Mozilla ups Firefox bug threat, slates fix for Feb. 5
Mozilla Corp. bumped
up the threat ranking for an unpatched Firefox bug to "high" Tuesday,
but promised a fix is coming in Version 2.0.0.12, now slated for release on
Feb. 5.
The company's head of security, Window Snyder, confirmed that the browser,
when running any of more than 600 add-ons, can be exploited to steal "session
information, including session cookies and session history."
Snyder's acknowledgment followed an update by Gerry Eisenhaur, the researcher
who first reported the Firefox problem. "There seems to be some confusion
about what exactly the severity of this vulnerability is," Eisenhaur said
on his hiredhacker.com blog. "This is not a chrome privilege escalation,
but it [is] worse than just leaking some variables. I created another demo to
read the sessionstore.js file. This will display information regarding your
current session, [including] windows, tabs, cookies, etc."
Last week, when Eisenhaur broached the subject, Mozilla rated the threat as
only "low," but began working on a patch. Yesterday, Snyder said a
patch would be included with Firefox 2.0.0.12, a security update currently scheduled
for a Feb. 5 release.
"Firefox is not vulnerable by default," Snyder added Tuesday. "Only
users that have installed 'flat' packed add-ons are at risk."
Her caveat may be a moot point for most Firefox users, however, since such
add-ons are legion. For example, a partial list posted on Bugzilla,
Mozilla's bug management database, runs to more than 600 Firefox extensions,
including YouTube-It and Foxmarks Bookmark Synchronizer. Snyder urged add-on
authors to update their extensions by packaging them as .jar (Java Archive)
files to make them immune to the vulnerability.
Alternately, Firefox users can install the popular NoScript extension to block
exploits, regardless of which add-ons have been installed.
» posted by abennett
Computerworld
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
