Mozilla Foundation Security Advisory 2008-08
Title: File action dialog tampering
Impact: Moderate
Announced: February 7, 2008
Reporter: Michal Zalewski
Products: Firefox, Thunderbird
Fixed in: Firefox 2.0.0.12
Thunderbird 2.0.0.12
Description
Security researcher Michal Zalewski demonstrated that timer-enabled security dialogs can be subverted by attackers using JavaScript to change the window focus. Zalewski showed that a user could be tricked into confirming a security dialog of this type by bringing the dialog back into focus right before a user clicked in a predictable time and place.
Workaround
Disable JavaScript until a version containing these fixes can be installed.
References
* https://bugzilla.mozilla.org/show_bug.cgi?id=376473
* CVE-2008-0591