JavaScript flaw threatens Firefox

Unpatched vulnerability could allow remote code execution

Shaun Nichols in California, vnunet.com 03 Oct 2006
Security experts have warned of a potentially serious flaw in the way that Mozilla's Firefox browser handles JavaScript.

Two independent researchers outlined the vulnerability in a presentation over the weekend at the ToorCon hacker conference.

The pair claimed that the vulnerability could allow attackers to take control of a system through a specially crafted web page.

Mozilla security chief Window Snyder said in a blog posting on the Mozilla developer site that it is possible to force browser crashes using the vulnerability.

Snyder did not confirm that the flaw could be exploited to allow remote code execution.

The vulnerability affects the 'chrome context' component of Firefox, according to Eric Sites, vice president of research and development at security vendor Sunbelt Software.

"Chrome context provides certain trusted code such as JavaScript with full access to Firefox's resources," Sites told vnunet.com.

"If a script gets into that chrome context, then it's just like you copied that script to your computer and ran it with no restrictions whatsoever."

Although there are no known exploits of the vulnerability, Sites warned that the flaw could be included in the WebAttacker toolkit which provides malware authors with an automated tool to craft new worms and viruses.

"We have already seen [WebAttacker] JavaScript exploits targeted at Firefox, so I am sure these guys will be picking up these scripts and implementing them in WebAttacker pretty quickly," he said.

Sites compared the impact of the Firefox vulnerability to the ActiveX software zero-day exploits that hit Microsoft's Internet Explorer in the past week.

In two separate incidents, attackers used an unpatched vulnerability in Explorer to execute arbitrary code. Microsoft rushed out a patch for the VML flaws last week, but the ActiveX flaw remains unpatched.

The open source status of Firefox allows its developer community to quickly create a patch once a solution has been found, but Sites warned that the vulnerability is still "pretty dangerous" to users.

"One thing that Mozilla has going for it is an interesting framework that allows for sending out updates very quickly," he said.
