| By Security News Desk | Article Rating: |
|
| May 9, 2005 03:00 PM EDT | Reads: |
13,889 |
A security flaw that allows a malicious site to execute arbitrary code on a user's system has been discovered in Mozilla Firefox, Mozilla has reported. It appears to be the first "Extremely Critical" Firefox flaw logged by Secunia, Mozilla says.
The advisory explains that a successful attack involves exploiting two flaws: one involves tricking Firefox into thinking a software installation is being triggered by a whitelisted site, while the other relies on the software installation trigger not sufficiently checking icon URLs containing JavaScript code. The Secunia advisory suggests disabling JavaScript as a workaround; however, simply disabling software installation (Web Features panel of the Options/Preferences window in Firefox 1.0.3 or the Content panel in the latest trunk builds) eliminates the problem.
As the story was posted, Mozilla had not yet issued a patch. The only workaround it recommends is to disable Javascript.
If there's schadenfreude in Redmond, then there are big smiles. Firefox has been slowly eating away at Microsoft IE's market share, due in large part to its reputation as a safe browser not susceptible to the security flaws routinely found in Microsoft's dominant program.
Initial feedback at Mozilla's website was mixed. Where one poster pronounced himself "extremely disappointed," another said that "the press will hype up any security issue, (and) not necessarily in proportion to the severity and impact of it." With more than 50 million downloads of Firefox claimed by Mozilla, it's not doubtful that the browser becomes a more tempting target for bad guys and a better-debugged program by dint of the sheer mass of the increasing number of people who use it.
Published May 9, 2005 Reads 13,889
Copyright © 2005 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
More Stories By Security News Desk
SYS-CON's Security News desk trawls the world of security for news of software, hardware, products, and services that seems likely to be of interest to infosec professionals and summarizes them for easy assimilation by busy IT managers and staff.
![]() |
Jason in Quesnel 05/14/05 12:27:34 AM EDT | |||
I think it's funny that the first "extremely critical" security flaw is related to a feature invented by Microsoft -- a feature that I turned off immediately upon installing Firefox. Seriously, if you turn on a feature like this, you might as well put a sign on your butt that says "Kick me" and bend over. |
||||
![]() |
Seairth Jacobs 05/12/05 10:09:00 AM EDT | |||
Version 1.0.4 is already out and addresses all of those issues. (http://www.getfirefox.com) |
||||
May. 16, 2018 02:15 PM EDT |
By Yeshim Deniz May. 16, 2018 01:15 PM EDT |
By Liz McMillan The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...May. 16, 2018 12:45 PM EDT Reads: 10,764 |
By Yeshim Deniz May. 16, 2018 12:30 PM EDT Reads: 3,183 |
By Elizabeth White May. 16, 2018 11:45 AM EDT Reads: 2,805 |
By Pat Romanski May. 16, 2018 11:30 AM EDT Reads: 2,941 |
By Yeshim Deniz May. 16, 2018 11:15 AM EDT Reads: 2,525 |
By Liz McMillan May. 16, 2018 11:00 AM EDT Reads: 2,733 |
By Liz McMillan May. 16, 2018 10:30 AM EDT Reads: 2,838 |
By Pat Romanski May. 16, 2018 10:15 AM EDT Reads: 2,460 |



The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...






























