Mozilla confirms Firefox proof of concept information leak vulnerability


Summary: Mozilla's security chief Window Snyder has confirmed a proof of concept information leak flaw in Firefox--even fully patched versions. Snyder confirmed the issue in a blog post.

TOPICS: Browser, Security

Mozilla's security chief Window Snyder has confirmed a proof of concept information leak flaw in Firefox--even fully patched versions.

Snyder confirmed the issue in a blog post. The proof of concept vulnerability was highlighted by researcher Gerry Eisenhaur on Jan. 19. In a nutshell, Firefox leaks information that can allow an attacker to load any JavaScript file on a machine.

Technically, it's a chrome protocol directory traversal. Snyder explains:

When a chrome package is "flat" rather than contained in a .jar the directory traversal allows escaping the extensions directory and reading files in a predictable location on the disk. Many add-ons are packaged in this way.

A visited attacking page is able to load images, scripts, or stylesheets from known locations on the disk. Attackers may use this method to detect the presence of files which may give an attacker information about which applications are installed. This information may be used to profile the system for a different kind of attack.

Some extensions may store information in Javascript files and an attacker may be able to retrieve those. Greasemonkey user scripts may be retrieved using this method. Session storage and preferences are not readable through this technique.

Mozilla gives the flaw a low severity rating for now, but add-ons such as Download Statusbar and Greasemonkey are vulnerable. Look for this vulnerability to get patched, low risk or not. Mozilla has opened a bug.
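A defender can check which installed add-ons register "flat" chrome packages, the condition Snyder describes. The following is an added example, not code from Mozilla or the article; it assumes the standard chrome.manifest registration syntax, and the add-on IDs and package names are constructed sample data.

```python
import os
import tempfile

# Index of the URI field for each chrome.manifest registration type (assumed syntax):
#   content <package> <uri> [flags]
#   locale  <package> <locale> <uri> [flags]
#   skin    <package> <skin> <uri> [flags]
URI_FIELD = {"content": 2, "locale": 3, "skin": 3}

def flat_chrome_packages(extensions_dir):
    """Return sorted (addon_dir, package) pairs with a registration not served from a jar."""
    findings = set()
    for addon in sorted(os.listdir(extensions_dir)):
        manifest = os.path.join(extensions_dir, addon, "chrome.manifest")
        if not os.path.isfile(manifest):
            continue  # plain files or add-ons that register no chrome
        with open(manifest, encoding="utf-8", errors="replace") as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue  # blank line or comment
                fields = line.split()
                idx = URI_FIELD.get(fields[0])
                if idx is None or len(fields) <= idx:
                    continue  # other instruction type or malformed line
                if not fields[idx].lower().startswith("jar:"):
                    findings.add((addon, fields[1]))
    return sorted(findings)

def build_sample_profile(root):
    """Constructed sample data: two hypothetical add-ons, one flat and one jar-packaged."""
    samples = {
        "flat-addon@example.invalid":
            "content flatpkg chrome/content/\nskin flatpkg classic/1.0 chrome/skin/\n",
        "jar-addon@example.invalid":
            "# everything lives inside the jar\n"
            "content jarpkg jar:chrome/jarpkg.jar!/content/\n"
            "locale jarpkg en-US jar:chrome/jarpkg.jar!/locale/en-US/\n",
    }
    for addon, text in samples.items():
        os.makedirs(os.path.join(root, addon))
        with open(os.path.join(root, addon, "chrome.manifest"), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for addon, package in flat_chrome_packages(build_sample_profile(tmp)):
            print(f"{addon}: chrome package '{package}' is registered flat")
```

Pointing `flat_chrome_packages` at a real profile's `extensions` directory lists the add-ons to review or disable until a fix ships.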



Talkback

42 comments
  • The more I use firefox, the less impressed...

    I am. After installing a third-party firewall I discovered that it reports to Google (search disabled and phishing detection disabled) with every web site I visit.

    And now, the fact that someone can read what is on my hard drive after I visit the wrong web site is getting a low risk assessment is beyond me.

    Guess I was just as well to stick with IE!
    bjbrock
    • IE

      ...which is the most vulnerable simply because most-used. You could try Opera. It works rather well.
      --Glenn
      oregonnerd13
    • 6 one half dozen the other

      If security is what you are looking for I'd say both are just as bad or good depending on your point of view. The only real difference I see is Mozilla is a little quicker with the patches.

      If you really want security I'd suggest checking out other browsers. Not that they are more secure but they are less targeted and could actually be less secure.
      voska1
      • not true, because this flaw is known since August

        this flaw is known since August
        Resource Directory Traversal Vulnerability :
        https://bugzilla.mozilla.org/show_bug.cgi?id=394075

        Mozilla is sleeping!
        qmlscycrajg
        • versus...

          Versus at least one Windows vulnerability that has been around since Windows 3.1...
          Amaroq
    • Reports to Google??

      No...that's not Firefox...that's the pages you are visiting!
      Techboy_z
    • Reports to Google

      If you used NoScript, you would find that the web site itself is calling a javascript at Google-Analytics.com. This script is undoubtedly designed to report your choices and activities to Google. This is not a FireFox issue, it's a Google wanting to know everything you do issue.

      If you use FireFox without NoScript and Adblock Plus then you might as well use IE and let it report everything you do to MS's search engines....
      jacarter3
      • I just blocked outgoing traffic to

        all of the Google IPs. I had to block about 6.
        bjbrock
        • Ya Know...

          As several had mentioned Noscript & Adblock can easily resolve these issues, as you can toggle who & what can run scripts, Flash, Javascript and/or even Java.
          (you are aware Java & Javascript are two different things)

          These two addons/extensions (among others) are just some of what make FireFox/IceWeasel/SeaMonkey IMHO better on any platform...

          If I may ask... you mentioned your firewall
          Which one? Software or hardware?

          If you really have the need and/or desire to run Windows,
          and are paranoid or just interested, Linux can be very useful, with as much or as little control/reporting as you like...As a separate device, to run a router/firewall/proxy/honeypot.
          Things like.
          IpCop,
          Smoothwall,
          ClarkConnect
          OpenWRT
          DD-WRT
          Even things like the Yoggie's

          Or a custom Linux config with things like
          IpTables
          Snort
          Sguil
          Etc.......

          Tons of tools for those interested....

          But FF & Noscript is quick & simple.....
          LazLong
        • *sigh*

          Edit > Preferences > Security Tab...

          You probably have "Tell me if the site I'm visiting is a suspected forgery" turned on with the "Check by asking [Google] about each site I visit" selection active.

          You're probably blocking something you set in the first place.

          At least Mozilla confirms their vulnerabilities. Who knows how many hidden holes there are in IE that haven't been revealed yet.
          Amaroq
    • Plain-vanilla Firefox not vulnerable

      This is an issue with certain add-ons, if you don't install one that has this issue you've got no problem. If you use the NoScript extension, you're protected even if you have the problematic add-ons.

      An exploit wouldn't allow reading everything that's on your hard drive - "A visited attacking page is able to load images, scripts, or stylesheets from known locations on the disk." - that's a pretty limited vulnerability.

      In any case, it should be fixed very soon - which is the main security advantage to Firefox. With IE, you could wait months or years for a patch - and there's nothing like NoScript available for IE.
      Greenknight_z
  • RE: Mozilla confirms Firefox proof of concept information leak vulnerabilit

    I have been using Firefox now for the better part of three years I suspect, and there's been nothing that I remember that has caused me grief; whereas, previously using only IE, I couldn't think to count the number of crashes due to viruses and other "creepy thingies," that cause one to ask "Is this ever going to stop?"!!

    Now, I must also admit that I use the Sunbelt Firewall, and Sunbelt's Counterspy, which Cnet has noted a few weeks ago or less, is the very best in the business of keeping Malware of all kinds [except Rootkits] out of our computers, and before Cnet's admiration was poured out, I was telling everyone I could, get this Counterspy for $19.95, because it will take care of a multitude of problems you will find you don't have anymore!

    Now my Uncle owns the Company, but . . . . Just kidding you guys! At least [and I don't know if this is good or bad actually], Firefox did come out and speak about EVEN a low problem with their browser. I remember times when IE had major critical problems, and the only ones who noted that, were other professionals or hackers, who would note how bad this and that were! With Firefox, even with a little trouble, I am far ahead, BUT looking to see if IE8 has anything better to show!
    brotherjim01@...
    • To each his own I guess

      I have been using IE since I got my first Windows based computer, in 2000, and the last significant problem I had with intrusive baddies was prior to service pack 2 on XP. Since then nothing has crashed or caused a single glitch I have had to worry about.

      I say if FF works good for you, great. Use it. I have FF and Opera on my system, and every time I use them for a while I just feel like why am I bothering? If other browsers do it for you, that's fine, obviously no problem, continue on. On the other hand, despite IE's massive footprint on the internet it has, and continues to experience, a very very low incidence of problematic behavior with those who use minimal common sense. And trust me, the wackos who insist on using zero common sense won't last as long on either FF or Opera if they get reckless, as a person using common sense with IE.
      Cayble
  • Mozilla is sleeping! This patch is known since August!

    this flaw is known since August
    Resource Directory Traversal Vulnerability :
    https://bugzilla.mozilla.org/show_bug.cgi?id=394075

    Mozilla is sleeping!...
    qmlscycrajg
    • Not the same bug

      If you read that bug, you should know that it doesn't allow copying files - so it's no danger.
      Greenknight_z
  • Mozilla is sleeping! This flaw is known since August!

    Mozilla is sleeping! This flaw is known since August!
    this flaw is known since August
    Resource Directory Traversal Vulnerability :
    https://bugzilla.mozilla.org/show_bug.cgi?id=394075

    Mozilla is sleeping!......
    qmlscycrajg
    • Qmiscycraig@...,

      why essentially the same posting three (3) times - # 4, 9, and 10 - on this thread ? Just a check to see whether we were paying attention, or are Mozilla and Firefox your favourite bêtes noires ?...

      Henri
      mhenriday
    • Not exactly.

      I do see this bug is similar to 394075. Someone even appended to this but the similarity of this to 413250 and vice versa but there is no proof (right now) that this is same bug yet.
      NoScript is a good way to stop this issue but bug fix should be part of main application without using extensions.
      phatkat
  • NoScript

    I use the NoScript add on for Firefox, and it blocks all kinds of java from running, even those that report back to Google (analytics).

    Is NoScript going to block this problem?
    paul.byford
    • Yes it prevents this problem

      NoScript prevents this problem from being exploited, no matter if the site is trusted or not:
      https://bugzilla.mozilla.org/show_bug.cgi?id=413250#c10
      Giorgio Maone