Following Bevy Of Patches, The Firefox Browser Is Still Vulnerable
On Friday, Feb. 8, Mozilla released an updated version of its Firefox Web browser that aimed to fix 10 vulnerabilities. Now, at least one security researcher says flaws still remain.
February 11, 2008
The flaws fixed on Friday were a nasty bunch, including privilege escalation, cross-site scripting vulnerabilities, and remote code execution, among many others.
Then, just hours after the release of the updated browser, version 2.0.012, security researcher Ronald van den Heetkamp posted an advisory detailing a proof-of-concept that explains how the browser remains at risk.
The flaw in question, which was purportedly patched, exists when users have enabled any of Firefox's existing 600 add-ons. When they do so, they become vulnerable to what is known, in security jargon, as a directory traversal attack.
In English, that means attackers can take advantage of poorly constructed validation of input file names. The end result is that attackers can gain access to computer files that aren't intended to be accessible by anyone but the user.
In this case, according to van den Heetkamp's analysis, attackers could access all of a user's Firefox preferences, or open "nearly every file stored in the Mozilla programs file directory."
Not good. And this is something that Mozilla needs to rectify quickly.
More information regarding Firefox security is available here, including details on the 10 patches issued on Friday.
For the remaining flaw, van den Heetkamp recommends using a different Web browser until a fix is published, or running a Firefox extension known as NoScript, which is available here.