Firefox exploit

rrfield

New Member
Got an IPS update today, noticed two filters for Firefox exploits...

This filter fires when a remote web application attempts to modify the security configuration of a Mozilla browser via the netscape.security.PrivilegeManager.enablePrivilege() class. If successful, the web application can proceed to manipulate both the browser and the local file system with the privileges of the logged-on user, including the ability to silently create, delete, and execute files on the local computer. By design, web applications are not permitted to access this class unless they are signed by the developer and the certificate is issued from a trusted authority. However, versions of Firefox prior to 1.0.1 and Mozilla prior to 1.7.6 do not sufficiently enforce these restrictions under certain conditions.

References:
Secunia Advisory http://secunia.com/advisories/14160/
Mozilla Bug #280664 https://bugzilla.mozilla.org/show_bug.cgi?id=280664
Javascript Signing for Mozilla Applications http://www.mozilla.org/projects/security/components/jssec.html

Source
Address: 0.0.0.0/0
Ports: 3128, 80, 8000, 8080

Destination
Address: 0.0.0.0/0
Ports: ANY



This filter fires when a remote web application attempts to open a javascript: link in the Sidebar (on Mozilla/Firefox) or Search (on Internet Explorer) panel. If the targeted panel is displaying privileged or trusted content, the javascript code supplied by a malicious site's link may execute in an elevated context, up to the privileges of the local user. By design, javascript: links are not permitted to access this area of the browser; however, versions of Firefox prior to 1.0.3fc2 do not sufficiently enforce these restrictions.

References:
Mozilla Foundation Security Announcement http://www.mozilla.org/security/announce/mfsa2005-39.html
Open Source Vulnerability Database http://www.osvdb.org/15688

Source
Address: 0.0.0.0/0
Ports: 3128, 80, 8000, 8080

Destination
Address: 0.0.0.0/0
Ports: ANY
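
A detection sketch for the first filter quoted above, added here as an example and not part of the original post or the IPS vendor's signature: it looks for enablePrivilege() calls in HTTP response bodies, including gzip-encoded ones. It assumes the filter's Source ports are the server side of the connection; the function names and sample responses are constructed for illustration.

```python
import gzip
import re
import zlib

# Source ports from the filter definition in the post (web servers and proxies).
WATCHED_SRC_PORTS = {3128, 80, 8000, 8080}

# Allow whitespace around the dots and capture the quoted privilege name.
ENABLE_PRIV = re.compile(
    rb"netscape\s*\.\s*security\s*\.\s*PrivilegeManager\s*\.\s*"
    rb"enablePrivilege\s*\(\s*([\"'])(.*?)\1",
    re.DOTALL,
)

def split_response(raw):
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def requested_privileges(src_port, raw):
    """Return the privilege names a response asks for via enablePrivilege()."""
    if src_port not in WATCHED_SRC_PORTS:
        return []  # assumption: only traffic from these ports is inspected
    headers, body = split_response(raw)
    if headers.get(b"content-encoding") == b"gzip":
        try:
            body = gzip.decompress(body)  # match on what the browser will see
        except (OSError, EOFError, zlib.error):
            return []  # undecodable body: nothing to match on
    return [m.group(2).decode("latin-1") for m in ENABLE_PRIV.finditer(body)]

def build_response(body, gzipped=False):
    """Build a constructed sample response (not captured traffic)."""
    payload = gzip.compress(body) if gzipped else body
    enc = b"Content-Encoding: gzip\r\n" if gzipped else b""
    return b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" + enc + b"\r\n" + payload

# Constructed sample bodies; the privilege name is only an illustrative value.
SAMPLE_HIT = b"<script>netscape.security.PrivilegeManager\n .enablePrivilege('UniversalXPConnect');</script>"
SAMPLE_CLEAN = b"<p>This page mentions enablePrivilege in text but never calls the class.</p>"

if __name__ == "__main__":
    for port, raw in [(80, build_response(SAMPLE_HIT)), (8080, build_response(SAMPLE_HIT, True)),
                      (80, build_response(SAMPLE_CLEAN)), (443, build_response(SAMPLE_HIT))]:
        print(port, requested_privileges(port, raw))
```

A plain byte match on the wire misses the gzip-encoded case, which is why the body is decoded before matching.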
 