In association with heise online

01 February 2008, 13:55

Mozilla developers upgrade status of vulnerability risk


The Mozilla Foundation has reclassified a recently published hole in Firefox as a high-risk vulnerability. The flaw lets attackers read local data on a computer running the browser by way of installed add-ons: where an add-on is installed as a "flat package" (an unpacked directory tree) rather than as a .jar archive, attackers can use specially crafted chrome:// addresses in certain HTML tags to exploit the hole.

The foundation's head of security, Window Snyder, has published a status update on the Mozilla security blog. It contains a comprehensive, though not exhaustive, list of add-ons that are not installed as .jar packages and therefore leave systems vulnerable. Snyder also calls on add-on developers to package their software in .jar archives and publish updated versions.
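The distinction the article turns on, flat package versus .jar, is visible in an add-on's chrome.manifest: a flat install registers its content, locale and skin providers as plain directories, a repackaged one registers them as jar: URLs. The script below is an added example (not code from the article, from Mozilla or from any listed add-on) that classifies an unpacked add-on by reading that manifest, so an administrator can check a profile's extensions/ directory rather than a published list. It assumes the Gecko 1.8/1.9 manifest layout (`content pkg path`, `locale pkg lang path`, `skin pkg name path`) and that unpacked add-ons live under `<profile>/extensions/<id>/`; the two manifests embedded in it are constructed samples, and the demo add-on ids are hypothetical.

```python
"""Classify unpacked Firefox add-ons as flat or jar-packaged.

Added example, not part of the article or of Mozilla's code. A flat
package serves chrome:// content straight from a directory; a jar
package serves it from a jar: URL. The check reports packaging only;
it does not confirm that a given add-on is exploitable.
"""
import os
import tempfile
from typing import Dict, List, Tuple

# Manifest directives that register a chrome provider, mapped to the
# positional index of their path argument (assumed Gecko manifest layout).
_CHROME_DIRECTIVES = {"content": 2, "locale": 3, "skin": 3}

# Constructed sample: chrome content served from plain directories.
FLAT_MANIFEST = """\
# constructed sample manifest of a flat-packaged add-on
content   example   content/
locale    example   en-US   locale/en-US/
skin      example   classic/1.0   skin/
overlay   chrome://browser/content/browser.xul chrome://example/content/overlay.xul
"""

# Constructed sample: the same add-on repackaged into chrome/example.jar.
JAR_MANIFEST = """\
# constructed sample manifest of a jar-packaged add-on
content   example   jar:chrome/example.jar!/content/
locale    example   en-US   jar:chrome/example.jar!/locale/en-US/
skin      example   classic/1.0   jar:chrome/example.jar!/skin/
overlay   chrome://browser/content/browser.xul chrome://example/content/overlay.xul
"""


def parse_chrome_registrations(manifest_text: str) -> List[Tuple[str, str, str]]:
    """Return (directive, package, path) for every chrome provider line."""
    regs = []
    for raw in manifest_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # manifest comments start with '#'
            continue
        parts = line.split()
        idx = _CHROME_DIRECTIVES.get(parts[0])
        if idx is None or len(parts) <= idx:
            continue  # overlay/style/component lines carry no provider path
        regs.append((parts[0], parts[1], parts[idx]))
    return regs


def flat_registrations(manifest_text: str) -> List[Tuple[str, str, str]]:
    """Registrations whose path is a bare directory rather than a jar: URL."""
    return [r for r in parse_chrome_registrations(manifest_text)
            if not r[2].lower().startswith("jar:")]


def is_flat_package(manifest_text: str) -> bool:
    """True when at least one chrome provider is served from a directory."""
    return bool(flat_registrations(manifest_text))


def scan_extensions_dir(extensions_dir: str) -> Dict[str, bool]:
    """Map each unpacked add-on id under extensions/ to its flat/jar status."""
    result: Dict[str, bool] = {}
    if not os.path.isdir(extensions_dir):
        return result
    for ext_id in sorted(os.listdir(extensions_dir)):
        manifest = os.path.join(extensions_dir, ext_id, "chrome.manifest")
        if os.path.isfile(manifest):
            with open(manifest, encoding="utf-8", errors="replace") as fh:
                result[ext_id] = is_flat_package(fh.read())
    return result


def demo() -> Dict[str, bool]:
    """Write the two sample manifests into a throwaway profile and scan it."""
    with tempfile.TemporaryDirectory() as profile:
        ext_dir = os.path.join(profile, "extensions")
        # Hypothetical add-on ids, used only to label the constructed samples.
        for ext_id, text in (("flat@example.test", FLAT_MANIFEST),
                             ("jar@example.test", JAR_MANIFEST)):
            os.makedirs(os.path.join(ext_dir, ext_id))
            with open(os.path.join(ext_dir, ext_id, "chrome.manifest"), "w",
                      encoding="utf-8") as fh:
                fh.write(text)
        return scan_extensions_dir(ext_dir)


if __name__ == "__main__":
    for ext_id, flat in demo().items():
        print(f"{ext_id}: {'FLAT (repackage as .jar)' if flat else 'jar'}")
```

To check a live profile, call `scan_extensions_dir()` on the profile's extensions directory; any id reported True is a flat package of the kind the status update asks developers to repackage. Add-ons that ship as a single .xpi whose manifest already points at jar: URLs, and add-ons with no chrome.manifest at all, are reported as not flat or are skipped.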

Gerry Eisenhaur has updated his blog entry at hiredhacker.com, in which he originally disclosed the hole, to include a further demonstration of the vulnerability that reads out the content of the sessionstore.js file. This is said to reveal information about the current browser session, including cookies and open tabs. In the same entry, Eisenhaur also points out that the popular NoScript extension protects against these attacks.

The Mozilla developers have already fixed the flaw in the development branches and are testing the code in the nightly builds of the Firefox 2.0.0.12 release candidate. According to media reports, the final version is due to become available on February 5.


(mba)

Permalink: http://h-online.com/-735934