Mozilla ups unpatched Firefox flaw to 'high severity'; Preps fix

Summary: Mozilla has given a proof of concept Firefox vulnerability a "high severity" rating because an attacker can collect session information such as cookies and history, according to Mozilla security chief Window Snyder. Snyder said the vulnerability will be patched with Firefox 2.0.0.12.

Mozilla has given a proof of concept Firefox vulnerability a "high severity" rating because an attacker can collect session information such as cookies and history, according to Mozilla security chief Window Snyder.

Snyder said the vulnerability will be patched with Firefox 2.0.0.12, which will be pushed out "shortly."

On Jan. 22, Snyder confirmed a proof of concept vulnerability discovered by researcher Gerry Eisenhaur on Jan. 19. Simply put, Firefox leaks information that can allow an attacker to load any JavaScript file on a machine. This "chrome protocol directory traversal" is in play whenever "flat" files, common in add-ons, are installed. Chances are good that most Firefox users will have at least a few of these add-ons installed. That's a lot of data leakage.

Mozilla initially gave the flaw a low severity rating, but changed its mind after further investigation.

Snyder writes:

An attacker can use this vulnerability to collect session information, including session cookies and session history. Firefox is not vulnerable by default. If you are an author of any of these add-ons, please release an update to your add-on that uses .jar packaging.

The list of affected add-ons is long, but Snyder noted it was only a partial list. A few add-ons that stuck out:

  • ajax_yahoo_mail_viamatic_webmail_-0.9-fx+fl
  • quickjava-0.4.2-fx
  • open_java_console-1.5-fx
  • firefoxit-0.1.2-fx+fl
  • ie_view_lite-1.2-fx
  • extended_statusbar-1.2.4-fx
  • sourceforge_direct_download-0.4-fx
  • no_new_window-0.1-fx
  • farky-1.1.3-fx
  • livejournal_friends_checker-0.8.1.1-fx
  • termblaster_firefox_edition_-1.3.7-fx
  • myurlbar_a-2006.04.19-fx
  • pingpong-0.7-fx
  • print_print_preview-0.3-fx
  • world_of_warcraft_realm_status_tool-0.2-fx
  • settlers_3d_connector_user_info-0.1-fx
  • gmail_skins-0.9.8-fx
  • firephish_anti-phishing_extension-0.1.1-fx
  • bookmark_sync_and_sort-1.0.6-fx
  • inline_blocked_image_view-1.1-fx
  • myspace_friend_renamer-.75-fx
  • facebook_o-state_cowboy_style-1.2-fx
  • flickrgethighrez-2007.02.06-fx
  • refspoof-0.9.1-fx
  • arfcom_ad_blocker-1.0-fx
  • downloads_in_tab-0.0.2-fx
  • adwords_keyword_multiplier-0.1-fx
  • livejournal_addons-5.2.7-fx
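The two checks a defender would want here, written as an added example that is not Mozilla's code or anything from the article: an audit of an add-on's chrome.manifest that flags content, skin and locale registrations still pointing at a flat directory instead of a jar: URI (the packaging Snyder asked authors to move to), and a path-normalization check showing how a chrome path containing ".." escapes the registered directory. The manifest texts, package names and file names are constructed for the example.

```python
import posixpath
from typing import List

# Constructed sample chrome.manifest contents (hypothetical add-ons): the first
# registers its files as a flat directory, the second uses .jar packaging.
FLAT_MANIFEST = """\
content   example-flat   chrome/content/
skin      example-flat   classic/1.0   chrome/skin/
locale    example-flat   en-US         chrome/locale/en-US/
overlay   chrome://browser/content/browser.xul chrome://example-flat/content/overlay.xul
"""

JAR_MANIFEST = """\
content   example-jar    jar:chrome/example.jar!/content/
skin      example-jar    classic/1.0   jar:chrome/example.jar!/skin/
"""

# Manifest directives whose last field is a path on disk (or a jar: URI).
PROVIDERS = {"content", "skin", "locale"}


def flat_packages(manifest: str) -> List[str]:
    """Return 'provider:package' for every registration whose path is a flat
    directory rather than a jar: URI, i.e. the layout the advisory covers."""
    flat = []
    for line in manifest.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in PROVIDERS:
            continue  # blank lines, comments, overlays and other directives
        path = parts[-1]  # path is the last field for content/skin/locale
        if not path.startswith("jar:"):
            flat.append(f"{parts[0]}:{parts[1]}")
    return flat


def escapes_root(root: str, rel_path: str) -> bool:
    """True when a chrome:// path, once '..' segments are normalized, resolves
    outside the registered directory. Assumes POSIX-style relative paths."""
    base = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(base, rel_path))
    return not (target == base or target.startswith(base + "/"))
```

A flat registration combined with a path that `escapes_root` rejects is exactly the condition a reviewer should refuse; a jar: registration has no directory for ".." to climb out of.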



About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN... Full Bio
