January 30th, 2008

Mozilla ups unpatched Firefox flaw to 'high severity'; Preps fix

Posted by Larry Dignan @ 4:50 am

Categories: Browsers, Data theft, Exploit code, Firefox, Hackers, Mozilla, Open source, Patch Watch, Vulnerability research

Tags: Mozilla Firefox, Vulnerability, Severity, Mozilla Corp., Add-on, Flaw, Window Snyder, Web Browsers, Security, Internet

Mozilla has given a proof of concept Firefox vulnerability a “high severity” rating because an attacker can collect session information such as cookies and history, according to Mozilla security chief Window Snyder.

Snyder said the vulnerability will be patched with Firefox 2.0.0.12, which will be pushed out “shortly.”

On Jan. 22, Snyder confirmed a proof of concept vulnerability discovered by researcher Gerry Eisenhaur on Jan. 19. Simply put, Firefox leaks information that can allow an attacker to load any javascript file on a machine. This “chrome protocol directory transveral” is in play whenever there are “flat” files–common in add ons–are installed. Chances are good that most Firefox users will have at least a few of these add ons installed. That’s a lot of data leakage.

Mozilla initially gave the flaw a low severity rating, but changed its mind after further investigation.

Snyder writes:

An attacker can use this vulnerability to collect session information, including session cookies and session history.  Firefox is not vulnerable by default. If you are an author of any of these add-ons, please release an update to your add-on that uses .jar packaging.

The list of the add-ons affected is long, but Snyder noted it was only a partial list. A few add-ons that stuck out.

• ajax_yahoo_mail_viamatic_webmail_-0.9-fx+fl
• quickjava-0.4.2-fx
• open_java_console-1.5-fx
• firefoxit-0.1.2-fx+fl
• ie_view_lite-1.2-fx
• extended_statusbar-1.2.4-fx
• sourceforge_direct_download-0.4-fx
• no_new_window-0.1-fx
• farky-1.1.3-fx
• livejournal_friends_checker-0.8.1.1-fx
• termblaster_firefox_edition_-1.3.7-fx
• myurlbar_a-2006.04.19-fx
• pingpong-0.7-fx
• print_print_preview-0.3-fx
• world_of_warcraft_realm_status_tool-0.2-fx
• settlers_3d_connector_user_info-0.1-fx
• gmail_skins-0.9.8-fx
• firephish_anti-phishing_extension-0.1.1-fx
• bookmark_sync_and_sort-1.0.6-fx
• inline_blocked_image_view-1.1-fx
• myspace_friend_renamer-.75-fx
• facebook_o-state_cowboy_style-1.2-fx
• flickrgethighrez-2007.02.06-fx
• refspoof-0.9.1-fx
• arfcom_ad_blocker-1.0-fx
• downloads_in_tab-0.0.2-fx
• adwords_keyword_multiplier-0.1-fx
• livejournal_addons-5.2.7-fx

Other links of note about this problem:

• Discussion about flat add ons.
• Mozilla’s bug.