Critical Flaw Found in Firefox

Firefox has unpatched "extremely critical" security holes and exploit code is already circulating on the Net, security researchers have warned.


The two unpatched flaws in the Mozilla browser could allow an attacker to take control of your system.

A patch is expected shortly, but in the meantime users can protect themselves by switching off JavaScript. In addition, the Mozilla Foundation has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts.

The flaws were confidentially reported to the Foundation on May 2, but by Saturday details had been leaked and were reported by several security organizations, including the French Security Incident Response Team (FrSIRT). Danish security firm Secunia marked the exploit as "extremely critical", its most serious rating, the first time it has given a Firefox flaw this rating.

In recent months Firefox has gained significant market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that the browser is more secure partly because of its relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser.

http://news.yahoo.com/s/pcworld/120756

Oh shit.

I have already had to wipe out the information on my computer once this year inorder to get rid of all the crap..I don't want to have to do it again..

in your browser task bar, you need 1.0.3 for security fixes

Thanks (I feel so stupid when it comes to this crap sometimes).

:/

Just wondering.

Tools---->Options---->Web Features---->Enable/Disable JavaScript

If you agree to installation dialogs that just randomly appear, then I guarantee you have bigger problems than anything Javascript could cause.

most definitely...

Once I actually read the article in full and saw the way this would be exploited... well, they're idiot traps, for the most part. Bad if you fall into one, but as usual e-mail popups probably will end up snaring a lot more people.

Thanks for the advice, though if I hold off I'm going to a) be extra careful, b) patch as soon as I can.

If the user account has admin privileges, you could still be vulnerable to registry edits w/o user knowledge.

(if they are talking about "DSO Exploit")

You can download a patch, and you can set it up to protect your computer: (I think it will work regardless of Firefox):

http://www.nsclean.com/dsostop.html

They need to divert attention from the myriad of holes in their own crap.

If you've already installed the malicious software on Windows, then it can do anything it wants. Why would an attacker try to even use Firefox to do the deed at that point?

That's why actual attacks via Firefox haven't come about. It's like building a Trojan horse, and when the victim accepts it you come out and attack with butter-knives and thumbtacks (Javascript).

"users may be vulnerable if they have added other sites to the whitelist"

So you add a sleazebag site to your installation whitelist and you still want Firefox to protect you from it?

WhatEVER.

You're not vulnerable as long as you haven't added sites to the Allow web sites to install software option

To get there click Tools -> Options -> and look at the Allowed Sites for software installs. Mine only has update.mozilla.org which they supposedly patched.

Goes to show you there are going to be flaws in every software package. The more popular it is... the more people try to hack it.

Makes you feel safe with e-voting huh?

Will it prevent this problem?

And also make sure you don't add any sites to your whitelist for installation. If you don't have any whitelisted sites, everysite that tries to install something has to ask first. Only an idiot would say yes to a random installer.

I'll bet 10 brownie points Mozilla fixes it by the end of the week.

Nor does it detect any problems. :-(

to fix this problem.