Mozilla security chief confirms data leakage bug in Firefox

Mozilla's chief of security has confirmed a vulnerability that could cause fully patched versions of Firefox to expose a user's private data.

The confirmation, which was posted by Mozilla's Window Snyder, follows the release of proof-of-concept code by researcher Gerry Eisenhaur.

The bug resides in Firefox's chrome protocol scheme and allows for a directory traversal when certain types of extensions are installed. Attackers could use it to detect if certain programs or files are present on a machine, gaining information to use in perpetrating another, more malicious exploit.

Normally, Firefox's chrome package is restricted to a limited number of directories, but a bug in the way it handles escaped sequences (e.g. %2e%2e%2f) allows attackers to escape those confines and access more sensitive parts of a user's computer.
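A simplified model of this class of bug, added here as an example and not taken from Firefox's code or the original article: a resolver that looks for ".." before percent-decoding, beside one that decodes first, canonicalizes, and then confirms the result is still inside the package directory. PACKAGE_ROOT, the function names and the sample paths are assumptions made for illustration.

```javascript
// Hypothetical package directory for a "flat" (unpacked) extension.
const PACKAGE_ROOT = "/profile/extensions/flat-addon/chrome";

// Collapse "." and ".." segments of an absolute POSIX-style path.
function normalize(absPath) {
  const out = [];
  for (const seg of absPath.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Weak ordering: the ".." filter runs on the raw string, decoding happens
// afterwards, so an escaped sequence such as %2e%2e%2f is never seen.
function resolveNaive(relUrlPath) {
  if (relUrlPath.includes("..")) return null;
  const decoded = decodeURIComponent(relUrlPath);
  return normalize(PACKAGE_ROOT + "/" + decoded);
}

// Hardened ordering: decode once, reject anything still encoded or
// ambiguous, canonicalize, then check containment on the final path.
function resolveStrict(relUrlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(relUrlPath);
  } catch {
    return null; // malformed escape sequence
  }
  if (decoded.includes("\0") || decoded.includes("\\")) return null;
  if (/%[0-9a-f]{2}/i.test(decoded)) return null; // double-encoded input
  const full = normalize(PACKAGE_ROOT + "/" + decoded);
  const inside = full === PACKAGE_ROOT || full.startsWith(PACKAGE_ROOT + "/");
  return inside ? full : null;
}

// Constructed sample request path using the escaped sequence from the article.
const SAMPLE = "content/%2e%2e%2f%2e%2e%2fother/file.txt";
console.log("naive :", resolveNaive(SAMPLE));  // path outside PACKAGE_ROOT
console.log("strict:", resolveStrict(SAMPLE)); // null
```

The containment test compares against PACKAGE_ROOT plus a trailing slash so that a sibling directory sharing the same name prefix is not accepted.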

The exploit only works if a user has made use of Firefox extensions that are "flat," that is, those that don't package their files in a jar archive. Examples of flat add-ons include Download Statusbar and Greasemonkey.

Mozilla bug squashers have rated the severity as normal and are working on a fix. In the meantime, Firefox users can protect themselves by using the NoScript extension.

As long as an attacking website hasn't been added to a user's list of trusted sites, NoScript should prevent the traversal attacks from working.

