Mozilla patches Firefox latest protocol handling bug; other items


Mozilla has issued a patch for Firefox that fixes the "jar:" protocol handler issue.

In an advisory on Monday, Mozilla said:

The jar: URI scheme was introduced as a mechanism to support digitally signed web pages, enabling web sites to load pages packaged in zip archives containing signatures in java-archive format.

Jesse Ruderman and Petko D. Petkov point out this means that sites that allow users to upload binary content in zip format are effectively allowing users to install web pages on their site, and these can be used to perform Cross-Site Scripting (XSS) attacks.

The blogger at beford.org noted that redirects confused Mozilla browsers about the true source of the jar: content: the content was wrongly considered to originate with the redirecting site rather than the actual source. This meant that an XSS attack could be mounted against any site with an open redirect even if it didn't allow uploads. A published proof-of-concept demonstrates stealing the GMail contact list of users logged-in to GMail.
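Modelling the two failure modes the advisory describes, as an added example (JavaScript for Node, not code from the article or from Mozilla): a jar: URL parser, the pre-fix versus corrected way of deriving the origin of jar: content when the archive URL redirects, and a zip-detection check an upload filter could apply on a site that accepts binary uploads. The host names, the redirect table and the sample files are constructed.

```javascript
'use strict';
// Added example, not code from the article or from Mozilla. Models the
// jar: URL scheme and the two failure modes in the advisory: (1) a zip
// uploaded to a site becomes web content in that site's origin, and
// (2) pre-fix Firefox took the origin from the URL written inside jar:
// rather than from where a redirect actually fetched the archive.
// All host names, the redirect table and the sample files are constructed.

const JAR_RE = /^jar:(.+?)!\/(.*)$/;

// Split "jar:<archive-url>!/<entry-path>" into its two parts.
function parseJarUrl(url) {
  const m = JAR_RE.exec(url);
  return m ? { archiveUrl: m[1], entryPath: m[2] } : null;
}

// Web origin (scheme://host[:port]) of an ordinary URL.
function originOf(url) {
  return new URL(url).origin;
}

// Constructed redirect table standing in for HTTP 3xx responses from an
// open redirector on victim.example.
const REDIRECTS = {
  'http://victim.example/out?to=http://attacker.example/evil.zip':
    'http://attacker.example/evil.zip',
};

function followRedirects(url, table = REDIRECTS, maxHops = 10) {
  let cur = url;
  for (let i = 0; i < maxHops && table[cur]; i++) cur = table[cur];
  return cur;
}

// Pre-fix behaviour as described by beford.org: origin of the URL as
// written inside jar:, before any redirect is followed.
function jarOriginBuggy(jarUrl) {
  const p = parseJarUrl(jarUrl);
  return p ? originOf(p.archiveUrl) : null;
}

// Corrected behaviour: resolve the archive URL first and take the origin
// from wherever the bytes actually came from.
function jarOriginFixed(jarUrl, table = REDIRECTS) {
  const p = parseJarUrl(jarUrl);
  return p ? originOf(followRedirects(p.archiveUrl, table)) : null;
}

// Upload-filter check: does this blob open as a zip archive? Zip readers
// locate the central directory from the END of the file, so testing only
// the leading "PK\x03\x04" misses a file that starts as an image and ends
// with a zip (a polyglot). Search the tail for the end-of-central-directory
// record too (22 fixed bytes plus up to a 65535-byte archive comment).
const LOCAL_HEADER_SIG = Buffer.from([0x50, 0x4b, 0x03, 0x04]);
const EOCD_SIG = Buffer.from([0x50, 0x4b, 0x05, 0x06]);
const EOCD_MIN = 22;
const EOCD_MAX_COMMENT = 0xffff;

function looksLikeZip(buf) {
  if (buf.length >= 4 && buf.subarray(0, 4).equals(LOCAL_HEADER_SIG)) return true;
  const start = Math.max(0, buf.length - EOCD_MIN - EOCD_MAX_COMMENT);
  for (let i = buf.length - EOCD_MIN; i >= start; i--) {
    if (buf.subarray(i, i + 4).equals(EOCD_SIG)) return true;
  }
  return false;
}

// Constructed samples. A valid empty zip is just a 22-byte EOCD record.
const EMPTY_ZIP = Buffer.concat([EOCD_SIG, Buffer.alloc(18)]);
const GIF_POLYGLOT = Buffer.concat([Buffer.from('GIF89a'), Buffer.alloc(32), EMPTY_ZIP]);
const PNG_HEADER = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

function demo() {
  // Upload case: the archive really is on victim.example, so even the
  // corrected origin logic runs its pages as victim.example content.
  const uploaded = 'jar:http://victim.example/uploads/evil.zip!/x.html';
  console.log('uploaded zip, fixed origin :', jarOriginFixed(uploaded));
  // Open-redirect case: only the corrected logic attributes it to the attacker.
  const redirected = 'jar:http://victim.example/out?to=http://attacker.example/evil.zip!/x.html';
  console.log('redirect, buggy origin     :', jarOriginBuggy(redirected));
  console.log('redirect, fixed origin     :', jarOriginFixed(redirected));
  console.log('empty zip  :', looksLikeZip(EMPTY_ZIP));
  console.log('gif/zip    :', looksLikeZip(GIF_POLYGLOT));
  console.log('png header :', looksLikeZip(PNG_HEADER));
}
demo();
```

The redirect fix alone does nothing for the upload case: an archive that genuinely lives on the site is, correctly, that site's content, which is why a site accepting binary uploads needs its own check (such as looksLikeZip above) or must serve uploads from a separate origin.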

Ryan earlier reported the details of this flaw, which has been known since February.

Also in Firefox 2.0.0.10, Mozilla fixed a few other items, including a Referer-spoofing flaw and memory corruption vulnerabilities. In all, the release fixed six vulnerabilities.

Ryan is on vacation. 

Topics: Browser, Security

Talkback

3 comments
  • Yes, and the fix broke Java

    I installed the update last night. Websites using java no longer worked in FF. I'm going back to the previous version.
    DaffyDuck
    • DaffyDuck,

      FF 2.0.0.10 works fine for me. It doesn't break Java sites on either XP or Gutsy...

      Henri
      mhenriday
  • RE: Mozilla patches Firefox latest protocol handling bug; other items

    Not to check the firewall and ensure it is set in a proper manner, one would have to
    be a fool.

    An intelligent or half-intelligent person looks for these things when a new
    system comes along.
    FROM DOWN UNDER