Belated Firefox patch coming for (another) protocol handling bug

Summary: Mozilla security chief Window Snyder says the "jar:" protocol handler issue that currently haunts Firefox will be fixed very soon in the next refresh of the browser. The problem (see previous coverage) is that Firefox's "jar:" protocol handler does not validate the MIME type of the contents of an archive, which are then executed in the context of the site hosting the archive.


Mozilla security chief Window Snyder says the "jar:" protocol handler issue that currently haunts Firefox will be fixed very soon in the next refresh of the browser.

The problem (see previous coverage) is that Firefox's "jar:" protocol handler does not check the MIME type the server declares for the archive: any response that parses as a ZIP container is accepted, and the HTML or script inside it is then rendered in the security context of the site hosting the archive. This can be exploited to conduct cross-site scripting attacks on sites that allow users to upload files, because the extension the archive is stored under (.zip, .png, .doc, .odt, .txt and so on) is irrelevant to the handler.

[ ALSO SEE: Firefox feature introduces danger ]

On the official Mozilla security blog, Snyder explains the vulnerability and attack vector:

Firefox supports the Java Archive URI scheme that allows the addressing of the contents of zip archives. An attacker may upload a zip format file to a trusted site that allows users to upload content. The victim clicks on a link on the attacker’s website or in an email that links to the uploaded content on a trusted site. Since the content is loaded from the trusted site, content from the zip file runs in the context of the trusted site. This may allow the attacker to access information stored on the trusted site without the victim’s knowledge.

There is a second issue that if a zip archive is loaded from a site through a redirect, Firefox uses the context from the initiating site. This allows an attacker to take advantage of a site with an open redirect and host content on their own malicious site that will execute with the permissions of the redirecting site.

There is a proof of concept that demonstrates these issues in an attack against GMail that allows the attacker access to the victim’s stored GMail contacts.

The GMail proof-of-concept is available here.

Starting with Firefox 2.0.0.10, which is currently in testing, the browser will only support the jar scheme for files that are served with the correct application/java-archive MIME type. Firefox will also adjust the security context to recognize the final site as the source of the content, Snyder said.
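As an added illustration (this is example code written for this page, not Mozilla's handler or Snyder's), the following JavaScript models the two decisions the jar: handler makes, before and after the change described above: whether to load the archive at all, and which site's security context the extracted content runs in. The `contentType` and `finalUrl` field names on the response object, and the `trusted.example` / `attacker.example` hostnames, are assumptions made up for the model.

```javascript
// Added example: a model (not Mozilla's code) of what Firefox's jar: handler
// decided before and after the 2.0.0.10 change described in the article.
// A jar: URL has the shape  jar:<archive-url>!/<entry-path>

function parseJarUrl(jarUrl) {
  if (!jarUrl.startsWith("jar:")) throw new Error("not a jar: URL");
  const bang = jarUrl.indexOf("!/");
  if (bang < 0) throw new Error("jar: URL has no '!/' entry separator");
  return {
    archive: new URL(jarUrl.slice(4, bang)), // URL of the zip container
    entry: jarUrl.slice(bang + 2),           // path inside the zip
  };
}

// `response` describes what the network layer returned for the archive URL.
// Field names are assumptions for this model:
//   contentType - Content-Type header of the archive response
//   finalUrl    - URL that actually served the bytes after any redirects

// Pre-2.0.0.10 behaviour: no MIME check, and the security context is taken
// from the URL the request started at, not from where a redirect ended up.
function jarDecisionBeforeFix(jarUrl, _response) {
  const { archive, entry } = parseJarUrl(jarUrl);
  return { load: true, origin: archive.origin, entry };
}

// Patched behaviour (2.0.0.10): refuse anything not served as
// application/java-archive, and attribute the content to the final URL.
function jarDecisionAfterFix(jarUrl, response) {
  const { entry } = parseJarUrl(jarUrl);
  const type = (response.contentType || "").split(";")[0].trim().toLowerCase();
  if (type !== "application/java-archive") {
    return { load: false, reason: `archive served as ${type || "(no type)"}`, entry };
  }
  return { load: true, origin: new URL(response.finalUrl).origin, entry };
}

// Constructed scenarios; the hostnames are placeholders, not real sites.
const scenarios = {
  // Attacker uploads a zip under a .png name to a site that accepts uploads.
  upload: {
    jarUrl: "jar:https://trusted.example/uploads/avatar.png!/payload.html",
    response: { finalUrl: "https://trusted.example/uploads/avatar.png",
                contentType: "image/png" },
  },
  // Trusted site has an open redirect that lands on the attacker's archive.
  redirect: {
    jarUrl: "jar:https://trusted.example/go?to=https://attacker.example/x.jar!/payload.html",
    response: { finalUrl: "https://attacker.example/x.jar",
                contentType: "application/java-archive" },
  },
};

for (const [name, s] of Object.entries(scenarios)) {
  console.log(name, "before:", jarDecisionBeforeFix(s.jarUrl, s.response));
  console.log(name, "after: ", jarDecisionAfterFix(s.jarUrl, s.response));
}
```

Run it with `node` and compare the two lines per scenario: the upload case loads in the trusted site's origin before the fix and is refused afterwards (the archive is labelled `image/png`), while the redirect case is still loaded after the fix but now carries the attacker's origin rather than the redirecting site's, so the payload gains nothing.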

Snyder did not say why it took roughly nine months to address this vulnerability, especially since it was found internally back in February by Mozilla's Jesse Ruderman.

Also see Giorgio Maone's detailed description of this issue, which includes a criticism of my previous mitigation advice and Maone's own workaround.

Topics: Browser, Security


Talkback

11 comments
  • The noscript workaround is a little intrusive...

    to be sure. It appears to prevent the attack but it makes the browser user do a fair bit of work. I'm not sure how viable that is in the real world. A fix is the correct way to address this. I wonder how they come up with fix priorities?

    I do agree with the statement that you should have reported the workaround though.
    magcomment
    • NoScript

      magcomment wrote:

      [i]The noscript workaround is a little intrusive, to be sure. It appears to prevent the attack but it makes the browser user do a fair bit of work.[/i]

      I don't find NoScript to be overly intrusive; less so than Vista's "User Access Control" certainly. At least with NoScript, once you've whitelisted a site you don't have to re-whitelist it every friggin' time.

      I suspect most people (like me) have a handful of sites they visit on a regular basis. Once you've told NoScript how to deal with those sites, it's out of your face.

      When you go to an unknown site, NoScript will block the scripts there, but you can selectively run them if you need to do so. You'll find a lot of those scripts are just running obnoxious ads; no loss missing those IMHO.

      And BTW, the issue seems to be fixed in the latest nightly build. I just tried the 11/19 build and the proof of concept failed for me.
      JDThompson
  • RE: Belated Firefox patch coming for (another) protocol handling bug

    When will they fix the memory leak?
    FROM DOWN UNDER
  • NoScript = welcome in the ancient plain text world

    NoScript is not a practicable solution.
    qmlscycrajg
    • NS "not practicable"

      I simply cannot imagine a web user actually believing that statement. Web designers who make money from selling the latest geegaw or eye-candy might be frustrated by NS, as would those attempting to slide something past the average user.

      NS gives me control. I decide what I want from a website and what I will allow any given site to do on my system. I like that.

      NTP
      revnomad
  • NoScript is basically useless.

    People complain about UAC intrusion, but the same people adore NoScript. NoScript is basically useless.
    qmlscycrajg
    • I won't say that

      I won't say it's useless but it's surely not for everyone.

      _r
      Ryan Naraine
    • Guess you are one of the lazy folks

      we hear about. NoScript is pretty easy to use and not as intrusive as you make it sound. I use it, as do all the others I have educated about it. Some of us would rather be annoyed once for 10 seconds to make a decision than surf unprotected.

      From the looks of your post, you are:

      1. A Microsoft shill posing to discredit the plug-ins and Firefox.
      2. Incapable of figuring out how to use NoScript (it's really easy!)
      3. Ticked off because you didn't think of it first.
      4. A habitual whiner with nothing better to do than to find the negative to everything nice.

      Which is it? ]:) Inquiring minds don't really care.
      Linux User 147560
      • The biggest problem with any open source?

        Attitudes like this...


        "What do you mean you'd rather start a car by turning a key as opposed to getting out and cranking it by hand? You must be:

        1. A shill for the electric starter manufacturers
        2. Incapable of figuring out how to hand crank your car
        3. Ticked off because you didn't invent the crank
        4. A habitual whiner with nothing better to do than to refuse to accept the poor alternatives you're offered."
        ejhonda
        • Not really... more like

          the inability to understand laziness or tolerate it. ]:)
          Linux User 147560
        • 5. A goat

          That refuses to run with the herd of sheep.

          Won't even jump off the cliff with them, either.
          Ole Man