They can be exploited by remote users to carry out diverse actions on systems, such as uploading malicious software
The first case should be "exploited by remote users to push the user to put malicious software on his computer while thinking it is not executable content".
All three bug are fixed in the Firefox nightlies that you can download from here (just wait until tomorrow to be insured to get the fix for the third one that was only very recently checked in):
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-aviary1.0.1/
Those nightlies only include safe and important bug and security fixes that are intended to be included in a future 1.0.1 version of Firefox.
They are a lot less likely to have a problem that bleeding edge nightlies, but they are not reviewed, and there's alway a possibility that a bug fix that should have been perfectly safe has unexpected side effects.
The first of the problems lies in the fact that when the browser copies an image -via drag and drop-, on validating it against the HTTP "Content-Type" header, it uses a file extension from the URL. This could be exploited to situate a valid image, with an arbitrary file extension, and include script code on the desktop, tricking the user to drag and drop.
Bad description.
The problem is that drag and drop of valid images to the desktop is allowed, but that the original extension is keeped, even if it's not a dangerous extension.
If you can arrange so that the image both is displayable and has an executable content, there's the catch.
The second problem consists of the non-validation of headers, when a "javascript:" URL is dragged to another tab. This vulnerability could be used to execute HTML code and arbitrary script in the user's browser session in the context of any other site.
Wait a minute !
Doesn't the fix for this in https://bugzilla.mozilla.org/show_bug.cgi?id=280056
forbid to drop bookmarkslets to the personnal bar ?
It looks so, and it's a pain in the ass. _______________________________________________ Mozilla-security mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-security
