Flaw reported in updated Firefox

Flaw reported in updated Firefox

Summary: A proof-of-concept vulnerability has been reported in the latest version of Mozilla's web browser

TOPICS: Security

A potential flaw has been reported in the latest version of Mozilla's Firefox web browser, version

Vulnerability researcher Ronald van den Heetkamp published a directory traversal flaw in Firefox version on Friday, hours after the release of the latest version of the browser.

A directory traversal flaw enables an attacker to potentially access another user's remote files due to insufficient security validation. The alleged flaw found by van den Heetkamp makes use of the Firefox "view-source:" feature.

"In the vulnerability we make use of the 'view-source:' scheme that allows us to source out the 'resource:' scheme," wrote van den Heetkamp. "With it, we can view the source of any file located in the 'resource:///' directory, which translates back to: file:///C:/Program Files/Mozilla Firefox/. Then we only include the file inside it and it becomes available to a new page's DOM, and so we are able to read all settings."

The vulnerability researcher claimed the proof-of-concept flaw enables an attacker to read preferences in Firefox, or to open files stored in the Mozilla program files directory. A workaround is to install a NoScript plugin.

Read this


Special report: Anatomy of a hack attack

We recreate a typical attack on two large organisations

Read more

Mozilla released Firefox version on Friday, patching 10 security vulnerabilities, including a different directory traversal flaw in Firefox's "chrome" user interface that had been confirmed by Window Snyder, Mozilla's head of security, in January.

Mozilla Europe had not responded to a request for comment at the time of writing.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to start the discussion