TITLE:
Mozilla XPInstall Dialog Box Security Issue

SECUNIA ADVISORY ID:
SA11999

VERIFY ADVISORY:
http://secunia.com/advisories/11999/

CRITICAL:
Moderately critical

IMPACT:
System access

WHERE:
>From remote

SOFTWARE:
Mozilla 0.x
http://secunia.com/product/772/
Mozilla 1.0
http://secunia.com/product/97/
Mozilla 1.1
http://secunia.com/product/98/
Mozilla 1.2
http://secunia.com/product/3100/
Mozilla 1.3
http://secunia.com/product/1480/
Mozilla 1.4
http://secunia.com/product/1481/
Mozilla 1.5
http://secunia.com/product/2478/
Mozilla 1.6
http://secunia.com/product/3101/
Mozilla Firefox 0.x
http://secunia.com/product/3256/

DESCRIPTION:
Jesse Ruderman has reported a security issue in Mozilla and Mozilla
Firefox, allowing malicious websites to trick users into accepting
security dialog boxes.

The problem is that it may be possible to trick users into typing or
clicking on a XPInstall / Security dialog box, using various
interactive events, without the user noticing the dialog box.

Successful exploitation may allow a malicious website to perform
tasks that require user interaction.

SOLUTION:
This has been fixed in Mozilla 1.7 and Mozilla Firefox 0.9.

PROVIDED AND/OR DISCOVERED BY:
Jesse Ruderman

ORIGINAL ADVISORY:
http://bugzilla.mozilla.org/show_bug.cgi?id=162020

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------