War of words over alleged Firefox vulnerability

Summary: Researcher Ronald van den Heetkamp claimed that he had found a Firefox flaw just a few hours after Mozilla released its 2.0.

TOPICS: Security, Browser

Researcher Ronald van den Heetkamp claimed that he had found a Firefox flaw just a few hours after Mozilla released its update that patched a series of vulnerabilities. Mike Shaver, a Mozilla security staffer, begged to differ and said van den Heetkamp is dead wrong.

On Friday, van den Heetkamp predicted Firefox would release a fix for his latest discovery. Van den Heetkamp said that he had discovered "another information leak" and talked up the fact that his find came just hours after the latest Firefox update.

He wrote on his blog:

Because directory traversal through plugins is all nice and such, we don't need it. We can trick Firefox itself into traversing directories back. I found another information leak that is very serious because we are able to read out all preferences set in Firefox, or just open or include just about every file stored in the Mozilla program files directory, and this without any mandatory settings or plugins.

In the vulnerability we make use of the 'view-source:' scheme that allows us to source out the 'resource:' scheme. With it, we can view the source of any file located in the 'resource:///' directory, which translates back to: file:///C:/Program Files/Mozilla Firefox/. Then we only include the file inside it and it becomes available to a new page's DOM, and so we are able to read all settings.

Van den Heetkamp acknowledged that his discovery is a proof of concept.

Shaver on his blog noted that van den Heetkamp has proof of nothing.

Shaver wrote:

Ronald van den Heetkamp has claimed that he found a vulnerability that affects all released versions of Firefox, and so the Mozilla security group and others have been investigating it, as we do all such claims.

In this case, it appears to me as though Ronald is simply mistaken. The files to which Ronald demonstrates access do not have the user's settings, though he claims otherwise. Those files (the user's data) are not stored in the Program Files hierarchy on Windows, or the equivalent on other operating systems. Instead, the preference files that he is showing in his "exploit" are ones that are defaults that are shipped with Firefox, and made freely available on the web. Again, these are not user settings, but defaults that are shipped with all copies of Firefox and contain no personal information.

Shaver and van den Heetkamp then go at it in the comments on Shaver's blog. I'm not going to pretend that I know the technical details well enough to pick a winner. But with reports of van den Heetkamp's find being circulated, I figured it's worth putting both sides in one place.
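The whole dispute turns on Shaver's distinction between preference files that ship identically with every copy of Firefox and the ones that carry a particular user's (or administrator's) settings. The script below is an added example of mine, not code from the article, from Mozilla, or from either party, that makes that distinction checkable: it parses preference-file text and reports which entries are shipped defaults and which are user or admin state. It assumes the usual Firefox pref-file grammar (pref(...) in the shipped defaults, user_pref(...) in a profile's prefs.js, lockPref(...)/defaultPref(...) in an admin file such as the mozilla.cfg a commenter below mentions); the three sample files and the "sensitive" name heuristic are constructed for the example.

```python
import re

# Grammar of one preference line, modeled on Firefox's pref files (an
# assumption of this example, not something the article specifies):
#   pref("name", value);         shipped defaults (defaults/pref/*.js)
#   user_pref("name", value);    a profile's prefs.js
#   lockPref / defaultPref       admin lock file such as mozilla.cfg
PREF_LINE = re.compile(
    r'^\s*(?P<kind>pref|user_pref|lockPref|defaultPref)\s*\(\s*'
    r'"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;\s*(?://.*)?$'
)

# Shaver's distinction: what ships with every copy versus what a
# particular user or their administrator set.
ORIGIN = {
    "pref": "shipped default",
    "defaultPref": "admin default",
    "user_pref": "user setting",
    "lockPref": "admin lock",
}

# Name fragments that usually mark a setting worth protecting (heuristic,
# constructed for this example).
SENSITIVE_HINTS = ("proxy", "password", "signon", "login")


def parse_value(raw):
    """Turn the textual value into bool/int/str (no escape handling)."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text):
    """Parse pref-file text into (kind, name, value) tuples; comments skipped."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("//", "#", "/*", "*")):
            continue
        m = PREF_LINE.match(s)
        if m:
            entries.append((m["kind"], m["name"], parse_value(m["value"])))
    return entries


def summarize(text):
    """Count entries per origin; list non-default entries that look sensitive."""
    report = {origin: 0 for origin in ORIGIN.values()}
    report["sensitive"] = []
    for kind, name, value in parse_prefs(text):
        origin = ORIGIN[kind]
        report[origin] += 1
        if origin != "shipped default" and any(
            hint in name.lower() for hint in SENSITIVE_HINTS
        ):
            report["sensitive"].append((name, value))
    return report


# Constructed sample files (not taken from any real installation).
SHIPPED_DEFAULTS = """\
// shaped like defaults/pref/firefox.js: identical in every copy shipped
pref("general.useragent.locale", "en-US");
pref("network.proxy.type", 0);
pref("signon.rememberSignons", true);
"""

PROFILE_PREFS = """\
# Mozilla User Preferences
/* Do not edit this file. */
user_pref("browser.startup.homepage", "http://intranet.example");
user_pref("network.proxy.http", "proxy.corp.example");
user_pref("network.proxy.http_port", 8080);
"""

ADMIN_LOCK = """\
// shaped like a mozilla.cfg kept beside the executable
lockPref("network.proxy.type", 1);
lockPref("network.proxy.http", "proxy.corp.example");
defaultPref("browser.startup.homepage", "http://intranet.example");
"""

if __name__ == "__main__":
    for label, text in (("shipped defaults", SHIPPED_DEFAULTS),
                        ("profile prefs.js", PROFILE_PREFS),
                        ("mozilla.cfg", ADMIN_LOCK)):
        print(label, summarize(text))
```

Run against the three samples, the shipped-defaults file yields only "shipped default" entries and an empty sensitive list, even though its names mention proxies and sign-ons, while the profile and admin files are where user-specific and locked values appear. That is the check worth making before calling a readable file in the install directory a leak: ask which of these origins the file actually belongs to.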

  • Interesting...I don't know, but I suspect...

    I suspect the Mozilla guy is right this time. Since the just-fixed vulnerability dealt with exactly this issue, I find it hard to believe that the team did not test this very thing. I am betting that the "proof of concept" will *only* work with the default shipped file, and that once the browser is actually in use, the settings files created for a real user are not going to be accessible through illicit pathways. We shall see, though. If it should prove to be a flaw...my confidence in that team will be undermined, since it would mean a lack of vision/understanding on a vulnerability that they just focused on. I'm hoping the Mozilla guys will show us their quality here. ;)
  • Mozilla wrong if...

    you use mozilla.cfg to lock down preferences. This file contains the locked down preferences and is stored in the same folder as the executable.

    If this file is truly visible then it is definitely an information leak.
  • RE: War of words over alleged Firefox vulnerability

    Ever since Ryan left this column has gone downhill. It's no longer interesting and seems to lack the detail that Ryan's columns had.

    Ryan's over at www.eweek.com (zdnet sister company) doing pretty much the same as he did here.

    • Comparatively....

      ...what you deem to be a lack of interesting content is nothing compared to your lack of tact.
      • Disagreed.

        The content here (I can't call it writing) has gotten far too political. See the latest Blankenhorn blog about OOXML:


        Some of it is an ok explanation of industry leaders musing on the workings of the ISO process. But then he conveniently slips in a 1-2 punch against Bush. What the hell does that have to do with XML? Nothing, but he doesn't miss a chance to get political. That's not what most of us come here for. We come for tech news...we want technical details, not national politics. Just one example. The point being, these people at ZDNet have forgotten how to do good tech journalism.
        • Unfortunately that's not unique to ZDNet

          I see it all the time on the internet, TV or movies. Some people feel the need to push their agendas, even on the most un-political of forums. Totally unprofessional.
          hasta la Vista, bah-bie
      • Tact?

        I am about as subtle as a flying brick :P

  • Be part of the solution...

    and not part of the problem. Why do all of these hackers put these vulnerabilities on the net so any A$$#ole can try to get in? Why don't they work with the software suppliers like Mozilla to help them fix their code???? Confused
    • Fixing the Code

      As my brother is fond of saying, "That would be too much like 'right.'" Meaning that makes too much common sense to be normal human behavior. I suspect with a few of these guys, it's a case of being addicted to notoriety. "Hey lookit me! I found a flaw in a big time program! I'm a genius!" Mind you, that doesn't apply to everyone who finds security flaws.
  • RE: War of words over alleged Firefox vulnerability

    windows.... windows...

  • RE: War of words over alleged Firefox vulnerability

    What vulnerability? Last night Firefox updated like it always does when there's a 'vulnerability' problem, and good luck IE users, cuz you ain't getting one yet
  • RE: War of words over alleged Firefox vulnerability

    I'm gonna have to side with Mike Shaver on this one. Now, I'm no programmer by any means, but I know a thing or two about how Firefox saves configuration information. I have a Windows XP laptop that I use both at home and at work. To make sure I don't cross up my personal home data with my work data, I have created two separate accounts which I log into depending on where I am. I noticed that I can configure Firefox to function and behave differently in each account. How could this be if user info was stored in C:\Program Files\Mozilla Firefox? The answer is simple: user adjustments are actually saved in C:\Documents and Settings\Username\Local Settings\Application Data\Mozilla\Firefox\Profiles. All user info is stored there, including cache, surf history, add-ons, themes, password settings, bookmarks, and so on. Thus, no matter how many user accounts I create, I can make Firefox different for each one respectively.
  • Defaults

    Default prefs are stored in the program directory, user prefs under %system root%\Documents and Settings\yourusername\Application Data\Mozilla\Firefox\Profiles\randomstring.default (or similar in Mac / Linux). Dunno how the traversal is supposed to work, but wouldn't it be with the privileges of the logged in user?
  • RE: War of words over alleged Firefox vulnerability

    Why bicker? Just fix it!
    • The Bickersons

      Well, the bickering is because they have yet to determine if there is really anything there that actually needs to be fixed.
  • RE: War of words over alleged Firefox vulnerability

    Children haven't learned to play nice yet !!
  • What, me worry.

    with FF, never.