Thursday, January 31, 2008

Mozilla Prepping Firefox Chrome Fix - But is it really fixed?

Via SecurityProNews.com -

Though Firefox users would only be vulnerable if a chrome package is flat, rather than contained in a jar, Mozilla plans a quick fix.

Until Firefox 2.0.0.12 starts hitting clients running automatic updates for the browser, Window Snyder, Firefox chief security officer, urged Add-On authors who use flat packaging for their work to switch to jar packaging.

Originally, the chrome protocol directory traversal received a rating of Low from the Firefox security group; Snyder's post said the rating has been pushed to High.

"An attacker can use this vulnerability to collect session information, including session cookies and session history. Firefox is not vulnerable by default," said Snyder.

A partial list of add-ons impacted by the issue included listings for Greasemonkey (greasemonkey-0.6.8.20070314.0-firefox) and Google Reader (google_reader_notifier-0.21-fx). One commenter on Snyder's first post said the NoScript extension prevents chrome URIs from being loaded as scripts in content pages.

---------------------------

But is the problem really fixed?

My friend Gerry posted the following message on his blog yesterday....

Mozilla marked Bug ID 413250 as ‘RESOLVED FIXED’ on Tuesday. I got a chance to check out the fix today, and found that the fix is inadequate in stopping the attack. Here’s another demo that reads your session store, and like before, uses the Download Statusbar extension - steal_sessionstore2.html.
