Affected Systems:
Windows, Mac OS X, and Linux systems running Mozilla Firefox version 3.0-3.0.7.
Please note:
Exploit code has been released that exploits this vulnerability. Per VirusTotal analysis of exploit code posted on milw0rm.com, no AV products currently detect visits to a maliciously crafted page containing this exploit.
Description:
Attackers will exploit this vulnerability by enticing users to visit maliciously crafted websites. A successful exploit could result in arbitrary code being run on a victim system. An unsuccessful exploit will cause a Denial of Service condition (browser crash).
Solution:
Update to Mozilla Firefox 3.0.8 when it is released sometime early the week of March 30, 2009. It is highly unlikely that users can tell malicious websites from benign ones by simple observation. Please advise users to be cautious when clicking links in e-mails as well as when viewing search results.
UPDATE: IT Security Office staff have found a workaround for this vulnerability.
This will break every iframe on every page you visit, but it will also keep this exploit from working. Make sure you keep these instructions so you can back out of this workaround when Firefox 3.0.8 is released. This workaround has been tested on systems running Windows XP SP3 and Mac OS X 10.5.6 under Firefox 3.0.7.
- Install NoScript, restart Firefox
- Right-click on the NoScript icon and select Options
- Go to the Plug-ins tab and make sure "Forbid <IFRAME>" and "Apply these instructions to trusted sites too" are checked
- In the location bar, type about:config
- Filter for iframe
- Find the preference labeled noscript.forbidIFramesContext and set its value to 0 (zero). This blocks EVERY iframe from being loaded, even if it is coming from the same site as its parent.
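For an IT office that needs to check a fleet rather than one desktop, the following added script (not part of this advisory or of NoScript) shows how the two facts above, the affected version range 3.0 through 3.0.7 and the noscript.forbidIFramesContext = 0 workaround, can be audited automatically. It assumes the Firefox version string is available (for example from application.ini or `firefox --version`) and that NoScript persists the about:config preference into the profile's prefs.js as a user_pref line; the prefs.js content below is constructed sample data.

```python
import re

# Affected range from the advisory: Firefox 3.0 through 3.0.7 (inclusive).
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 7)
# Preference named in the workaround; assumed to be written to prefs.js by NoScript.
WORKAROUND_PREF = "noscript.forbidIFramesContext"

# Constructed sample prefs.js content (not captured from a real profile).
SAMPLE_PREFS_JS = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("noscript.forbidIFramesContext", 0);
"""

# Matches one user_pref("name", value); line from prefs.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_version(version):
    """Turn a version string such as '3.0.7' into a 3-tuple of ints.

    A non-numeric suffix (e.g. '3.0.8pre') is cut off; missing components
    are padded with 0 so '3.0' compares as (3, 0, 0).
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True if the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def parse_prefs(prefs_js):
    """Return a dict of preference name -> raw value text from prefs.js content."""
    prefs = {}
    for line in prefs_js.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def workaround_applied(prefs):
    """True only if the workaround preference is present and set to 0."""
    return prefs.get(WORKAROUND_PREF) == "0"


def assess(version, prefs_js):
    """Combine the version check and the preference check into one verdict."""
    affected = is_affected(version)
    mitigated = workaround_applied(parse_prefs(prefs_js))
    if not affected:
        status = "not affected"
    elif mitigated:
        status = "affected, workaround applied"
    else:
        status = "affected, NO workaround"
    return {"version": version, "affected": affected,
            "workaround": mitigated, "status": status}


if __name__ == "__main__":
    for ver in ("3.0.7", "3.0.8", "3.5"):
        print(assess(ver, SAMPLE_PREFS_JS))
```

The verdict is deliberately conservative: a system counts as mitigated only when the preference is explicitly present with value 0, so a profile where NoScript was installed but the about:config step was skipped still reports "NO workaround". Once Firefox 3.0.8 is deployed the version check turns the whole verdict to "not affected", which is also the cue to back the workaround out as the advisory recommends.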
References:
http://www.securityfocus.com/bid/34235/
Source:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130559