Mozilla Foundation Security Advisory 2005-48
Title: Same-origin violation with InstallTrigger callback
Severity: Low (High for Suite)
Reporter: Matthew Mastracci
Products: Firefox, Mozilla Suite
Fixed in: Firefox 1.0.5
Mozilla Suite 1.7.9
Description
The InstallTrigger.install() method for launching an install accepts a
callback function that will be called with the final success or error status.
By forcing a page navigation immediately after calling the install method
this callback function can end up running in the context of the new page
selected by the attacker. This is true even if the user cancels the unwanted
install dialog: cancel is an error status. This callback script can steal
data from the new page such as cookies or passwords, or perform actions on
the user's behalf such as make a purchase if the user is already logged
into the target site.
In Firefox the default settings allow only http://addons.mozilla.org to
bring up this install dialog, so the flaw can be exploited only if the user
has added a questionable site to the install whitelist. A malicious site that
can persuade the user to whitelist it and install from it already has a far
more powerful attack vector than this one, which is why the severity is rated
Low for Firefox.
In the Mozilla Suite the whitelist feature is turned off by default, so any
site can prompt the user to install software and exploit this vulnerability;
this is why the severity is High for the Suite.
The browser has been fixed to clear any pending callback function when the
window navigates to a new site, so a callback registered by one page can no
longer run against the document that replaces it.
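The following is an added example, not Mozilla code and not part of the
advisory: a small model of the callback lifetime problem described above and
of the fix. It simulates a browser that keeps an InstallTrigger.install()
callback pending while the install dialog is open, then lets the attacker's
page navigate to a victim site before the user answers the dialog. The origins,
cookie values and the XPInstall status code for a user cancel (-210, assumed
here) are constructed for the illustration; the point is that the callback
fires on cancel too, and that clearing it on navigation is what closes the hole.

```javascript
// Added example: a model of the InstallTrigger callback bug and its fix.
// Not Mozilla code. Origins, cookies and the status code are constructed.

const STATUS_SUCCESS = 0;
const STATUS_USER_CANCELLED = -210; // assumed XPInstall code for "user pressed Cancel"

class BrowserModel {
  constructor({ clearCallbackOnNavigate }) {
    this.clearCallbackOnNavigate = clearCallbackOnNavigate; // false = vulnerable, true = fixed
    this.page = null;            // the currently loaded document
    this.pendingInstall = null;  // callback waiting for the install dialog to close
    this.whitelist = new Set();  // origins allowed to open the install dialog
  }

  // Load a new document into the window. The fixed browser drops any
  // pending install callback here, so it can never run against the new page.
  navigate(page) {
    this.page = page;
    if (this.clearCallbackOnNavigate) this.pendingInstall = null;
  }

  // Model of InstallTrigger.install(xpi, callback): only whitelisted origins
  // get the dialog at all; otherwise nothing is queued and false is returned.
  install(xpiUrl, callback) {
    if (!this.whitelist.has(this.page.origin)) return false;
    this.pendingInstall = { xpiUrl, callback, originAtCall: this.page.origin };
    return true;
  }

  // The user eventually answers the modal dialog. The callback is invoked
  // with whatever document is loaded *now*, which is the bug: in the
  // vulnerable browser that may be a different site than the one that
  // called install(). Cancel is reported as an error status, so it fires too.
  resolveDialog(status) {
    const pending = this.pendingInstall;
    this.pendingInstall = null;
    if (!pending) return null;
    return pending.callback(this.page, status);
  }
}

// The attacker's callback: it simply reads from whatever document it is
// handed. In the real browser this would be document.cookie or form fields.
function stealingCallback(doc, status) {
  return { origin: doc.origin, cookie: doc.cookie, status };
}

// Run the attack described in the advisory against a vulnerable or fixed
// browser and return what the callback observed (null if it never ran).
function runScenario(fixed) {
  const browser = new BrowserModel({ clearCallbackOnNavigate: fixed });
  browser.whitelist.add('http://attacker.example'); // user had whitelisted the site

  browser.navigate({ origin: 'http://attacker.example', cookie: '' });
  browser.install('http://attacker.example/evil.xpi', stealingCallback);

  // Attacker forces navigation immediately after calling install().
  browser.navigate({ origin: 'https://bank.example', cookie: 'session=abc123' });

  // The user cancels the unwanted install dialog.
  return browser.resolveDialog(STATUS_USER_CANCELLED);
}

// A site not on the whitelist never gets as far as queueing a callback.
function nonWhitelistedSiteIsIgnored() {
  const browser = new BrowserModel({ clearCallbackOnNavigate: false });
  browser.navigate({ origin: 'http://attacker.example', cookie: '' });
  return browser.install('http://attacker.example/evil.xpi', stealingCallback);
}

console.log('vulnerable:', runScenario(false));
console.log('fixed:     ', runScenario(true));
```

In the vulnerable model the callback returns the bank page's origin and
cookie together with the cancel status; in the fixed model it never runs at
all. The whitelist check is what limits the Firefox exposure to sites the user
has explicitly allowed, and its absence is why the Suite is affected by default.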
Workaround
Firefox: Remove untrustworthy sites from the list of those allowed to install,
or turn off software installation entirely.
- Open the Options dialog from the Tools menu
- Select the Web Features icon in the left panel
- Uncheck the "Allow web sites to install software" box, or click the
"allowed sites" button on that line to remove untrusted sites.
Mozilla Suite: Turn off the software installation feature.
- Open the Preferences dialog from the Edit menu
- Select "Software Installation" in the "Advanced" group in
the left panel.
- Uncheck the "Enable software installation" checkbox.
References
https://bugzilla.mozilla.org/show_bug.cgi?id=293331