Secunia Security Advisory - Jesse Ruderman has reported a security issue in Mozilla and Mozilla Firefox, allowing malicious websites to trick users into accepting security dialog boxes. The problem is that it may be possible to trick users into typing or clicking on an XPInstall / Security dialog box, using various interactive events, without the user noticing the dialog box. Successful exploitation may allow a malicious website to perform tasks that require user interaction. This has been fixed in Mozilla 1.7 and Mozilla Firefox 0.9.
TITLE:
Mozilla XPInstall Dialog Box Security Issue
SECUNIA ADVISORY ID:
SA11999
VERIFY ADVISORY:
http://secunia.com/advisories/11999/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
Mozilla 0.x
http://secunia.com/product/772/
Mozilla 1.0
http://secunia.com/product/97/
Mozilla 1.1
http://secunia.com/product/98/
Mozilla 1.2
http://secunia.com/product/3100/
Mozilla 1.3
http://secunia.com/product/1480/
Mozilla 1.4
http://secunia.com/product/1481/
Mozilla 1.5
http://secunia.com/product/2478/
Mozilla 1.6
http://secunia.com/product/3101/
Mozilla Firefox 0.x
http://secunia.com/product/3256/
DESCRIPTION:
Jesse Ruderman has reported a security issue in Mozilla and Mozilla
Firefox, allowing malicious websites to trick users into accepting
security dialog boxes.
The problem is that it may be possible to trick users into typing or
clicking on an XPInstall / Security dialog box, using various
interactive events, without the user noticing the dialog box.
Successful exploitation may allow a malicious website to perform
tasks that require user interaction.
SOLUTION:
This has been fixed in Mozilla 1.7 and Mozilla Firefox 0.9.
PROVIDED AND/OR DISCOVERED BY:
Jesse Ruderman
ORIGINAL ADVISORY:
http://bugzilla.mozilla.org/show_bug.cgi?id=162020