Firefox feature introduces danger

Summary:Software engineers at Mozilla are working on a fix for another protocol handing issue affecting the company's flagship Firefox browser. Code execution attacks are possible under certain conditions.

Firefox feature introduces danger
Software engineers at Mozilla are working on a fix for another protocol handing issue affecting the company's flagship Firefox browser.

The flaw, originally reported in February 2007 and independently discovered by Petko D. Petkov, turns a little-used Firefox feature into a security risk that could lead to cross-site scripting attacks.

Secunia explains:

The problem is that the "jar:" protocol handler does not validate the MIME type of the contents of an archive, which are then executed in the context of the site hosting the archive. This can be exploited to conduct cross-site scripting attacks on sites that allow a user to upload certain files (e.g. .zip, .png, .doc, .odt, .txt).

The "jar:" protocol is designed to extract content from compressed files.

A vulnerability note from US-CERT suggests there may code execution attack scenario:

This vulnerability may allow an attacker to execute cross-site scripting attacks on sites that allow users to upload pictures, archives or other files. If the user opens the malicious URI with a Firefox Addon, an attacker might be able to execute arbitrary code.

The bug has been confirmed in fully patched versions of the open-source browser. In the absense of a patch, Firefox users should avoid follow untrusted "jar:" links on suspicious Web sites.

ALSO SEE:

Protocol abuse adds to Firefox, Windows security woes

More Firefox URI handling security hiccups

Command injection flaw found in IE: Or is it Firefox?

Microsoft should block that IE-to-Firefox attack vector

Mozilla caught napping on URL protocol handling flaw

Topics: Browser

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.