In Brief

Eight Firefox Vulnerabilities; Microsoft Previews Longhorn Security; Windows XP SP2 Rollout Lags

Eight Firefox Vulnerabilities

Mozilla’s Firefox browser and Mozilla software have eight vulnerabilities that could allow attackers to bypass a PC’s security, launch cross-site scripting attacks, and access a user’s system. Security information provider Secunia rates the vulnerabilities as “highly critical.”

One vulnerability triggers an input-validation error for a routine that assesses available plug-ins. According to Secunia, a tag “for non-installed plug-ins can be exploited to inject arbitrary JavaScript code.” An attacker can use the flaw to install code on a user’s PC, provided the user clicks a “manual install” button.

Another flaw allows blocked pop-up advertisements to run with higher-than-normal privileges. An attacker could craft a special URL to run arbitrary code, provided the user opened one of these pop-up windows.

A third vulnerability doesn’t scrub some existing tabs and windows; this could allow a malicious script introduced into these windows and tabs to execute in a new window.

Another flaw stems from Firefox not verifying the URL for favorite icons. An attacker could use the favorite icons’ URL to introduce JavaScript and execute an attack on the user’s computer.

Additional problems relate to verifying the URL of search plug-ins, and the manner in which Firefox opens URLs in the search sidebar.

Upgrading to Firefox version 1.0.3 or Mozilla 1.7.7 fixes the vulnerabilities. Antivirus provider F-Secure recommends users upgrade immediately. Otherwise, it notes, “you might get nasty stuff happen on your computer just by surfing to the wrong site.”

Microsoft Discusses Longhorn Security

At the recent Microsoft Management Summit conference in Las Vegas, Microsoft CEO Steve Ballmer briefly discussed some security features of Microsoft’s forthcoming Longhorn operating system (OS), due for release by the end of 2006.

Overall, Ballmer says Microsoft is aiming for lower total cost of ownership for the OS, and he cites reduced security costs as a major requirement for that to happen. “I know security has been a major cost driver for folks from an operations perspective over the last several years,” he notes.

Beyond lowering security costs, Ballmer says Longhorn will support Microsoft’s Network Access Protection (NAP), an initiative for improving endpoint security. According to Ballmer, NAP will also work with the Trusted Computing Group’s endpoint security standard, even though, as he notes, “we are not actually members of [the] Trusted Computing Group (TCG).” Even so, he acknowledges that “you’ll need to have consistency in how you quarantine systems inside your network.”

In addition, Microsoft plans improved identity management features relating to Active Directory. “When people first put in Active Directory, it was mostly about implementing Exchange,” says Ballmer. Without giving specifics, he says Microsoft is developing new security applications to explicitly take better advantage of Active Directory.

Windows XP SP2 Rollout Lags

Windows XP SP2 sports a number of security and stability improvements. Yet since its release last year, organizations haven’t rushed to adopt it.

“A substantial number of companies have yet to decide whether to accept or embargo Windows XP SP2,” asserts Steve O’Halloran, managing director of AssetMetrix Research Labs, which surveyed 251 North American corporations with a total of over 136,000 PCs. “To date, we have observed that 40 percent of companies using Windows XP have actively avoided upgrading to SP2, and only 7 percent have actively accepted it.”

Half of surveyed companies haven’t articulated an official SP2 policy. Overall, only about 24 percent of corporate PCs with Windows XP SP1 installed had been upgraded.

Microsoft says it won’t cease support for SP1 until September 2006, but AssetMetrix recommends companies upgrade to SP2 well before then. The firm says “companies choosing not to deploy SP2 will be faced with a host of potential issues, including possible incompatibilities with future products such as Internet Explorer 7, or a potential support gap when Microsoft support for Windows XP Service Pack 1 is withdrawn.”

Related Articles:

New Firefox Flaws Surface
http://www.esj.com/Security/article.aspx?EditorialsID=1332

Ten Microsoft Problems
http://www.esj.com/Security/article.aspx?EditorialsID=1358

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.