January 23, 2008 10:45 AM PST

Mozilla confirms low-risk Firefox flaw

by Robert Vamosi

There's a directory traversal vulnerability in the chrome protocol scheme within Firefox 2. Proof of concept code for this was first posted to the Internet on January 19, 2008. On Tuesday, Mozilla security chief Window Snyder confirmed that the flaw affects fully patched versions of the Firefox browser.

When a "flat" add-on is present, that is, an extension that stores its files as plain JavaScript on disk rather than packed inside a .jar archive, an attacker exploiting this flaw may be able to retrieve data or profile a compromised system. Extensions such as Greasemonkey and Download Statusbar may be affected.

On the Mozilla security blog site Snyder wrote:

"When a chrome package is 'flat' rather than contained in a .jar, the directory traversal allows escaping the extensions directory and reading files in a predictable location on the disk. Many add-ons are packaged in this way.

"A visited attacking page is able to load images, scripts, or stylesheets from known locations on the disk. Attackers may use this method to detect the presence of files which may give an attacker information about which applications are installed. This information may be used to profile the system for a different kind of attack."

Mozilla, which considers this threat low risk, has opened a bug.
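As an added example (not Mozilla's code or anything from this article), the Python below classifies the packages declared in an add-on's chrome.manifest as flat or jarred, which is the distinction Snyder draws above, and shows the containment check a chrome:// path resolver needs so that ".." segments cannot leave the package directory. The manifest line format is assumed from the Firefox 2 extension format, and the sample manifest is constructed.

```python
import posixpath

# Constructed sample chrome.manifest (not from any real add-on): one package
# mapped straight to a directory ("flat"), one packed inside a .jar archive.
SAMPLE_MANIFEST = """\
content flatbar chrome/content/
skin    flatbar classic/1.0 chrome/skin/
content jarbar  jar:chrome/jarbar.jar!/content/
locale  jarbar  en-US jar:chrome/jarbar.jar!/locale/en-US/
"""


def classify_packages(manifest_text):
    """Return {package: 'flat' | 'jar'} from chrome.manifest lines.

    content/skin/locale lines map a chrome package to a URI (assumed format);
    a 'jar:' URI means the files live inside an archive, anything else is a
    flat directory on disk and therefore the case the article describes.
    """
    result = {}
    for line in manifest_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        kind = parts[0]
        if kind == "content" and len(parts) >= 3:
            pkg, uri = parts[1], parts[2]
        elif kind in ("skin", "locale") and len(parts) >= 4:
            pkg, uri = parts[1], parts[3]
        else:
            continue  # other directives carry no file mapping we care about
        packaging = "jar" if uri.startswith("jar:") else "flat"
        if result.get(pkg) != "flat":  # one flat mapping makes the package flat
            result[pkg] = packaging
    return result


def flat_packages(manifest_text):
    """Names of packages that are unpacked on disk, sorted for stable output."""
    return sorted(p for p, k in classify_packages(manifest_text).items() if k == "flat")


def resolve_within(base_dir, relative_path):
    """Resolve relative_path under base_dir, or return None if it escapes.

    Normalising '.' and '..' before the prefix test is what keeps a traversal
    like '../../..' from resolving to a predictable location outside the package.
    """
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, relative_path))
    if target == base or target.startswith(base + "/"):
        return target
    return None
```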

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Download Statusbar updated
by pcabellor January 23, 2008 1:01 PM PST
At least the Download Statusbar extension has been updated (0.9.5.3) and repackaged as a .jar file, so it should no longer be affected. To update, users should
Download Status Bar
by Tergon January 23, 2008 1:08 PM PST
Hurray for Open Source and Community Development. At least one JS Add-on has been updated. Go to add-ons and update your add-ons.

See below for the comment from the Download Statusbar developer:

"Comment #5 Devon Jensen 2008-01-22 23:59:24 PST
Note:
I just released a JARred version of Download Statusbar 0.9.5.3

If you want to test this bug in FF2, you can use Download Statusbar 0.9.5.2
https://addons.mozilla.org/en-US/firefox/addons/versions/26

(Yes, I realize that this is only one of many 'flat' extensions but considering
it is the main example and the large user base, I thought it best to JAR it up
for now)

I prefer the flat file structure so I hope this can get fixed -"
Here's what I don't get....
by Robbo75 January 30, 2008 11:48 AM PST
Why do almost all computers (yes, I know there are some UberDorks out there who already do this) use C: as the name for the hard-drive? All I need to do is put c:\directory\filename.exe in a path and it will run on almost every computer. It's so rare that a user will ever do anything root level in DOS (UberDorks, we know you run all your apps in the base operating system. We're proud of you. Now go flame people on the Hobbit movie forum).

Anyway, why don't computers use randomized strings for the hard-drive name? Wouldn't it solve a lot (but obviously not all) of security issues?