web application security lab

Latest Firefox Fixes a Number of Security Holes

If you look at the latest security advisory from Mozilla, you can see that a number of big changes have been made to reduce the prospect of cross-site scripting attacks. I talked with Daniel Veditz at Mozilla and he warned me that some changes were coming with the next version, and he wasn’t lying. Where shall we start?

First of all, the non-alpha-non-digit attack vector is now closed. This is the same one that has been causing MySpace so much pain over the last few months. This is a good fix, as there really was no practical use for it anyway. Bravo!

Second was a fix for charset inheritance by pages that don’t declare their own: a child page took on the charset of its parent. Stefan Esser has posted more information on this. That let an attacker force the charset to one that would normally not be in effect, enabling vectors like the UTF-7 one. Again, bravo!
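As an added example (not code from the original post or from Mozilla), the Python below audits an HTTP response for an explicit charset declaration, since a document that declares none is the one that inherits its parent’s, and shows why that matters: the same bytes contain no “<” when read as ASCII but do when read as UTF-7. The header names, the `<meta>` regex and the sample body are constructed for illustration.

```python
# Added example: flag HTML responses with no declared charset, and show how
# an undeclared charset changes what the decoded document contains.
import re
from email.message import Message

# Matches <meta charset="..."> and <meta http-equiv="Content-Type" content="...; charset=...">
META_CHARSET = re.compile(rb'<meta[^>]*charset\s*=\s*["\']?\s*([A-Za-z0-9_.:-]+)', re.I)

def declared_charset(headers, body):
    """Charset the response itself declares (header first, then <meta>), or None.

    None means the browser falls back to inheritance or sniffing, which is the
    condition the charset-inheritance fix discussed above is about.
    """
    ct = next((v for k, v in headers.items() if k.lower() == 'content-type'), '')
    if ct:
        msg = Message()                  # reuse the stdlib MIME parameter parser
        msg['Content-Type'] = ct
        cs = msg.get_param('charset')
        if cs:
            return str(cs).lower()
    m = META_CHARSET.search(body[:1024])  # browsers prescan the first 1024 bytes
    return m.group(1).decode('ascii').lower() if m else None

def contains_tag(body, charset):
    """Decode the body the way a browser using `charset` would, then look for '<'."""
    return '<' in body.decode(charset, errors='replace')

# Constructed sample: the UTF-7 shifted form of "<b>x</b>", written out by hand.
# Byte-for-byte it is plain ASCII with no '<' in it.
SAMPLE_BODY = b'+ADw-b+AD4-x+ADw-/b+AD4-'

def audit(headers, body):
    """Return (declared charset or None, '<' seen as ASCII, '<' seen as UTF-7).

    A byte-level filter that runs before the charset is fixed sees the middle
    value; a browser that ended up in UTF-7 sees the last one.
    """
    cs = declared_charset(headers, body)
    return cs, contains_tag(body, 'ascii'), contains_tag(body, 'utf-7')

if __name__ == '__main__':
    print(audit({'Content-Type': 'text/html'}, SAMPLE_BODY))                 # no charset: inherits
    print(audit({'Content-Type': 'text/html; charset=utf-8'}, SAMPLE_BODY))  # pinned by the server
```

The mitigation is the first value: a response that pins its charset in the header or the `<meta>` tag is not at the mercy of whatever charset the parent frame uses.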

Third, the Firefox password manager has finally been updated to check not only the origin of the page whose password it auto-fills but also the destination the form submits to. This is in response to an old post on automatic password theft that spawned WhiteAcid’s scripts and then a post on Slashdot. So yeah, this is good, but unfortunately it doesn’t actually stop the attacker from reading the text in JavaScript. While good, I’m still staying away from password managers (not to mention all the other broken password managers that are still out there).

Last, but not least, the Adobe universal XSS vuln has been fixed! Hurray! It was already fixed by Adobe, but not that many people update Adobe Reader anyway, so this is a stopgap for those users.

So wow, that’s a powerful set of fixes! Each and every one of those could be very nasty, so I’m glad the changes were made. Now, back to work!

8 Responses to “Latest Firefox Fixes a Number of Security Holes”

  1. Stefan Esser Says:

    Here is the official advisory.

    http://www.hardened-php.net/advisory_032007.142.html

  2. RSnake Says:

    Thanks, Stefan, I was looking around for it, but I couldn’t find it. Thanks!

  3. Alex Says:

    Nice to see that this little script is no longer crashing Firefox. Now it only hangs … with nearly 100% CPU load …

    Code:

  4. Alex Says:

    Ok, my code has been filtered out. Once again:

    <body onfocus="alert('Die !');">
    </body>

  5. Luny Says:

    *goes to update his disable confirm postsend data loader*

  6. kuza55 Says:

    Well, I’m really glad that Firefox are responding to these issues, and removing their insecure proprietary designs, but the password theft (RCSR) fix doesn’t really fix the issue because of the requirements needed to conduct the attack in the first place: http://kuza55.blogspot.com/2007/02/breaking-firefoxs-rcsr-fix.html

  7. yawnmoth Says:

    It’s ironic that in closing the second non-alpha-non-digit attack vector, they introduced the third one. Try it out.

    http://ha.ckers.org/xss.html#XSS_Non_alpha_non_digit3

    Works in Firefox 2.0.0.2. Didn’t work in Firefox 2.0.0.1.

  8. RSnake Says:

    Nice catch! Yup, you’re right. I modified the cheat sheet to reflect that.