Firefox, so I am sure these guys will be picking up these scripts and implementing them in WebAttacker pretty quickly," he said.
Sites compared the impact of the Firefox vulnerability to the ActiveX software zero-day exploits that hit Microsoft's Internet Explorer in the past week.
In two separate incidents, attackers used an unpatched vulnerability in Explorer to execute arbitrary code. Microsoft rushed out a patch for the VML flaws last week, but the ActiveX flaw remains unpatched.
The open source status of Firefox allows its developer community to quickly create a patch once a solution has been found, but Sites warned that the vulnerability is still "pretty dangerous" to users.
"One thing that Mozilla has going for it is an interesting framework that allows for sending out updates very quickly," he said.
Latest stories from Security
Related articles
Related jobs
Poll
What is the most important IT priority for your company this year?
Hands on with the highly anticipated Android 4.0 Ice Cream Sandwich hybrid tablet
Connect with V3.co.uk
This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes
Why good data management at all levels is essential in the modern business (video, 6mins)
Java / J2EE analyst programmer with experience of building...
Crystal Reports Developer London or Dublin £340 per day...
Our client is a major Broadcasting company seeking a...
Support Engineer required to work for leading Online...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
Security Issues Rise Again...
Here is what I find curious, and so much so that few if any know of a recent think tank formed on the east coast that has plans to track the next outbreak of software and hardware viral attacks. It was noticed back in the recent days of the m_blaster worm that tech sales were in a terrible slump, much as they are as of this day and the writing of this story, and what a better way to spur sales of hard items than to have them mysteriously debilitated by some eronious viral attack. Well, not this time, as there are some that have set up on the sidelines and are anxiosly awaiting the next outbreak, becuase while the technology community are very good indeed at what they do, the intelligence community is even more in tune, and anonmity is afforded programmers only to a degree.
Posted by: A.L. McLaughlin 03 Oct 2006