
Thread: critical firefox hole

  1. #1
    4play
    An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."

    http://www.frsirt.com/exploits/20050507.firefox0day.php

  2. Software & Hardware   -   #2
    peat moss
    They did patch it tho? What does partially patch mean? I'm sure it will be fixed in a few hours or so tho. That's the neat thing about open source, hundreds of people are probably looking at this problem, and thinking of ways to solve it.
    Last edited by peat moss; 05-08-2005 at 06:28 PM.

  3. Software & Hardware   -   #3
    Skiz
    That's impossible. According to every FF user I've come across, FF is impervious to fault.


    yo

  4. Software & Hardware   -   #4
    davec8
    Quote Originally Posted by Skizo
    That's impossible. According to every FF user I've come across, FF is impervious to fault.
    I don't claim it to be impervious, but when holes like this come up they're usually patched within a few days at the most as opposed to a month or 2 like most of the other browsers. That's a definite plus.

  5. Software & Hardware   -   #5
    4play
    This was reported to Bugzilla some time ago, but Bugzilla will not let me access that report since you have to have certain permissions to actually view critical vulns.

    A temporary fix is about and it seems a 1.04 is in the works, I believe.

  6. Software & Hardware   -   #6
    DarthInsinuate
    Secunia now have their report written up: http://secunia.com/advisories/15292/

    Solution:
    1) Disable JavaScript.

    2) Disable software installation: Options --> Web Features --> "Allow web sites to install software"

    NOTE: A temporary solution has been added to the sites "update.mozilla.org" and "addons.mozilla.org" where requests are redirected to "do-not-add.mozilla.org". This will stop the publicly available exploit code using a combination of vulnerability 1 and 2 to execute arbitrary code in the default settings of Firefox.