Web kiloseven.blogspot.com
www.arrl.org www.eham.net

2005-05-08

[Infosec] Fix Your Firefox - New Weakness Requires Changing Configuration

FSIRT (the French Security Incident Response Team) has announced a critical 0-day vulnerability in Firefox 1.0.3, and published working exploit code.

This exploit allows an attacker to execute random code. If a user visits a malicious page and clicks anywhere on the page, the exploit code can create and execute a malicious batch or .exe file that contains code of the attacker's choosing. Mozilla has not yet released a final patch, but they do have a workaround and an interim patch available.

Until the patch is released, you can avoid the problem by clicking on Tools | Options | Web Features and disabling "Allow web sites to install software". Obviously, that's a good idea anyway. It would also be a good idea to disable Javascript for routine browsing.

Linux systems do not appear to be vulnerable to this exploit, because merely using an executable filename extension such as .bat or .exe does not make a file executable under Linux. So, although the exploit code can still write a batch or .exe file with malicious code, that code cannot execute.

RBT
--
Robert Bruce Thompson
Author, O'Reilly's PC HARDWARE IN A NUTSHELL and BUILDING THE PERFECT PC, among others.