
Mozilla fixes Firefox's flat add-on vulnerability

New update for the Firefox browser could be pushed out soon.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

The security team at Mozilla has fixed the flat add-on vulnerability acknowledged last week. However, no decision has been made on when Firefox 2.0.0.12 will be pushed out to users' desktops.

The vulnerability, known formally as the "chrome protocol directory traversal," occurs when a "flat" add-on is present. In this case, an extension to the browser stores its information within JavaScript files as opposed to JAR files. Window Snyder, Mozilla's chief of security, says the vulnerability is not within the browser, but in how the extensions are written.

An attacker exploiting this flaw may be able to retrieve data or profile a compromised system.

Extensions such as Greasemonkey and Download Statusbar were initially mentioned. However, the current list of affected extensions provided by Mozilla is much longer.