Firefox flaw could expose sensitive data

Attackers could use a malicious Web page to access sensitive Web site data via a new security hole in Mozilla Firefox, Cupertino, Calif.-based AV giant Symantec Corp. said Monday. In an e-mail to customers of its DeepSight Threat Management System, Symantec warned that Firefox is vulnerable to a flaw that could allow a Web page to "execute malicious script code in the context of an arbitrary domain." This could lead to a variety of attacks, "including theft of cookie-based authentication credentials," Symantec said.

"The issue affects the '-moz-binding' property that is used to attach extensible binding language (XBL) to elements through cascading style sheets (CSS)," Symantec said. "Due to an origin validation error, arbitrary script code included with XBL may be executed in the context of another domain. The cause of this issue is that the browser's same origin policy is not enforced on this property."

Security Bytes: Firefox flaw could expose sensitive data

Linked by shanmuga Wednesday, 1st February 2006 12:29AM