You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to www.mozilla.org, please file a bug.



You are here: Known Vulnerabilities in Mozilla Products (Firefox 1.0.5) > MFSA 2005-48

Mozilla Foundation Security Advisory 2005-48

Title: Same-origin violation with InstallTrigger callback
Severity: Low (High for Mozilla Suite)
Reporter: Matthew Mastracci
Products: Firefox, Mozilla Suite

Fixed in: Firefox 1.0.5
  Mozilla Suite 1.7.10

Description

The InstallTrigger.install() method for launching an install accepts a callback function that will be called with the final success or error status. By forcing a page navigation immediately after calling the install method this callback function can end up running in the context of the new page selected by the attacker. This is true even if the user cancels the unwanted install dialog: cancel is an error status. This callback script can steal data from the new page such as cookies or passwords, or perform actions on the user's behalf such as make a purchase if the user is already logged into the target site.

In Firefox the default settings allow only http://addons.mozilla.org to bring up this install dialog. This could only be exploited if users have added questionable sites to the install whitelist, and if a malicious site can convince you to install from their site that's a much more powerful attack vector.

In the Mozilla Suite the whitelist feature is turned off by default, any site can prompt the user to install software and exploit this vulnerability.

The browser has been fixed to clear any pending callback function when switching to a new site.

Workaround

Firefox: Remove untrustworthy sites from the list of those allowed to install, or turn off software installation entirely.

  1. Open the Options dialog from the Tools menu
  2. Select the Web Features icon in the left panel
  3. Uncheck the "Allow web sites to install software" box, or click the "allowed sites" button on that line to remove untrusted sites.

Mozilla Suite: Turn off the software installation feature.

  1. Open the Preferences dialog from the Edit menu
  2. Select "Software Installation" in the "Advanced" group in the left panel.
  3. Uncheck the "Enable software installation" checkbox.

References