Mozilla to Patch Firefox Against Another Protocol Handler Flaw
Mozilla Corp. has decided to patch Firefox to fix a vulnerability in its protocol handler, the company's Chief Security Executive, Window Snyder, said on November 16, 2007. The decision comes after security researchers demonstrated that the nine-month-old flaw was more serious than earlier thought.
The flaw involves another URI (Uniform Resource Identifier) protocol handler bug. Researchers discovered this cross-site scripting flaw in February 2007 but reported it to Mozilla's Bugzilla database only in October.
The problem is that Firefox's "jar:" protocol handler does not check the Multipurpose Internet Mail Extensions (MIME) type of the archive it is asked to open, so a file that is a valid archive is unpacked regardless of the type it was served as. Content extracted from the archive then runs in the security context of the site that hosts the archive. An attacker can therefore mount cross-site scripting attacks against websites that let visitors upload files such as .png, .doc, .zip, .txt and .odt.
Independent researcher Petko Petkov said that it is possible to launch cross-site scripting attacks against any application that permits the upload of ZIP or JAR files, ComputerWorld reported on November 18, 2007. Potentially vulnerable targets include document-sharing systems, webmail clients, collaboration systems and all Web 2.0-based applications, Petkov said.
Further, an attacker could exploit the flaw by uploading a ZIP file to a legitimate site that accepts user uploads. Because the file's contents run in that site's security context, the attacker can read the data of a victim who has stored content on the site, without the victim being aware of it.
A second issue concerns loading a ZIP archive from a website via a redirect. In that case Firefox assigns the content the security context of the site that initiated the load, not of the site the redirect ultimately points to. An attacker could thus host the archive, with embedded malicious script, on his own site and point a jar: URL at an open redirect on a legitimate site; the script would then run in the context of the site holding the redirect.
Mozilla had previously fixed another URI protocol handler flaw, the firefoxurl flaw.
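The jar: URI structure and the origin inheritance described in the two paragraphs above, as an added JavaScript example (not code from the article, from Petkov or from Mozilla). The host names and the response objects are constructed, and the hardened function is an illustration of the kind of MIME-type check the article says was missing, not Mozilla's actual patch.

```javascript
// Added example, not code from the article or from Mozilla. Models how a
// jar: URI is split and which origin the unpacked entry inherits. Host names
// and the `response` objects are constructed stand-ins for a real fetch.

const JAR_MIME_TYPES = new Set(["application/java-archive", "application/x-jar"]);

// jar:<archive-url>!/<entry-path>  ->  { archive, entry }
function parseJarUri(uri) {
  if (!uri.startsWith("jar:")) throw new Error("not a jar: URI");
  const body = uri.slice("jar:".length);
  const sep = body.indexOf("!/");
  if (sep === -1) throw new Error("jar: URI lacks the '!/' entry separator");
  return { archive: body.slice(0, sep), entry: body.slice(sep + 2) };
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Behaviour the article describes: the entry runs in the origin of whatever
// site hosts the archive. Nothing looks at the archive's Content-Type, so a
// ZIP uploaded under a .png, .doc or .odt name is unpacked all the same, and
// a redirect does not change the answer: the origin stays with the site that
// started the load, which is what makes an open redirect usable.
function vulnerableEffectiveOrigin(uri, response) {
  return originOf(parseJarUri(uri).archive); // response is never consulted
}

// Illustration of the MIME gate the article says was missing. This is an
// assumption about the shape of such a check, not Mozilla's patch verbatim:
// only archives served as a jar are unpacked, and a load that was redirected
// to another origin is refused rather than lent the redirector's origin.
function hardenedEffectiveOrigin(uri, response) {
  const { archive } = parseJarUri(uri);
  const mime = response.contentType.split(";")[0].trim().toLowerCase();
  if (!JAR_MIME_TYPES.has(mime)) return null;
  if (response.finalUrl && originOf(response.finalUrl) !== originOf(archive)) return null;
  return originOf(archive);
}

// Constructed scenarios (hypothetical hosts).
const uploadCase = {
  uri: "jar:https://docs.example/uploads/avatar.png!/x.html",
  response: { contentType: "image/png", finalUrl: null },
};
const redirectCase = {
  uri: "jar:https://docs.example/redirect?to=https://attacker.example/evil.zip!/x.html",
  response: { contentType: "application/zip", finalUrl: "https://attacker.example/evil.zip" },
};

for (const c of [uploadCase, redirectCase]) {
  console.log(c.uri);
  console.log("  vulnerable origin:", vulnerableEffectiveOrigin(c.uri, c.response));
  console.log("  hardened origin:  ", hardenedEffectiveOrigin(c.uri, c.response));
}
```

Run under Node, it prints for each constructed case the origin the flawed handler would grant the unpacked page next to what the gated version returns. The point to notice is that in both the upload and the redirect case the vulnerable answer is the legitimate site's origin, never the attacker's: the uploaded or redirected-to archive borrows the trust of the site through which it was reached.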
SPAMfighter News - 10-12-2007