24 January 2008

Mozilla's chief of security has admitted a vulnerability that could cause fully patched versions of Firefox to expose a user's private data.

The confirmation, from Mozilla's Window Snyder, follows the release of proof-of-concept code by researcher Gerry Eisenhaur. The bug hides in Firefox's chrome protocol scheme and allows for a directory traversal when certain types of extensions are installed. Attackers could use it to detect if certain programmes or files are present on a machine, gaining information to use in perpetrating a more malicious exploit.

Normally, Firefox's chrome package is restricted to a limited number of directories, but a bug in the way it handles escaped sequences (i.e. %2e%2e%2f) allows attackers to fully access more sensitive parts of a user's computer. The exploit only works if a user has made use of Firefox extensions that are "flat," that is, those that don't package their files in a jar archive. Examples of flat add-ons include Download Statusbar and Greasemonkey.
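The class of bug described above, as an added example that is not Mozilla's code: a resolver that looks for `..` before percent-decoding lets `%2e%2e%2f` through, while one that decodes, normalises and then checks containment rejects it. The package root, file names and function names are assumptions made up for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed layout: a hypothetical "flat" extension unpacked on disk.
PACKAGE_ROOT = "/profile/extensions/example-flat-addon/chrome/content"


def resolve_naive(url_path: str) -> str:
    """Flawed order: reject literal '..' first, percent-decode afterwards."""
    if ".." in url_path.split("/"):
        raise ValueError("traversal rejected")
    # %2e%2e%2f only turns into ../ here, after the check has already run.
    decoded = unquote(url_path)
    return posixpath.normpath(posixpath.join(PACKAGE_ROOT, decoded))


def resolve_checked(url_path: str) -> str:
    """Decode once, normalise, then require the result to stay in the root."""
    # Validate the exact string that will be handed to the filesystem.
    decoded = unquote(url_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    resolved = posixpath.normpath(posixpath.join(PACKAGE_ROOT, decoded))
    # Containment is tested on the normalised path, so ../ and absolute
    # paths are caught however they were spelled in the URL.
    if posixpath.commonpath([PACKAGE_ROOT, resolved]) != PACKAGE_ROOT:
        raise ValueError("path escapes package root")
    return resolved


def is_rejected(resolver, url_path: str) -> bool:
    """True when the resolver refuses the path."""
    try:
        resolver(url_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for sample in ("overlay.js", "../prefs.js", "%2e%2e%2f%2e%2e%2fprefs.js"):
        print(sample, "naive rejects:", is_rejected(resolve_naive, sample),
              "checked rejects:", is_rejected(resolve_checked, sample))
```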

Mozilla bug squashers have rated the severity as normal and are working on a fix. In the meantime, Firefox users can protect themselves by using the NoScript extension. As long as an attacking website hasn't been added to a user's list of trusted sites, NoScript should prevent the traversal attacks from working.


