myITforum.com


Harry Waldron - My IT Forums Blog

Sharing Security Developments, and Best Practices for corporate and home users

Firefox 1.04 - Released to address Critical Security issue

Mozilla has released version 1.04 of Firefox to address a security issue and exploit discovered this week. I have installed the new release for Windows 98, 2000, and XP SP2 with no issues so far. While there are no in-the-wild threats or viruses associated with the new exploit, current Firefox users should upgrade to further protect their systems.

Firefox 1.04 - Security Changes and other release notes

Security Update to Firefox Now Available

  Firefox 1.04 Free Download (English version 1.04)

Original Advisories on Security Issues

Mozilla Foundation Security Advisory 2005-42

Secunia - Mozilla Firefox Two Critical Vulnerabilities

The cross-site scripting and remote system access flaws were discovered in Firefox version 1.0.3, but other versions may also be affected, said security company Secunia, which issued the ratings Sunday. The two vulnerabilities, when combined, can be exploited, but no known cases have yet emerged where an attacker took advantage of the public exploit code.

One flaw involves "IFRAME" JavaScript URLs, which are not properly protected from being executed in the context of another URL in the history list. "If you visit a malicious Web site, it can steal cookie information from other Web sites you had previously visited," said Thomas Kristensen, Secunia's chief technology officer. The attacker could then use that information to engage in identity theft or gain access to other password-protected sites that the victim visited.

Mozilla issued the following workaround to prevent web sites from installing software automatically. It adds protection against future issues and enhances security even after upgrading to version 1.04, and it can be toggled on or off as needed.

1. Select the "Options" dialog from the "Tools" menu
2. Select the "Web Features" icon
3. Click the "Allowed Sites" button on the same line as the "Allow web sites to install software" checkbox
4. Click the "Remove All Sites" button
5. Click "OK"

Comments

 

hwaldron said:

Good browser
January 18, 2006 11:43 PM