Security holes creep into Firefox

With a blockbuster 50 million downloads since its launch, web browser Firefox now seems to be heading the Internet Explorer way by developing serious security holes.

By Chris Fernando. Published May 10, 2005

Security research company Secunia has stated on its web site that two vulnerabilities found in the popular browser and in Mozilla Suite can mean serious trouble for users. The flaws can be exploited to conduct cross-site scripting attacks that compromise users’ systems.

Though the Mozilla Foundation has issued an advisory explaining the vulnerabilities and the measures that work around them, it maintains that there are currently no known active exploits of these exposures. In Mozilla Foundation Security Advisory 2005-42, Mozilla.org explains that the exploit could use javascript: URL code to navigate back to a previously visited page, such as an online store order form with credit card information or an online banking account management page, to steal cookies or data, or even to perform actions on behalf of the user.

Mozilla stated that it is working aggressively on a more comprehensive solution to these potential security holes and will deliver it in a forthcoming security update. According to Secunia, exploit code is now publicly available and could be used by potential hackers to exploit this security hole further.

A temporary solution has been added to the site https://do-not-add.mozilla.org. In its advisory, Mozilla.org recommends that users of Mozilla Firefox 1.0.3 and Mozilla Suite should disable JavaScript, while users of Mozilla Firefox 1.0.3 should remove all ‘Allowed sites’ under the ‘Allow web sites to install software’ option to stay secure.
