Multiple Mozilla flaws expose personal data

Multiple vulnerabilities that could allow an attacker to install malicious code or steal personal data have been discovered in the Mozilla Suite and the Firefox open source browser.

Details of the nine vulnerabilities were published on Mozilla's security Web site over the weekend.

Ian Latter, senior security consultant at Internet security specialist Pure Hacking, said most of the vulnerabilities are based around the way the applications handle JavaScript.

"There are some permission issues related to running javascript at an escalated privilege level. They remove some of the security measures used to keep javascript sandboxed and allow it to potentially do malicious things to your computer," said Latter.

Latter said another issue could allow malicious scripts to gain access to random pieces of memory.

"This random memory may or may not contain pieces of information about where you have been browsing. The worst case scenario is that it could contain some personal or login information," said Latter.

According to the French Security Incident Response Team (FrSIRT), attackers can potentially run malicious code on a user's system because of a flaw in the Mozilla browser's pop-up blocker.

The FrSIRT advisory said: "When a popup is blocked the user is given the ability to open that one popup... If the popup URL were javascript: selecting 'Show javascript:...' from the infobar or popup blocking status bar icon menus would run the javascript with elevated privileges, which could be used to install malicious software".

Another of the Firefox flaws can be exploited when a user visits a Web page that requires a plug-in that has not already been installed. The FrSIRT advisory claims that if the browser's Plugin Finder Service is used to automatically find an appropriate plugin, the 'manual install' function can be used to "launch arbitrary code capable of stealing local data or installing malicious code".

All versions of Mozilla Suite prior to version 1.7.7 and all versions of Firefox prior to 1.0.3 are vulnerable.

Pure Hacking's Latter advises users to either disable JavaScript or download a patched version from Mozilla's Web site.

Talkback 3 comments

    Anonymous -- 18/04/05

    Firefox is now as vulnerable as Internet Explorer :-(

    these flaws are really critical

    Anonymous -- 19/04/05

    At last the world is starting to realise that firefox is not only no safer, but in fact, more "hackable" than IE.

    Anonymous -- 19/04/05

    > At last the world is starting to realise that firefox is not only no safer, but in fact, more "hackable" than IE.

    Actually, IE is not "hackable" at all (unless you work for Microsoft). The source code for it is not available to the general public. So, you are correct on that point - FF is definitely more "hackable".

    As for "safer", don't fool yourself with fancy words. Security is a process, not a solution. One has to apply security measures constantly, as new ways of cracking software (bar things like qmail, which have never been penetrated) are found daily. This latest release of FF shows that. Fortunately, white hats have once again been faster than the black hats. Who knows, maybe it even has something to do with open source...

    The main problem remains the same, however. Microsoft aren't interested in security. They are interested in money out of your pocket for the new version of Windows, Office and whatever else. They only work on security related issues because they have to (bad press and some such). Otherwise, how many testers and programmers can $40G+ in the bank buy to fix IE? Lots. And yet, they have no intention of actually fixing design and implementation shortcomings of that browser.

    It is a shame that a handful of hackers that do FF have a better security record than Microsoft. By any measure, IE should be a much better tool than FF.
