Secunia

mikx has discovered three vulnerabilities in Mozilla and Firefox, which can be exploited by malicious people to plant malware on a user's system, conduct cross-site scripting attacks, disclose sensitive information, bypass certain security restrictions and compromise a user's system.

1) Mozilla and Firefox validate an image against the "Content-Type" HTTP header, but uses the file extension from the URL when saving an image after a drag and drop event. This can e.g. be exploited to plant a valid image with an arbitrary file extension and embedded script code (e.g. .bat file) on the desktop by tricking a user into performing a certain drag and drop event.

2) Missing URI handler validation when dragging a "javascript:" URL to another tab can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site by tricking a user into dragging a malicious link to another tab.

3) An error in the restriction of URI handlers loaded via plugins can be exploited to link to certain restricted URIs (e.g. about:config).

This can further be exploited to trick a user into changing some sensitive configuration settings.

Exploit code has been published by mikx combining vulnerability 2 and 3, where a malicious website can execute arbitrary code when a user drags the scrollbar twice.

It is also possible to read arbitrary local files via a malicious Windows SMB share hosting specially crafted javascript code.

The vulnerabilities have been confirmed in Mozilla 1.7.5 and Firefox 1.0. Other versions may also be affected.

Solution
Mozilla:
Further details available in Customer Area

Provided and/or discovered by
Originally discovered by:
mikx

Further information provided by:
Jelmer Kuperus

Changelog
Further details available in Customer Area

Original Advisory
1) http://www.mikx.de/index.php?p=8
2) http://www.mikx.de/index.php?p=9
3) http://www.mikx.de/index.php?p=10

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area