ZDNet UK

CNET NETWORKS UK BUSINESS SITES:
atlarge.com
BNET UK
silicon.com
SmartPlanet.com
ZDNet.co.uk

ZDNet.co.uk - Winner of Best Business Website 2007

You are here: ZDNet.co.uk > News > Security

Security threats Toolkit

Think vulnerabilities only happen in IE? Think again

John McCormick CNET News.com

Published: 12 Apr 2005 13:35 BST

New vulnerabilities are haunting Mozilla, Firefox, and Netscape browsers, while different threats have surfaced in Outlook and Internet Explorer. Meanwhile, IM and P2P threats surge.

Details
Secunia has reported, and Mozilla has confirmed, an information disclosure vulnerability in the Firefox browser — including the latest update (version 1.0.2), which is only a few weeks old (released March 21). In fact, troubles for the increasingly popular browser are coming so fast and furious that mozillaZine has reported that a new Firefox release candidate has already replaced the Firefox release candidate 1.0.3, which became available on April 5.

Mozilla released the new release candidate (also designated 1.0.3) the very next day. Be forewarned that this release candidate 1.0.3, and probably the eventual release version as well, is likely to cause problems with a number of extensions.

Below are links to Secunia's reports about each threat:

The information disclosure vulnerability exposes random memory areas to malicious Web sites, and users would never be aware of it. As you would expect, it's mostly ASCII garbage, but there are definitely real information disclosures too, so this is a very real threat.

Secunia offers a Mozilla Products Arbitrary Memory Exposure Test to help you determine if your system is vulnerable to the new vulnerability. Using IE6, I went to the site and found no problem, but Firefox was definitely exposing arbitrary chunks of my memory. So if you're using Firefox, Mozilla, or even Netscape, I highly recommend running a quick test from Secunia's Web site.

Another recent report, this one coming from SecuriTeam.com (and credited to mikx), appears very similar, and it almost certainly refers to the same vulnerability discussed in the Secunia reports. (Secunia doesn't list MITRE CAN designations, so I can't be certain.) Below are links to the CVE reports.

Unfortunately, SecuriTeam.com has published links to proof-of-concept code. Dubbed Firescrolling, Fireflashing, Firetabbing, and Firedragging, all of these threats involve Java-based attacks.