Explore the latest news and trends  

Sign up for our weekly security newsletter

Be the first to receive important updates on security


Firefox Bug Threatens to Disclose Information

Mozilla's Chief of Security, on January 22, 2008, confirmed the presence of vulnerability in Firefox that attackers could exploit to launch a thorough assault.

According to Window Snyder, Chief Security Officer at Mozilla Corp, the flaw resides in the chrome protocol of the browser. She said this after the vulnerability got reported and a proof-of-concept exploit was publicly posted. ComputerWorld published this in news on January 23, 2008. 'Chrome' is a term Firefox uses for the user interface of the browser.

On security blog website of Mozilla, Snyder wrote that for a chrome package that is flat instead of being in a jar, the traversal directory facilitates the escape of the extensions directory along with reading files on the disk in a known location. In this way, many functions could be added on to the package. ZDNet published this in news on January 23, 2008.

Snyder further wrote that an attacking page that is visited is capable of loading scripts, stylesheets or images from predictable regions of the computer disk. Attackers, with this method, could determine the existence of files that could reveal information regarding which software was installed. Then that information could be utilized to prepare the computer for another type of attack.

While Mozilla at present rated this vulnerability as less severe, some add-ons or extensions like Greasemonkey and Download Statusbar might save information in JavaScript-written files, which an attacker could successfully retrieve. In order not to allow this exploitation, Mozilla has released updated versions of the extensions.

Talking on Bugzilla, Devon Jensen said that he recently issued a JARed edition of Download Statusbar ComputerWorld published this.

Meanwhile, users of Firefox could install one other add-on, the widely used NoScript extension that traps exploits irrespective of the extension installed or updated.

Albeit Snyder regarded the bug threat with low importance, researcher Gerry Eisenhauer who exposed the vulnerability commented the threat could be even severe, reported ComputerWorld on January 23, 2008.

Eisenhauer said that the threat from the bug appears interesting with bigger potential. However, right now it was only one of information disclosure, he said through a write-up on January 19, 2008.

Related article: Firefox Gets Vulnerable With JavaScript

» SPAMfighter News - 2/4/2008

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Dear Reader

We are happy to see you are reading our IT Security News.

We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!

Go back to previous page