Mozilla developers upgrade status of vulnerability risk
The Mozilla Foundation has reclassified a recently published hole in Firefox, as a high risk vulnerability. The flaw gives attackers access to local data on a computer running the browser using add-ons. Add-ons installed as "flat packages" instead of
.jar archives allow attackers can use specially crafted
chrome:// addresses in certain HTML tags to exploit the hole.
The foundation's head of security, Window Snyder, has released a status update in its security blog. It contains a comprehensive if not exhaustive list of add-ons which are not installed as
.jar packages and therefore make systems vulnerable. Snyder also calls on add-on developers to package their software in
.jar archives and publish updated versions.
Gerry Eisenhaur has updated his blog entry at hiredhacker.com, in which he originally published the hole, to include another demonstration of the vulnerability which reads out the content of the
sessionstore.js file. This is said to reveal information relating to the current browser session including cookies and open tabs. In his blog entry, Eisenhaur also points out that the popular NoScript browser extension provides protection from these attacks.
The Mozilla developers have already fixed the flaw in the development branches and are testing the code in the nightly builds of Firefox Release Candidate 18.104.22.168. According to the media, the final browser version is to become available on February 5.
- Status update for Chrome Protocol Directory Traversal issue, Window Snyder's entry in the Mozilla Foundation's security blog
- List of numerous add-ons provided as "flat packages"
- Firefox leaks information, heise Security news