Is this the month of Firefox bugs?

It looks like Michal Zalewski is turning February into the MOFFB (month of Firefox bugs).
Written by Ryan Naraine, Contributor

The Polish hacker's ongoing audit of the open-source browser's design has turned up another potentially serious vulnerability that could allow the theft of user credentials from commonly used startup pages.

Zalewski said the flaw exists in the way Mozilla's flagship browser handles bookmarks. In certain scenarios, an attacker can exploit the bug to steal authentication cookies. Since Google is the default startup page on Firefox, this could lead to the exposure of Gmail or Google AdSense authentication cookies.

"The problem: it is relatively easy to trick a casual user into bookmarking a window that does not point to any physical location, but rather, is an inline data: URL scheme. When such a link is later retrieved, Javascript code placed therein will execute in the context of a currently visited webpage. The destination page can then continue to load without the user noticing," Zalewski said in a note posted to the Full Disclosure mailing list.

Although the severity risk is low, Zalewski warned that social engineering tactics can be used to silently launch attacks against Google, MSN, AOL or credentials. "In an unlikely case, the victim is browsing local files or special URLs before following a poisoned bookmark, system compromise is possible," he added.
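A defender-side check for the condition Zalewski describes, as an added example that is not from the article, from Zalewski or from Mozilla: it parses a bookmarks export and reports entries whose target is an inline scheme rather than a location. It assumes a bookmarks.html export in the Netscape bookmark file format, flags javascript: and vbscript: in addition to the data: case in the text, and uses a constructed sample export.

```python
import re
from html.parser import HTMLParser

# Inline-content schemes; data: is the article's case, the rest an added generalization.
INLINE_SCHEMES = {"data", "javascript", "vbscript"}

def url_scheme(href):
    """Return the lowercased scheme of href, or "" if it has none."""
    # URL parsers drop tabs/newlines and leading control characters and
    # spaces, so normalize the same way before reading the scheme.
    cleaned = re.sub(r"[\t\r\n]", "", href).lstrip("".join(map(chr, range(0x21))))
    head, sep, _ = cleaned.partition(":")
    if sep and re.fullmatch(r"[A-Za-z][A-Za-z0-9+.-]*", head):
        return head.lower()
    return ""

class BookmarkAuditor(HTMLParser):
    """Collect (title, scheme) for bookmarks that use an inline scheme."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._title = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._title = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._title.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            scheme = url_scheme(self._href)
            if scheme in INLINE_SCHEMES:
                self.findings.append(("".join(self._title).strip(), scheme))
            self._href = None

def audit_bookmarks(export_html):
    parser = BookmarkAuditor()
    parser.feed(export_html)
    parser.close()
    return parser.findings

# Constructed sample export; the inline entries carry inert placeholder content.
SAMPLE = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
<DT><A HREF="https://www.example.com/">Start page</A>
<DT><A HREF="data:text/html,constructed-placeholder">Weekly news</A>
<DT><A HREF=" jav\tascript:void(0)">Quick search</A>
</DL><p>
"""
print(audit_bookmarks(SAMPLE))
```

The scheme is read after the same whitespace normalization a browser applies, so an entry such as the third one, with a leading space and an embedded tab, is still reported.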

A step-by-step demo highlights the issue. Mozilla's security response team is working on a fix.

The latest warning comes at a very sensitive time for Mozilla. The company has already delayed the release of Firefox to fix the location.hostname vulnerability exposed by Zalewski last Thursday. (See demo, which requires JavaScript).

Mozilla security chief Window Snyder confirmed the next scheduled browser refresh will include a fix for that flaw, which could be exploited to make the browser appear as if it were connecting to a bank, when in fact it would instead be receiving data from an online criminal. "We have not heard of any reported exploits. However, we're working to address the issue as quickly as possible to minimize the window of risk," Snyder said.

Firefox is expected to ship on Thursday, February 22.
