Mozilla ups unpatched Firefox flaw to ‘high severity’; Preps fix
Posted on January 30th, 2008 at 11:35 am

Mozilla has given a proof-of-concept Firefox vulnerability a “high severity” rating because an attacker can collect session information such as cookies and history, according to Mozilla security chief Window Snyder.
Snyder said the vulnerability will be patched with Firefox 2.0.0.12, which will be pushed out “shortly.”
On Jan. 22, Snyder confirmed a proof-of-concept vulnerability discovered by researcher Gerry Eisenhaur on Jan. 19. Simply put, Firefox leaks information that can allow an attacker to load any JavaScript file on a machine. This “chrome protocol directory traversal” comes into play whenever “flat” files, common in add-ons, are installed. Chances are good that most Firefox users will have at least a few of these add-ons installed. That’s a lot of data leakage.
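A defender's check for the precondition described above, added here as an example (not code from the original post or from Mozilla): it walks a Firefox 2-style profile `extensions` directory and reports add-ons whose chrome.manifest registers content, skin or locale packages from a plain directory rather than a jar: URL, i.e. the “flat” packaging the post is talking about. The profile layout and manifest syntax are assumed from Firefox 2's chrome registration, and the sample manifests are constructed, not taken from real add-ons.

```python
import os
import tempfile

# Constructed sample manifests in Firefox 2 chrome.manifest syntax (assumed
# layout: <profile>/extensions/<id>/chrome.manifest). Not real add-ons.
SAMPLE_MANIFESTS = {
    "{packed-ext-id}": "content packedext jar:chrome/packedext.jar!/content/ xpcnativewrappers=yes\n"
                       "skin packedext classic/1.0 jar:chrome/packedext.jar!/skin/\n",
    "{flat-ext-id}": "# flat packaging: chrome served straight from a directory\n"
                     "content flatext chrome/content/\n"
                     "locale flatext en-US chrome/locale/en-US/\n",
}
# Index of the URI field for each chrome registration type.
URI_FIELD = {"content": 2, "skin": 3, "locale": 3}

def flat_registrations(manifest_text):
    """Package names registered from a plain directory instead of a jar: URL."""
    flat = set()
    for raw in manifest_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenise
        if not fields or fields[0] not in URI_FIELD:
            continue
        idx = URI_FIELD[fields[0]]
        if len(fields) > idx and not fields[idx].startswith("jar:"):
            flat.add(fields[1])
    return sorted(flat)

def scan_extensions(ext_dir):
    """Map extension id -> flat package names; jar-only add-ons are omitted."""
    report = {}
    for ext_id in sorted(os.listdir(ext_dir)):
        manifest = os.path.join(ext_dir, ext_id, "chrome.manifest")
        if not os.path.isfile(manifest):
            continue  # no manifest: old contents.rdf style, not handled here
        with open(manifest, encoding="utf-8", errors="replace") as fh:
            flat = flat_registrations(fh.read())
        if flat:
            report[ext_id] = flat
    return report

def build_sample_profile():
    """Write the constructed manifests into a temporary extensions tree."""
    ext_dir = tempfile.mkdtemp(prefix="ff2-extensions-")
    for ext_id, text in SAMPLE_MANIFESTS.items():
        os.makedirs(os.path.join(ext_dir, ext_id))
        with open(os.path.join(ext_dir, ext_id, "chrome.manifest"), "w") as fh:
            fh.write(text)
    return ext_dir
```

Call `scan_extensions(build_sample_profile())` to see the constructed flat add-on flagged, or point `scan_extensions` at a real profile's `extensions` directory; anything it reports is a candidate to disable until the 2.0.0.12 update lands.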
The list of the add-ons affected is long, but Snyder noted it was only a partial list. A few add-ons that stuck out:
* ajax_yahoo_mail_viamatic_webmail_-0.9-fx+fl
* quickjava-0.4.2-fx
* open_java_console-1.5-fx
* firefoxit-0.1.2-fx+fl
* ie_view_lite-1.2-fx
* extended_statusbar-1.2.4-fx
* sourceforge_direct_download-0.4-fx
* no_new_window-0.1-fx
* farky-1.1.3-fx
* livejournal_friends_checker-0.8.1.1-fx
* termblaster_firefox_edition_-1.3.7-fx
* myurlbar_a-2006.04.19-fx
* pingpong-0.7-fx
* print_print_preview-0.3-fx
* world_of_warcraft_realm_status_tool-0.2-fx
* settlers_3d_connector_user_info-0.1-fx
* gmail_skins-0.9.8-fx
* firephish_anti-phishing_extension-0.1.1-fx
* bookmark_sync_and_sort-1.0.6-fx
* inline_blocked_image_view-1.1-fx
* myspace_friend_renamer-.75-fx
* facebook_o-state_cowboy_style-1.2-fx
* flickrgethighrez-2007.02.06-fx
* refspoof-0.9.1-fx
* arfcom_ad_blocker-1.0-fx
* downloads_in_tab-0.0.2-fx
* adwords_keyword_multiplier-0.1-fx
* livejournal_addons-5.2.7-fx
In other words, folks, a ton of add-ons. You might want to check which of those you are running and shut them down for a while. Baldy