Mozilla confirms Firefox proof of concept information leak vulnerability

Summary:Mozilla's security chief Window Snyder has confirmed a proof of concept information leak flaw in Firefox--even fully patched versions.Snyder confirmed the issue in a blog post.

Mozilla's security chief Window Snyder has confirmed a proof of concept information leak flaw in Firefox--even fully patched versions.

Snyder confirmed the issue in a blog post. The proof of concept vulnerability was highlighted by researcher Gerry Eisenhaur on Jan. 19. In a nutshell, Firefox leaks information that can allow an attacker to load any javascript file on a machine.

Technically, it's a chrome protocol directory transversal. Snyder explains:

When a chrome package is "flat" rather than contained in a .jar the directory traversal allows escaping the extensions directory and reading files in a predictable location on the disk. Many add-ons are packaged in this way.

A visited attacking page is able to load images, scripts, or stylesheets from known locations on the disk. Attackers may use this method to detect the presence of files which may give an attacker information about which applications are installed. This information may be used to profile the system for a different kind of attack.

Some extensions may store information in Javascript files and an attacker may be able to retrieve those. Greasemonkey user scripts may be retrieved using this method. Session storage and preferences are not readable through this technique.

Mozilla gives the flaw an low severity rating for now, but add ons such as Download Statusbar and Greasemonkey are vulnerable. Look for this vulnerability to get patched low risk or not. Mozilla has opened a bug.

Topics: Browser, Security

About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.