Two critical holes in Firefox plugged
With versions 2.0.0.16 and 3.0.1, the developers plug two security holes in Firefox that they categorised as critical. These versions will be offered soon via the built-in update mechanism and will also show up on the download sites.
One of the holes is based on the behaviour that several URLs separated by the pipe symbol can be passed to Firefox when it starts up and are then opened in different tabs.
firefox 'http://heisec.de|ix.de'
This can be exploited to circumvent security features that prevent access to special URIs, such as chrome:. That means, for instance, that scripts could end up having complete access to the system. The workaround that the developers offered seemed almost tongue-in-cheek. Since the attack will only succeed when Firefox is starting up, their recommendation is, "Using Firefox ... prevents attack".
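The pipe-splitting behaviour described above, as an added illustration that is not Firefox's code and does not claim to reproduce the exact cause Mozilla documented: a naive check that validates a command-line argument as a whole before it is split into several URLs, next to a version that validates each URL individually after splitting. The chrome:// entry in the sample argument and the allowed-scheme set are constructed for this example.

```python
from urllib.parse import urlsplit

# Schemes that may be opened from an untrusted command-line argument
# (constructed allow-list for this example).
ALLOWED_SCHEMES = {"http", "https"}


def split_urls(arg):
    """Split a pipe-separated argument into individual URL strings
    (assumed behaviour, modelled on the article's description)."""
    return [part.strip() for part in arg.split("|") if part.strip()]


def normalise(url):
    """Treat a scheme-less entry such as 'ix.de' as an http URL."""
    return url if urlsplit(url).scheme else "http://" + url


def naive_open(arg):
    """Flawed variant: checks the scheme of the whole argument once,
    then splits it. Any URL after the first pipe is never checked."""
    if urlsplit(arg).scheme.lower() not in ALLOWED_SCHEMES:
        return []
    return [normalise(u) for u in split_urls(arg)]


def hardened_open(arg):
    """Hardened variant: split first, then apply the scheme allow-list
    to every resulting URL. Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for url in (normalise(u) for u in split_urls(arg)):
        if urlsplit(url).scheme.lower() in ALLOWED_SCHEMES:
            accepted.append(url)
        else:
            rejected.append(url)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample argument: a normal site followed by a privileged URI.
    sample = "http://heisec.de|ix.de|chrome://browser/content/"
    print("naive   :", naive_open(sample))
    print("hardened:", hardened_open(sample))
```

The point of the comparison is the ordering of validation and splitting: a check that runs once over the raw argument sees only the leading `http:` and lets everything after the pipe through, whereas per-URL validation after splitting rejects the privileged entry.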
The other hole is related to a possible buffer overflow in a reference counter for CSS objects. This is likely the same problem reported nearly a month ago – under certain circumstances it can be used to inject and execute code. This problem also affects the Thunderbird mail client. But it is only effective in that program when the user activates JavaScript execution. JavaScript is switched off by default and even without this vulnerability, activation is unwise, since it leaves the door wide open to abuse.
See also:
- Firefox 2.0.0.16 release notes
- Security advisories for Firefox 3.0
- Remote code execution by overflowing CSS reference counter, Mozilla security announcement
- Command-line URLs launch multiple tabs when Firefox not running, Mozilla security announcement
(trk)