Mozilla ups unpatched Firefox flaw to 'high severity'; Preps fix

Mozilla ups unpatched Firefox flaw to 'high severity'; Preps fix

Summary: Mozilla has given a proof of concept Firefox vulnerability a "high severity" rating because an attacker can collect session information such as cookies and history, according to Mozilla security chief Window Snyder.Snyder said the vulnerability will be patched with Firefox 2.

TOPICS: Browser, Security

Mozilla has given a proof of concept Firefox vulnerability a "high severity" rating because an attacker can collect session information such as cookies and history, according to Mozilla security chief Window Snyder.

Snyder said the vulnerability will be patched with Firefox, which will be pushed out "shortly."

On Jan. 22, Snyder confirmed a proof of concept vulnerability discovered by researcher Gerry Eisenhaur on Jan. 19. Simply put, Firefox leaks information that can allow an attacker to load any javascript file on a machine. This "chrome protocol directory transveral" is in play whenever there are "flat" files--common in add ons--are installed. Chances are good that most Firefox users will have at least a few of these add ons installed. That's a lot of data leakage.

Mozilla initially gave the flaw a low severity rating, but changed its mind after further investigation.

Snyder writes:

An attacker can use this vulnerability to collect session information, including session cookies and session history.  Firefox is not vulnerable by default. If you are an author of any of these add-ons, please release an update to your add-on that uses .jar packaging.

The list of the add-ons affected is long, but Snyder noted it was only a partial list. A few add-ons that stuck out.

  • ajax_yahoo_mail_viamatic_webmail_-0.9-fx+fl
  • quickjava-0.4.2-fx
  • open_java_console-1.5-fx
  • firefoxit-0.1.2-fx+fl
  • ie_view_lite-1.2-fx
  • extended_statusbar-1.2.4-fx
  • sourceforge_direct_download-0.4-fx
  • no_new_window-0.1-fx
  • farky-1.1.3-fx
  • livejournal_friends_checker-
  • termblaster_firefox_edition_-1.3.7-fx
  • myurlbar_a-2006.04.19-fx
  • pingpong-0.7-fx
  • print_print_preview-0.3-fx
  • world_of_warcraft_realm_status_tool-0.2-fx
  • settlers_3d_connector_user_info-0.1-fx
  • gmail_skins-0.9.8-fx
  • firephish_anti-phishing_extension-0.1.1-fx
  • bookmark_sync_and_sort-1.0.6-fx
  • inline_blocked_image_view-1.1-fx
  • myspace_friend_renamer-.75-fx
  • facebook_o-state_cowboy_style-1.2-fx
  • flickrgethighrez-2007.02.06-fx
  • refspoof-0.9.1-fx
  • arfcom_ad_blocker-1.0-fx
  • downloads_in_tab-0.0.2-fx
  • adwords_keyword_multiplier-0.1-fx
  • livejournal_addons-5.2.7-fx

Other links of note about this problem:

Topics: Browser, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Since one cannot remove IE, ....

    ... the loading of Firefox increases your security exposure. That being said, people running Firefox are less secure then those sticking with IE.
    • Message has been deleted.

    • For a last note , Mirosoft is put on notice again .

      Seems as the folks at ZDNET seem to be forgetting many stories like this about Microsoft products . It's true then , ZDNET is seriously biased and will do anything to protect its (ass)ets .

      New attack proves critical Windows bug 'highly exploitable'

      Vista kernel protections no help here, say researchers
      • It seems you are the only one showing bias.

        That story was covered here and has nothing to do with this article. Try staying on subject.
        • Good catch

          Perhaps he should change his name to "Beyond OS X, a Leopard is blind"?
      • Please don't....

        ..make someone have to post links to all the hundreds of ZD Net articles that have mentioned flaws in Microsoft products over the last few years. Its the same old story - any time anyone publishes something negative about Microsoft, the "I hate Microsoft" crowd cheers, ra, ra ra. But when something negative is published about your open source wonder child, the poster is obviously "seriously biased" - even though all Mr. Dignan is doing is giving some basic information and pasting in a couple of quotes from Mozilla's security guy.

        I think most of us are getting sick to death of every article/posting rapidly devolving into a Microsoft Vs. Open Source death struggle. It often seems like people are arguing their religion rather than competing licensing models.
        • amen to that

          Patches happen folks...
          Larry Dignan
        • Greate Post.

          Well said...
          • Yes, abide by it No_Axe

            one of the biggest Zdnet trolls
          • The Troll Couldn't Hear You

            His ear wax was clogging his hairy troll ears up.
        • Isn't that the norm

          If it's a non Microsoft product with a security flaw you have the Microsoft Zealots charging in to point fingers and make stupid comments that are really irrelevant to the whole discussion. On the opposite side of the spectrum you get Microsoft product with a flaw and you get the Non Microsoft Zealots doing the exact same thing.

          What really gets me is when these people pretending to take the high road when it is them that are the problem. They know who they are, no need to mention names.
        • Malware is Terrorism

          Malware is the software bomb of Software Terrorists.

          You ZDnet guys can be pretty slow. Yes it is religious and like all other religions there is only one right way. And it is more important than simple life and death to many people.

          Thus all the long arguments and rehashes ARE the story. ZDnet is just on the wrong side and poor journalists for not recognizing that when the revolution comes they will be the first agaisnt the wall. 42!!!! Open Source. Foam. Foam. Froth. Mad Dog. If that is way it takes.
          • Sorry I can't help seeing both sides

            Open Source does have the ultimate winning point. It is FREE. Someday that will be the nail in MS coffin at least for general purpose users. Friendiless and application support (esp. games) are the controlling issues as to when that nail driven home.

            So really flaws is somewhat moot point for debate while we wait.

            In the meantime Windows has more polished applications and hosts those applications more easily (especially games) for casual users. Sorry but 20 hours of research per month on installing apps is not casual Linux hobbyists.
        • Hear Hear

          hear hear, well said sir.

          The gigabytes of useless and unnecessary M$ bashing on blogs would probably feed the poor and cloth the naked.

          And it goes ON AND ON AND ON ..... Its almost impossible to see any useful comment for the gash, drivel.

          No software is bug free, the larger the code base the more bugs there will be!
      • If you read the story you would have found out

        that this exploit also works on the almighty Vista . So much for the indestructable Vista Kernel .
        • I get it.

          Apple doesn't have a real browser, beyond it's toy offering with possibly worse security than QT, which is known worldwide to be the worst security nightmare ever written for a media player. <br>
          So you come here to post jealous rants about IE and Vista, which the blog is not about. Of course you would. Jealousy runs deep in your type and you hate success from those you don't back. You do realize that is a positive sign of mental instability, or maybe you wouldn't. You're too far gone to recognize reality.
        • Haven't you read the others posting to you on topic

      • That's just proves...

        ...That nothing is perfect.
        Windows Vista's security is tight, But not perfect.
        Same for Firefox and even Linux.
        I've seen a lot of negative articles about Microsoft on ZDNet.
        I've seen many articles regarding this TCP/IP flaw on ZDNet.
        Let's hope that Mozilla will release a security patch soon and nobody will get affected by the flaw.
        (Though I'm not a Mozilla/Firefox user)
      • What about the Leopard/Tiger flaw they're ignoring?
        • WOW. And Apple calls the fix an enhancement.. not surprised. <nt>