The Channel logo


By | John Leyden 9th May 2005 11:38

Firefox exploit targets zero day vulns

Warning as malicious script goes feral

Security researchers have discovered two unpatched vulnerabilities in Firefox, the popular alternative web browser. The security bugs affect even the latest version of Firefox (version 1.0.3) and create a means for attackers to seize control of vulnerable systems using cross-site scripting attacks.

One vulnerability enables arbitrary JavaScript code with escalated privileges to be executed via a specially crafted JavaScript URL. Successful exploitation requires that a site is allowed to install software (default sites are "" and ""). This would normally drastically reduce the scope for mischief - but for a second security bug, involving "IFRAME" JavaScript URLs, which creates a means to execute arbitrary HTML and script code in the context of an arbitrary site.

A combination of the two vulnerabilities can be exploited to execute arbitrary code on vulnerable systems, according to Danish security firm Secunia. Exploit code is publicly available greatly increasing the chance of attack, it warns. The vulnerabilities - described by Secunia as "extremely critical" - have been confirmed in version 1.0.3 of Firefox. Other versions may also be affected.

Users are advised to disable JavaScript and the software installation option within Firefox pending a more comprehensive fix from the Mozilla Foundation. ®

Related stories

Unholy trio menace Firefox
Browser bugs sprout eternal
Drive-by Trojans exploit browser flaws
The unsavoury world of PC licences and Firefox exploits
Firefox dusted down with security upgrade
Firefox doubles market share as IE slips

alert Send corrections


Frank Jennings

What do you do? Use manual typwriters or live in a Scottish croft? Our man advises
A rusty petrol pump at an abandoned gas station. Pic by Silvia B. Jakiello via shutterstock

Trevor Pott

Among other things, Active Directory needs an overhaul
Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella


Suit-and-tie-wearing man tries to meditate, take deep breaths in faux yoga pose. Photo by Shutterstock
Emotional intelligence, not tech skills, is the way to woo suits
League of gentlemen poster - Tubbs and Edward at the local shop. Copyright BBC
One reselling man tells his tale of woe