Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter, delivered each Tuesday!

New vulnerabilities are haunting Mozilla, Firefox, and
Netscape browsers, while different threats have surfaced in Outlook and
Internet Explorer. Meanwhile, IM and P2P threats surge.

Details

Secunia has reported, and Mozilla has confirmed, an
information disclosure vulnerability in the Firefox browser—including the
latest update (version 1.0.2), which is only a few weeks old (released March
21). In fact, troubles for the increasingly popular browser are coming so fast
and furious that mozillaZine
has reported that a new Firefox release candidate has already replaced the
Firefox release candidate 1.0.3, which became available on April 5.

Mozilla released the new release candidate (also designated
1.0.3) the very next day. Be forewarned that this release candidate 1.0.3, and
probably the eventual release version as well, will likely cause problems with
a number of extensions.

Below are links to Secunia’s reports about each threat:

The information disclosure vulnerability exposes random
memory areas to malicious Web sites, and users would never be aware of it. As
you would expect, it’s mostly ASCII garbage, but there are definitely real
information disclosures too, so this is a very real threat.

Secunia offers a Mozilla
Products Arbitrary Memory Exposure Test to help you determine if your
system is vulnerable to the new vulnerability. Using IE6, I went to the site
and found no problem, but Firefox was definitely exposing arbitrary chunks of
my memory. So if you’re using Firefox, Mozilla, or even Netscape, I highly
recommend running a quick test from Secunia’s Web site.

Another recent report, this one coming from SecuriTeam.com
(and credited to mikx), appears very similar, and it almost certainly refers to
the same vulnerability discussed in the Secunia reports. (Secunia doesn’t list
MITRE CAN designations, so I can’t be certain.) Below are links to the Common
Vulnerabilities and Exposures (CVE) reports.

Unfortunately, SecuriTeam.com has published links to proof-of-concept
code. Dubbed Firescrolling, Fireflashing, Firetabbing, and Firedragging,
all of these threats involve Java-based attacks.

But don’t think Mozilla’s security woes means Microsoft’s getting
off easy this week. eEye Digital
Security is reporting that its engineers have discovered a new
vulnerability in Outlook and Internet Explorer. eEye has sent the information
to Microsoft, and this security vendor doesn’t provide any details about
vulnerabilities until the vendor releases a patch.

So far, all we know from the disclosure is that the
vulnerability entails a remote code execution threat to multiple versions of
Internet Explorer. News.com offers a
little more information in its report, implying that would-be attackers
could exploit the IE vulnerability by getting users to surf across a banner ad.

In addition, eEye published an earlier
vulnerability that also affects IE as well as Outlook. The security vendor
notified Microsoft of the vulnerability on March 16, but the software giant has
not yet released a patch. Because eEye publishes no details about new threats
that could help script kiddies, it’s difficult to determine which of the two IE
threats is generating online reports elsewhere.

Applicability

Most—and possibly all—Mozilla-family browsers are vulnerable
to the Java-based information disclosure threat. Specifically, all Mozilla
browsers from 0.x through 1.7.x are vulnerable, as well as all Firefox versions,
including 1.0.2 (the most recent release). Netscape 6.x and 7.x are definitely
vulnerable, but Secunia reports that other versions may also be susceptible.

While unspecified, multiple versions of IE on various
platforms are vulnerable to one or both of the remote code execution threats
discovered by eEye.

Risk level – Critical

All three of these threats range from serious to critical.
At this time, vendors have yet to release any patches. However, I haven’t seen
any reports that attackers are attempting to actively exploit any of the three
threats either.

Mitigating factors

Since all three threats appear to apply to default
installations of the browsers, the only mitigating factor is that no one is
exploiting the vulnerabilities yet. Thanks to the availability of more details
about the Mozilla-family vulnerability, we know attackers can only exploit this
threat if users browse to a malicious Web site. However, thanks to the
publishing of proof-of-concept code for the Mozilla-family browsers, we can
expect to see exploits soon.

Of course, while you can switch to Firefox to avoid the latest
IE vulnerability, you’ll then have to deal with the new Firefox vulnerability instead—and
it appears to be nearly as dangerous.

Fix

All of the Mozilla, Firefox, and Navigator threats appear to
involve Java. So, until Mozilla releases a patch, disabling JavaScript will
block any attack attempts in the meantime. The April 6 version of Firefox release
candidate 1.0.3 (as opposed to the April 5 version) does address this
JavaScript vulnerability. However, it will reportedly wreak havoc with some
extensions, so it’s strictly a beta test version for now.

No workaround is available at this time for the IE and
Outlook threats.

Final word

Well, not to belabor the obvious, but as I’ve always said, a
big reason that hackers hit Microsoft so often is because it’s the biggest
target. Knowing this is one reason many people have turned to Firefox.

I like Firefox; I use Firefox every day. But I’ve never been
under the illusion that it’s completely secure or that it wouldn’t suddenly
begin to develop a lot of leaks when it became popular enough for people to
take some serious shots at it.

As Firefox and Mozilla become more popular, I expect to see
more vulnerabilities and patches—it’s just common sense. For the time being,
Firefox only has about 9 percent of the market, so we can still expect to see plenty
of problems emerging in Internet Explorer as well.

Until this week, I had simply switched browsers when a new
vulnerability appeared in one or the other. But now both browsers I regularly
use have serious vulnerabilities, so I’m stuck until a usable patch is
available.

Also watch for …

  • News.com
    has summarized
    a number of reports     about instant messaging and P2P networks, and none
    of them are good. The short version is that IM and P2P attacks have surged
    250 percent as better antispam filters have reduced spam on e-mail
    servers. Ranging from viruses and worms to phishing ventures, the attacks
    mostly affect Yahoo!, MSN Messenger, AOL, and Windows Messenger.
    Again, that’s most likely because these vendors have the most target-rich
    audiences. If other IM clients become more popular, attackers will begin
    targeting them. Only 11 percent of the attacks actually used a known vulnerability;
    presumably, the rest just relied on users opening anything anyone sent to
    them.
  • If you
    needed any proof that phishing is becoming a big danger, you need only
    note that Microsoft recently filed 117 lawsuits
    over the creation of fake Microsoft sites. Unlike viruses, which are a
    profit center for some software companies, it appears that the phishing
    threat is becoming so dangerous that the big boys are going to fight this
    battle for us.
  • News.com
    has also reported how phishing is
    rapidly migrating     from e-mail to instant messaging services. For some
    interesting numbers, check out Antiphishing.org
    or the organization’s February
    2005 PDF report    .
  • Users
    can patch Firefox 1.0 (and most likely later versions) to block more popup
    ads. But this poses a new problem: As Firefox and other popup-blocking
    browsers gain market share, advertisers are turning to a new kind of popup
    that uses plug-ins. Because many sites use legitimate popup windows for
    various features, browsers typically don’t block them.
  • Because
    of the antiprivacy, procorporate culture in Japan, it may be hard to
    believe that the country just passed
    a draconian privacy theft law    , which will hold designated corporate
    privacy officers and staff criminally liable for security breaches
    resulting in the disclosure of personal records. The new law took effect
    April 1 but doesn’t appear to be either a joke or wishful thinking. The
    law applies to companies holding more than 5,000 such records, and those
    found responsible for failing to follow the strict new rules can receive a
    fine and up to six months in jail. Wow—do we ever need that here! Everyone
    send a copy of this to your congressperson!

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.