
ZDNet's Security Blog reports that Firefox extensions that are not packaged in JAR archive files (.JAR) leave users exposed to what is called a chrome URL handling directory traversal attack by hostile JavaScript (chrome URIs point to extension files stored in the user's chrome folder).
How big a deal is this? According to Gerry Eisenhaur of hiredhacker.com, who discovered the vulnerability earlier this month, merely opening a website that contains JavaScript aimed at this vulnerability could make Firefox display your preferences file (all.js) or reveal what you've been doing by displaying the sessionstore.js file, to name just two examples (see his posting for demos).
Mozilla is ranking this vulnerability as 'High Severity' because it can be exploited if you have any of over 600 add-ons installed, ranging from A (allcookies) to Z (Zipedia).
According to Mozilla Security Chief Window Snyder, don't blame Firefox; blame the developers that don't use .jar packaging for the add-ons. If you're a web developer (or play one on TV), you might want to review the debate at Bugzilla over this bug (number 413250). If you develop Firefox extensions, switching to JAR packaging might be a really good idea.
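A defensive check for both points above, written as an added example (not code from the article, ZDNet, or Mozilla): it classifies each package in a chrome.manifest as JAR-packed or flat, and tests whether a chrome-style path climbs above its package root. The manifest contents are constructed samples, and the layout assumed is the standard content/locale/skin line format.

```python
"""Audit a chrome.manifest for flat (non-JAR) registrations and check
chrome-style paths for directory traversal (added example, see lead-in)."""
from urllib.parse import unquote

# Constructed sample manifest: one packed extension, one flat one.
SAMPLE_MANIFEST = """\
content   goodext  jar:chrome/goodext.jar!/content/
locale    goodext  en-US  jar:chrome/goodext.jar!/locale/en-US/
content   flatext  chrome/content/
skin      flatext  classic/1.0  chrome/skin/
"""

def classify_manifest(text):
    """Return {package: 'jar' | 'flat'}. Each content/locale/skin line
    registers a package; its last field is where the files live, and
    'jar:...!/' means packed. Any unpacked registration marks it flat."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] not in ("content", "locale", "skin"):
            continue
        package = fields[1]
        # content: <pkg> <uri>   locale/skin: <pkg> <name> <uri>
        uri = fields[2] if fields[0] == "content" else fields[3]
        kind = "jar" if uri.startswith("jar:") else "flat"
        if result.get(package) != "flat":
            result[package] = kind
    return result

def escapes_package(requested):
    """True if the path part of a chrome URL (e.g. 'content/../../x')
    climbs above the package root. Percent-escapes are decoded first so
    encoded dot segments are judged the same as literal ones."""
    depth = 0
    for part in unquote(requested).split("/"):
        if part in ("", "."):
            continue
        depth += -1 if part == ".." else 1
        if depth < 0:
            return True
    return False

if __name__ == "__main__":
    for pkg, kind in sorted(classify_manifest(SAMPLE_MANIFEST).items()):
        print(f"{pkg}: {kind}")
    print(escapes_package("content/../../../all.js"))   # True
```

Run it against the chrome.manifest of each add-on in a profile's extensions folder to list which ones are still flat-packaged.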
However, just as Microsoft initially blamed others for an Internet Explorer 7 URI vulnerability we discussed last fall, then decided to fix the problem at the operating system level, Mozilla will block this vulnerability with Firefox 2.0.0.12 (current version is 2.0.0.11). Watch for an update, or if you're impatient, visit the Firefox download page frequently.
So-called 'Proof of Concept' bugs discovered by the good guys have a nasty habit of being used for actual attacks, so you shouldn't wait for a Firefox update. Here's what you can do today: