Mozilla confirms low-risk Firefox flaw

A directory traversal within "flat" extensions could lead to system profiling attacks.

There's a directory traversal vulnerability in the chrome protocol scheme within Firefox 2. Proof-of-concept code for this was first posted to the Internet on January 19, 2008. On Tuesday, Mozilla security chief Window Snyder confirmed that the flaw affects fully patched versions of the Firefox browser.

When a "flat" add-on is present (an extension that stores its information in JavaScript files rather than in .jar files), an attacker exploiting this flaw may be able to retrieve data or profile a compromised system. Extensions such as Greasemonkey and Download Statusbar may be affected.

On the Mozilla security blog, Snyder wrote:

"When a chrome package is 'flat' rather than contained in a .jar, the directory traversal allows escaping the extensions directory and reading files in a predictable location on the disk. Many add-ons are packaged in this way.

"A visited attacking page is able to load images, scripts, or stylesheets from known locations on the disk. Attackers may use this method to detect the presence of files which may give an attacker information about which applications are installed. This information may be used to profile the system for a different kind of attack."

Mozilla, which considers this threat low risk, has opened a bug.

About the author

    As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

     
