TITLE: Mozilla XPInstall Dialog Box Security Issue SECUNIA ADVISORY ID: SA11999 VERIFY ADVISORY: http://secunia.com/advisories/11999/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From remote SOFTWARE: Mozilla 0.x http://secunia.com/product/772/ Mozilla 1.0 http://secunia.com/product/97/ Mozilla 1.1 http://secunia.com/product/98/ Mozilla 1.2 http://secunia.com/product/3100/ Mozilla 1.3 http://secunia.com/product/1480/ Mozilla 1.4 http://secunia.com/product/1481/ Mozilla 1.5 http://secunia.com/product/2478/ Mozilla 1.6 http://secunia.com/product/3101/ Mozilla Firefox 0.x http://secunia.com/product/3256/ DESCRIPTION: Jesse Ruderman has reported a security issue in Mozilla and Mozilla Firefox, allowing malicious websites to trick users into accepting security dialog boxes. The problem is that it may be possible to trick users into typing or clicking on a XPInstall / Security dialog box, using various interactive events, without the user noticing the dialog box. Successful exploitation may allow a malicious website to perform tasks that require user interaction. SOLUTION: This has been fixed in Mozilla 1.7 and Mozilla Firefox 0.9. PROVIDED AND/OR DISCOVERED BY: Jesse Ruderman ORIGINAL ADVISORY: http://bugzilla.mozilla.org/show_bug.cgi?id=162020 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet@packetstormsecurity.org ----------------------------------------------------------------------