Two Firefox Vulnerabilities Found

Mozilla recommends that its users temporarily disable JavaScript in the browser until a fix is released.

More details of the two potential vulnerabilities in the Firefox browser emerged yesterday.

The first exploit targets the browser's javascript:url function. It could be used to go back to a site previously visited in the browser and, once there, to steal cookies or other personal data.

This exploit affects Firefox and the Mozilla suite.

The other problem focuses on exploiting the browser's automated install function. The default setting allows the browser to ask the user to confirm an install, but only when the request comes from the default Mozilla site.

An attacker could use a javascript:url as the package icon from any malicious site. This would cause the confirmation dialog box to appear, and a careless user who allows the install to go forward would be affected by whatever code is in the package.

The Mozilla Foundation has updated its servers to protect against the install exploit. They advise users to "Remove All Sites" from the "Allow web sites to install software" portion of Allowed Sites.

JavaScript should be disabled in both Firefox and the Mozilla suite until fixed versions of the browsers become available.

David Utter is a staff writer for WebProNews covering technology and business.
