--get your your Linux knowledge
> Linux Reviews > News and headlines > 2005 News archive > May >

Firefox users should disable software extension installation.

The Mozilla Foundation has become aware of two potentially critical vulnerabilities in the popular Firefox web browser if software extension installation is allowed.

There is currently no known active exploits, but proof of concept examples are available to every black-hat with half a braincell, so it is inevitable that someone will abuse them.

Updates to Firefox are not yet available. The foundation is working actively to make a security update available.

One of the flaws allows iframe javascript locations to be executed in the context of any other URL present in the browsers history list. In simple terms, the site you are visiting can run javascript claiming to be part of any site you have previously visited. This can be used to steal cookies containing login information.

The other flaw allows InstallTrigger.install(), used to install third party extentions, to pass information to the IconURL without verifying it. This may sound trivial, but it is quite serious: It can in a worse case scenario be used to gain limited user privileges on the system. The Mozilla Update service has been changed to minimize the risk of an exploit, but this may prove to be a big security risk when installing extensions from third party sites regardless.

The combination of these problems may be lethal if you install any extensions with the current 1.0.3 version of Firefox: If you have allowed the browser to install software and whitelisted the official sources then third party sites can still install extensions by pretending to be the official update site.

A very simple solution is available:

Edit -> Preferences -> Web Features -> Disable "Allow web sites to install software" and Disable Javascript from the same tab.

The Firefox browser is growing in popularity and a new European site has been created. is localized in 15 languages and aims to convince the people of Europe to use the Firefox and other Mozilla products. Kind of bad timing to release a promo site when known security risks have no cure...?

News and headlines

Meet new people