Critical Vulnerabilities Found in Firefox

Two new security vulnerabilities have been uncovered in Mozilla's latest Firefox Web browser, which could be exploited to launch cross-site scripting attacks and potentially compromise a user's system. Security firm Secunia has given the flaws its highest "extremely critical" rating and says an exploit is already in the wild.

The first vulnerability stems from a bug that enables IFRAME JavaScript URLs to be executed in the context of another URL in Firefox's history list. "This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site," Secunia says.

On its own, the issue is not extremely dangerous for an end user. However, increased concern comes when the flaw is used in conjunction with a second Firefox bug. Code passed to an install function, used by Mozilla sites to update Firefox, is not properly verified before being run.

An attacker could use the first vulnerability to run arbitrary code using the second vulnerability, potentially gaining control of a user's system.

Secunia says the issue was confirmed in the latest Firefox release, version 1.0.3, and that other versions may be affected as well. The firm recommends disabling JavaScript for the time being, as well as turning off software installation via the Web.

To protect its users, Mozilla has implemented a temporary solution on its update sites that will stop publicly available exploit code from using a combination of the vulnerabilities to execute malicious code.