WatchGuard Wire
Improve Your Security IQ
New cross-browser scripting attack: Firefox generates IE danger
This morning, Thor Larholm and researchers at xs-sniper alerted
the community to a problem with the URI handler in Internet Explorer, and how
it can be abused to launch a cross-browser scripting attack with Firefox 2.0.
It turns out that if you have both IE and Firefox 2.0 installed, an attacker
can create a URL which, when clicked on within IE, tells Firefox to execute
JavaScript programs of the attacker's choice on your computer. This is bad
because the JavaScript runs with the security privileges associated with Firefox
itself -- in most cases, that means your privileges.
The core of the problem is essentially twofold. IE doesn't do any input
validation when it launches Firefox's JavaScript handler. And when Firefox
is launched in this fashion it doesn't do the appropriate sanity checks
to make sure that there's nothing fishy going on.
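The two missing checks described above, sketched as an added example (not code from the original article or from either browser): the launching side validates the URL before handing it over, and the receiving side verifies what it was given. The `exampleapp` scheme, the argument template and the set of unsafe characters are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed handler registration: the launcher replaces %1 with the clicked URL.
HANDLER_ARGV = ["exampleapp.exe", "-url", "%1"]
ALLOWED_SCHEMES = {"exampleapp"}  # assumption: the only scheme this handler serves
# Characters that can close a quoted argument or begin a new one (assumed set).
UNSAFE = re.compile(r"[\"'`\s\x00-\x1f\x7f]")


def validate_handler_url(url):
    """Return url unchanged if it is safe to hand to the handler, else raise ValueError."""
    if urlsplit(url).scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    decoded = url
    for _ in range(3):  # inspect the raw form and up to two decoded layers
        if UNSAFE.search(decoded):
            raise ValueError("unsafe character in URL")
        peeled = unquote(decoded)
        if peeled == decoded:
            return url
        decoded = peeled
    raise ValueError("too many percent-encoding layers")


def build_argv(url):
    """Launcher side: pass the URL as one argv element, never spliced into a command string."""
    safe = validate_handler_url(url)
    return [safe if arg == "%1" else arg for arg in HANDLER_ARGV]


def receiver_accepts(argv):
    """Receiver side: accept only the expected argument shape and a URL that passes the same check."""
    if len(argv) != len(HANDLER_ARGV) or argv[:2] != HANDLER_ARGV[:2]:
        return False
    try:
        validate_handler_url(argv[2])
    except ValueError:
        return False
    return True
```

Either check alone would stop a malformed URL in this model; running both means a lapse on one side does not become the other side's problem.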
Don't panic. A comment on Thor's
blog suggests that if you have Firefox 2.0 installed and are using the
coolest Firefox add-in ever, NoScript,
you have nothing to fear. Since the comment was posted by the author
of NoScript, he should know what he's talking about. If you use Firefox
but aren't using NoScript, download it today.
-- Steve Fallin
Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.