
Firefox Exploit

  • 09-05-2005 6:22am
    #1
    Registered Users Posts: 21,264 ✭✭✭✭


    Just a heads up for anyone who doesn't read MozillaZine. There currently exists an exploit in Firefox. A fix is in progress (and the Mozilla website has been changed to mitigate the exploit).

    Anyway, the quick and short of it is: if you are worried, disable JavaScript until the next patch. In the Tools->Options menu, select Web Features and then switch off JavaScript.

    The exploit requires that you whitelist the site in question that wants to install the exploit.

    http://www.mozillazine.org/
    http://secunia.com/advisories/15292/

    Another (probably better) solution is to switch off the ability for websites to install software on your machine, and blank the whitelist (overkill).


Comments

  • Registered Users Posts: 1,184 ✭✭✭causal


    Just to make this easy if you're not too familiar with Firefox (like me)

    Navigate to: Tools > Options > Web Features

    Personally, I have unchecked (i.e. disabled):
    - Allow websites to install software
    - Enable Java
    - Enable Javascript

    causal


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Java is not the same as Javascript (the fact that people think it is, and still spread this disinformation makes me weep sometimes), you won't need to disable that.


  • Registered Users Posts: 1,184 ✭✭✭causal


    aidan_walsh wrote:
    Java is not the same as Javascript (the fact that people think it is, and still spread this disinformation makes me weep sometimes), you won't need to disable that.

    I never said nor implied that Java was Javascript :mad:
    I disabled Java because it can be used to get your internal IP address.

    causal


  • Registered Users Posts: 4,573 ✭✭✭Infini


    Here as well.
    http://informationweek.com/story/showArticle.jhtml?articleID=163100338
    Also, you can disable the "allow websites to install plugins" feature in the Web Features section. Wouldn't that help?


  • Registered Users Posts: 1,184 ✭✭✭causal


    To see why you should consider disabling Java in your browser:

    Go here http://www.auditmypc.com/whats-my-ip.asp
    - try it with Java enabled
    - then try it with Java disabled

    Note that certain browser functions won't work when you disable the items I described in my earlier post.

    causal


  • Registered Users Posts: 1,865 ✭✭✭Syth


    Firefox doesn't let the user install stuff unless they explicitly allow a site to install software. I don't know if it's possible to allow any site to install software (maybe using wildcards in the 'allowed sites' field), but then again you'd have to go out of your way to do it. My worry level is low.


  • Closed Accounts Posts: 731 ✭✭✭jman0


    Syth wrote:
    Firefox doesn't let the user install stuff unless they explicitly allow a site to install software. I don't know if it's possible to allow any site to install software (maybe using wildcards in the 'allowed sites' field), but then again you'd have to go out of your way to do it. My worry level is low.

    You should read about the security hole

    "According to MozillaZine an independent Mozilla news, community and advocacy site. The second flaw is more serious and involves the software installation dialogue, which is used to ask the user if they wish to install software (such as an extension) from a website.

    “In Mozilla Firefox (but not the Mozilla Application Suite), this dialogue can include an icon, which is supplied by the site as a URL to an image file. Due to insufficient checking, this icon URL can actually be a piece of JavaScript code, which is run with no further prompting. As this code actually runs from the software installation dialogue, rather than a webpage, it is executed with 'full chrome privileges', meaning that it can do anything that the user running Firefox can, including installing software or deleting files. This is the more serious flaw, allowing arbitrary software execution, and only affects Mozilla Firefox. It can be prevented by disabling software installation"
    http://www.pocket-lint.co.uk/news.php?newsId=1196
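
The flaw quoted above comes down to the install dialogue loading a site-supplied icon URL without checking what kind of URL it is. As an added illustration (not part of the thread and not Mozilla's actual patch), a scheme allowlist for that field could look like this; the function names, the sample requests and the `addons.example` host are constructed for the example.

```javascript
// Added example (not Mozilla's patch): scheme allowlist for a site-supplied
// install-dialogue icon URL. All names and sample values are constructed.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// pageUrl is the page requesting the install; relative icons resolve against it.
function checkIconUrl(iconUrl, pageUrl) {
  if (typeof iconUrl !== "string" || iconUrl.trim() === "") {
    return { ok: false, reason: "missing icon URL" };
  }
  let parsed;
  try {
    // The WHATWG URL parser lowercases the scheme and drops leading spaces
    // and embedded tabs/newlines, so obfuscated spellings normalise first.
    parsed = new URL(iconUrl, pageUrl);
  } catch (err) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme not allowed: " + parsed.protocol };
  }
  return { ok: true, reason: "ok", url: parsed.href };
}

// Constructed install requests, as a page might hand them to the dialogue.
const sampleRequests = [
  { name: "plain https icon", icon: "https://addons.example/icons/ext.png" },
  { name: "relative icon", icon: "icons/ext.png" },
  { name: "script URL", icon: "javascript:void(0)" },
  { name: "mixed-case scheme", icon: "JaVaScRiPt:void(0)" },
  { name: "leading whitespace", icon: "  javascript:void(0)" },
  { name: "embedded tab", icon: "java\tscript:void(0)" },
  { name: "data URL", icon: "data:image/png;base64,AAAA" },
];

// Returns the names of requests whose icon must not be loaded.
function rejectedRequests(requests, pageUrl) {
  return requests
    .filter((r) => !checkIconUrl(r.icon, pageUrl).ok)
    .map((r) => r.name);
}

console.log(rejectedRequests(sampleRequests, "https://addons.example/list/"));
```

Checking the parsed scheme rather than searching the raw string for "javascript:" is what catches the mixed-case, padded and tab-split variants.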


  • Registered Users Posts: 1,865 ✭✭✭Syth


    Oh my bad. Wow, pretty impressive exploit.

