[ad]
It seems a data leakage bug has struck Firefox recently and has been confirmed by Window Snyder the security bod at Mozilla.
It’s basically a Chrome directory traversal bug (It seems a lot of the Firefox issues have had to do with chrome?).
It’s rated as low risk, but it can give away the existence of files (if the attacker knows the name and location).
The bug resides in Firefox’s chrome protocol scheme and allows for a directory traversal when certain types of extensions are installed. Attackers could use it to detect if certain programs or files are present on a machine, gaining information to use in perpetrating another, more malicious exploit.
Normally, Firefox’s chrome package is restricted to a limited number of directories, but a bug in the way it handles escaped sequences (i.e. %2e%2e%2f) allows attackers to escape those confines and access more sensitive parts of a user’s computer. The exploit only works if a user has made use of Firefox extensions that are “flat,” this is, those that don’t package their files in a jar archive. Examples of flat add-ons include Download Statusbar and Greasemonkey.
You can protect yourself by using NoScript, which I would guess most of you guys are using already.
The open bug can be found here.
Source: The Register
Adam says
Thanks for the info. that’s actually quite scary as Firefox is my default browser.
goodpeople says
Like you said.. low risk. No need to get paranoid over this one..
btw, those of you that wonder why my responses are kinda short lately, that’s because I broke my left wrist. Typing is somewhat difficult.
Keola says
Great information and thanks for the link on NoScript.
Nobody_Holme says
Ouch. Unlucky. Good luck with the wrist dude.
and ta darknet. must go make people i know get noscript going.
Pantagruel says
A minor hickup but a good thing you point us toward NoScript.
Good luck with the wrist goodpeople (plastered in or did you get some steel bolted on?)
mumble says
At least this is (1) an easy fix in the code and (2) in a product that uses auto-update. I figure my windows boxes will get the update when it is released (sometime this week).
@goodpeople
Don’t push too much until it heals. You get two at birth, and no replacements will be issued. Be sure to follow up on PT – you don’t want to have a gimpy wrist for an extended period of time. Good luck and get well soon.
goodpeople says
Thanks for the support guys. It really helps.
To answer some questions you all probably have, I fell while I was skating. It was my third time on skates, so I’m not that good yet.. :-)
Fortunately it is a clean break, so a bit of plaster for 5 weeks should do the trick. I am afraid that I will need some Physical Therapy as well, but I’ll live. Worst part is that I can’t get to work now. I cannot drive or ride the bycicle.. But I’ll get another kind of plaster next week that doesn’t require me to wear a sling all day…
Nobody_Holme says
Auto update, how i love thee.
Makes everyone’s life easier.
and i’m thinking no more skating for you for a couple of months. :P
goodpeople says
@Nobody_Holme,
Are you talking about mozilla’s auto-update feature or Windows update?
mumble says
@goodpeople
I was talking about the mozilla auto-update, which in recent verions is turned on by default. It lets them push out a fast patch for things like this.
Realistically, this can be fixed with only a few lines of code in one file – but it would probably be a good idea to audit the code looking for other path traversal flaws. Because of the limited scope of the data leakage, though, this isn’t the end of the world…..
goodpeople says
@mumble,
That’s okay. I also keep Mozilla’s auto update switched on. But I am a bit wary of Windows update. Even Linux is not allowed to do it’s own updates here. I want to see it first.
Nobody_Holme says
I was also talking about non-microsoft auto-updates. I’m not a fan of auto-installing brand new bugs and security flaws, i must say.
goodpeople says
@Nobody_Holme & mumble
Phew! for a second there you guys had me worried ;-)
Nobody_Holme says
I’m slightly depressed… I cant have bashed microsuck enough around here for you to notice how much i hate them. :P
Pantagruel says
@ Nobody_Holme
Rest assurred, there will be plenty of Windows wholes to bash ;)
eM3rC says
When comparing this to all of IE’s bugs I think of this as no big deal. And like Pantagruel said, welcome to the wonderful, yet buggy/vulnerable world of windows ;).
As for firefox addons what is everyone using?
I currently use:
Fasterfox
Ad Block Plus
Tamper Data
and Download status bar
Pantagruel says
@ eM3rc
All of the stuff you mentioned and some from the FireCat collection
Nobody_Holme says
Dont run download statusbar without noscript, methinks?
Pantagruel says
@Nobody_Holme
You’se right.
Block statusbar, noscript surely will.
eM3rC says
@Pantagruel
Could you recommend any cookie editors for firefox?
Pantagruel says
Take a look at Cookie Edit or Add N Edit Cookies.
You might also consider LiveHTTPHeaders if you want to get some realtime info on incoming header/file info
Pantagruel says
You also might want to check out Stompy http://www.darknet.org.uk/2007/03/stompy-the-web-application-session-analyzer-tool/
for some superb session analysis (and cookie munging)
J. Lion says
is there an alternative to firefox besides IE?
eM3rC says
@J. Lion
I would stick with firefox because overall it seems to be the best browser. The next in line I would say is Opera, but firefox just released and update so no worries. In my opinion I would stick with firefox no matter what.