In addition to the "pwn2own" vulnerability used at CanSecWest last week in order to compromise a system with the Firefox web browser, a new vunerability has been published which involves XSL Transforms. This vulnerability impacts both the latest Firefox 3.0.7 and Seamonkey 1.1.15 browsers.
Mozilla is working on updates for both packages and they expect the updated versions to be released by April 1 (and no, this is not an early April Fools joke).
A proof-of-concept exploit for the XSL Transform vulnerability has been released. If the attack succeeds, arbitrary code can be run in the context of the browser. If the attack fails, a DoS condition is likely for the browser.
For more information about the XSL Transform issue, see:
Mar 27th 2009
1 decade ago