Two vulnerabilities have been discovered in Firefox. An attacker can exploit these vulnerabilities to conduct cross-site scripting attacks and execute arbitrary code on a compromised computer.
The first vulnerability is that "IFRAME" JavaScript URLs are not properly protected from being executed in the context of another URL in the history list. This vulnerability can allow an attacker to execute arbitrary HTML and script code in a user's browser session in the context of an arbitrary site.
The second vulnerability is that input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This vulnerability can allow an attacker to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.
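The kind of verification the "IconURL" value lacked can be sketched as a scheme allowlist applied to the parsed URL. This is an added example, not Mozilla's fix or BroadWeb's signature logic; the function names, the http/https allowlist, the request object shape and the sample data are assumptions made for illustration.

```javascript
// Added example: allowlist check for an icon URL supplied by an untrusted page.
// ALLOWED_SCHEMES, checkIconUrl and vetInstallRequest are hypothetical names.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Resolve the value the way a browser would (relative to the page), then
// decide on the parsed scheme rather than on the raw string, so that case
// tricks, leading spaces and embedded tabs cannot hide the scheme.
function checkIconUrl(iconUrl, pageUrl) {
  if (typeof iconUrl !== "string" || iconUrl.length === 0) {
    return { ok: false, reason: "missing or non-string value" };
  }
  let parsed;
  try {
    parsed = new URL(iconUrl, pageUrl);
  } catch (err) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme " + parsed.protocol + " not allowed" };
  }
  return { ok: true, url: parsed.href };
}

// Vet every package entry in an install request; entries without IconURL pass.
function vetInstallRequest(packages, pageUrl) {
  const rejected = [];
  for (const [name, entry] of Object.entries(packages)) {
    if (entry && Object.prototype.hasOwnProperty.call(entry, "IconURL")) {
      const result = checkIconUrl(entry.IconURL, pageUrl);
      if (!result.ok) rejected.push({ name, reason: result.reason });
    }
  }
  return rejected;
}

// Constructed sample input (not taken from the advisory).
const samplePage = "https://addons.example/list/index.html";
const sampleRequest = {
  "Good": { URL: "good.xpi", IconURL: "icons/good.png" },
  "Mixed case": { URL: "a.xpi", IconURL: "  JaVaScRiPt:void(0)" },
  "Embedded tab": { URL: "b.xpi", IconURL: "java\tscript:void(0)" },
  "Data URL": { URL: "c.xpi", IconURL: "data:text/html,x" },
};
console.log(vetInstallRequest(sampleRequest, samplePage));
```

Checking the parsed scheme instead of matching the raw string is what catches the mixed-case and tab-split variants in the sample.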
The BroadWeb Security Service Team (BSST) has released countermeasure signatures in signature version 2.89, which includes:
# 1051916_EXPLOIT Mozilla Firefox 1.0.3 Remote Arbitrary Code Execution
NetKeeper users are urged to upgrade their signature patterns to version 2.89 or later in order to thwart these attacks.
(BSST, Broadweb Security Service Team)