A pair of unpatched vulnerabilities in Mozilla's Firefox browser could allow an attacker to take control of a PC simply by getting a user to visit a malicious Web site, Mozilla says.

By Gregg Keizer
TechWeb News

A pair of unpatched vulnerabilities in Mozilla's Firefox Web browser -- rated as "extremely critical" by one security firm -- could allow an attacker to take control of a PC simply by getting a user to visit a malicious Web site, Mozilla said Sunday.

Because proof-of-concept code has been leaked -- as were the vulnerabilities -- before a patch was ready, Mozilla recommended that Firefox users either disable JavaScript or lock down the browser so it doesn't install additional software, such as extensions or themes, from Web sites.

The vulnerabilities were discovered by a pair of security researchers, who had notified Mozilla earlier in the month, but were keeping mum until a patch was written. However, details of the vulnerabilities were leaked by someone close to one of the researchers.

According to Danish security vendor Secunia, which tagged the bugs with a highest "extremely critical" warning -- the first time it's used that to describe a Firefox flaw -- a hacker can trick the browser into thinking a download is coming from one of the by-default sites permitted to install software automatically: addons.mozilla.org or update.mozilla.org.

Read the rest of the article here.
This bug is actually not a Firefox vulnerability, but a bug in Mozilla.org's whitelist on their website. As a matter of fact, this bug was worked around by the Mozilla folks before it was even leaked to the public. 0-day exploit indeed. Try and execute a proof-of-concept and you'll see what I mean.

This from Secunia's own website, hidden away in a dark corner:

NOTE: A temporary solution has been added to the sites "update.mozilla.org" and "addons.mozilla.org" where requests are redirected to "do-not-add.mozilla.org". This will stop the publicly available exploit code using a combination of vulnerability 1 and 2 to execute arbitrary code in the default settings of Firefox.

Nothing to see here folks, move along...

-AT