Attack code published for Firefox flaw

A hacker Tuesday published code exploiting a vulnerability found in Mozilla's Firefox 1.5.

A hacker Tuesday published code that exploits a vulnerability found in the latest version of the Mozilla's Firefox browser.

The code, which targets the Firefox 1.5 browser, was posted Tuesday on The Metasploit Project site at http://metasploit.com/archive/framework/msg00857.html by a hacker known as H D Moore. Metasploit is a widely used hacking tool.

Moore said that a hacker by the name of Georgi Guninski reported the flaw to the Mozilla Foundation on Dec. 6 of last year, and that he had simply implemented and posted the technique described by Guninski.

Mozilla published an advisory about the exploit last Wednesday as it released the Firefox 1.5.0.1 browser, which included a patch for the flaw. (http://www.mozilla.org/security/announce/mfsa2006-04.html). According to the advisory, the vulnerability, which had been rated as moderate, causes a corruption in the browser's memory that could be exploitable to run arbitrary code. Specifically, calling the "QueryInterface" method of the built-in Location and Navigator objects of the browser could allow a hacker to take over a Firefox 1.5 user's system by tricking the user into viewing a maliciously encoded Web page.

Hacker Aviv Raff on Tuesday criticized Mozilla on his blog (http://aviv.raffon.net/) for under-rating the flaw. He has blasted the open-source group in the past for downplaying the seriousness of vulnerabilities that have been found in its software.

"My guess is that they are waiting for an exploit in the wild before they are going to rate any exploitable memory corruption vulnerability as 'Critical'," Raff wrote Tuesday.

Chris Beard, vice president of products for Mozilla, said Tuesday that the company was not aware of any known exploits to the flaw when it published the advisory, and so rated the vulnerability as moderate. However, the flaw will now be reclassified as "critical" since there is a possibility for remote code execution, he said.

The only version of the browser that is affected by the flaw is Firefox 1.5; older versions do not appear to be vulnerable, according to Mozilla. Moreover, most Firefox 1.5 users should now have automatically downloaded the software patch, thanks to the built-in automatic updates that Firefox now uses.

Thunderbird 1.5, the latest version of the group's e-mail application, could be vulnerable to the flaw if JavaScript is enabled in mail, Mozilla's advisory also warned. However, JavaScript enablement is not a default setting in Thunderbird, according to Mozilla.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Elizabeth Montalbano

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?