Mozilla Foundation Security Advisory 2005-53

Standalone applications can run arbitrary code through the browser

Announced
July 12, 2005
Reporter
Michael Krax
Impact
Critical
Products
Firefox
Fixed in
  • Firefox 1.0.5

Description

Several media players, for example Flash and QuickTime, support scripted content with the ability to open URLs in the default browser. The default behavior for Firefox was to replace the currently open browser window's content with the externally opened content. If the external URL was a javascript: URL, it would run as if it came from the site that served the previous content, which could be used to steal sensitive information such as login cookies or passwords. If the media player content first caused a privileged chrome: URL to load, then the subsequent javascript: URL could execute arbitrary code.

External javascript: URLs will now run in a blank context regardless of what content they are replacing, and external apps will no longer be able to load privileged chrome: URLs in a browser window. The -chrome command line option to load chrome applications is still supported.
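As an added illustration that is not Mozilla's code, the following JavaScript models the two dispatch policies the advisory contrasts for a URL handed to the browser by an external application: the old behavior, where a javascript: URL inherits the principal of the page it replaces, and the fixed behavior, where it runs under a blank principal and external chrome: loads are refused. Function names, principal labels and the chrome: path are assumptions.

```javascript
// Model of URL dispatch for URLs supplied by an external application (e.g. a
// media player plugin). Function and principal names are assumed, not Mozilla's.
const PRIVILEGED_SCHEMES = new Set(["chrome"]);

// Extract the scheme the way a URL parser would: drop leading control/space
// characters and embedded tab/newline, then read scheme characters up to ':'.
// A naive startsWith("javascript:") misses "JavaScript:" or " javascript:".
function extractScheme(url) {
  const cleaned = url.replace(/^[\u0000-\u0020]+/, "").replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}
// Principal a document loaded from `url` would get (simplified model).
function principalFor(url, scheme) {
  if (scheme === "chrome") return "system-principal";
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]+)/i.exec(url.trim());
  return m ? `${scheme}://${m[1].toLowerCase()}` : scheme;
}
// Pre-1.0.5 behavior: the URL replaces the window content, so a javascript:
// URL inherits the principal of the page being replaced.
function dispatchVulnerable(url, currentPrincipal) {
  const scheme = extractScheme(url);
  if (scheme === "javascript") return { action: "run-script", principal: currentPrincipal };
  return { action: "load", principal: principalFor(url, scheme) };
}
// Fixed behavior as the advisory describes it: external javascript: URLs run in
// a blank context and external loads of privileged chrome: URLs are refused.
function dispatchFixed(url, currentPrincipal) {
  const scheme = extractScheme(url);
  if (scheme === null || PRIVILEGED_SCHEMES.has(scheme)) return { action: "reject", principal: currentPrincipal };
  if (scheme === "javascript") return { action: "run-script", principal: "null-principal" };
  return { action: "load", principal: principalFor(url, scheme) };
}
// Replay a sequence of externally supplied URLs against a window that starts on
// `startPrincipal`, returning the principal each step ran or loaded under.
function replay(dispatch, urls, startPrincipal) {
  let current = startPrincipal;
  return urls.map((url) => {
    const r = dispatch(url, current);
    if (r.action === "load") current = r.principal;
    return `${r.action}:${r.principal}`;
  });
}
// Constructed sample: the window shows the user's webmail, then a plugin hands
// the browser a chrome: URL followed by a javascript: URL (the advisory's chain).
const CHAIN = ["chrome://example/content/placeholder.xul", " JavaScript:void(0)"];
console.log(replay(dispatchVulnerable, CHAIN, "https://mail.example"));
console.log(replay(dispatchFixed, CHAIN, "https://mail.example"));
```

With the old policy the chain ends with the script running under the system principal; with the fixed policy the chrome: load is rejected and the script runs under a blank principal with no access to the mail page.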

Workaround

Set the browser to open external links in a new tab or new window.

  1. Open the Options dialog from the Tools menu
  2. Select the Advanced icon in the left panel
  3. Open the "Tabbed Browsing" group
  4. Set "Open links from other applications in:" to either new tab or new window

References

Bug details embargoed until August 1, 2005