February 11th, 2008
War of words over alleged Firefox vulnerability
Researcher Ronald van den Heetkamp claimed that he had found a Firefox flaw just a few hours after Mozilla released its 2.0.0.12 update that patched a series of vulnerabilities. Mike Shaver, a Mozilla security staffer, begged to differ and said van den Heetkamp is dead wrong.
On Friday, van den Heetkamp predicted Firefox would release 2.0.0.13 to fix his latest discovery. Van den Heetkamp said that he discovered “another information leak” and talked up the fact his find came just hours after the latest Firefox update.
He wrote on his blog:
Because directory traversal through plugins is all nice and such, we don’t need it. We can trick Firefox itself in traversing directories back. I found another information leak that is very serious because we are able to read out all preferences set in Firefox, or just open or include about every file stored in the Mozilla program files directory, and this without any mandatory settings or plugins.
In the vulnerability we make use of the ‘view-source:’ scheme that allows us to source out the ‘resource:’ scheme. With it, we can view the source of any file located in the ‘resource:///’ directory, which translates back to: file:///C:/Program Files/Mozilla Firefox/. Then we only include the file inside it and it becomes available to a new page’s DOM, and so we are able to read all settings.
Van den Heetkamp acknowledged that his discovery is a proof of concept.
Shaver on his blog noted that van den Heetkamp has proof of nothing.
Shaver wrote:
Ronald van den Heetkamp has claimed that he found a vulnerability that affects all released versions of Firefox, and so the Mozilla security group and others have been investigating it, as we do all such claims.
In this case, it appears to me as though Ronald is simply mistaken. The files to which Ronald demonstrates access do not have the user’s settings, though he claims otherwise. Those files (the user’s data) are not stored in the Program Files hierarchy on Windows, or the equivalent on other operating systems. Instead, the preference files that he is showing in his “exploit” are ones that are defaults that are shipped with Firefox, and made freely available on the web. Again, these are not user settings, but defaults that are shipped with all copies of Firefox and contain no personal information.
Shaver and van den Heetkamp then go at it on the comments in Shaver’s blog. I’m not going to pretend that I know the technical details well enough to pick a winner. But with reports of van den Heetkamp’s find being circulated I figured it’s worth putting both sides in one place.
Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic. See his full profile and disclosure of his industry affiliations.
