Firefox leaks info that's useful to attackers
Some browser add-ons let hackers do preattack reconnaissance
Computerworld - Mozilla's head of security yesterday confirmed a bug in Firefox that could be used by attackers to scout out a system prior to mounting a more thorough assault.
The flaw, said Window Snyder, Mozilla Corp.'s chief security officer, is in the browser's chrome protocol, she said in response to reports of the vulnerability and the public posting of a proof-of-concept exploit. "Chrome" is the Firefox term for its user interface.
Access to a user's machine would be through one of many Firefox extensions packaged in a flat file structure, rather than collected into a single Java archive, or .jar file, said Snyder. Several popular add-ons, including Download Statusbar and Greasemonkey, use a flat file structure. "Users are only at risk if they have one of the 'flat' packaged add-ons installed," Snyder said on the Mozilla security blog.
By leading users to a tricked-out Web page, criminals could sniff for information that might be useful in more aggressive attacks, Snyder acknowledged. "A visited attacking page is able to load images, scripts or style sheets from known locations on the disk," she said. "Attackers may use this method to detect the presence of files which may give an attacker information about which applications are installed. This information may be used to profile the system for a different kind of attack."
Firefox developers are working on a patch, according to a thread on Bugzilla, Mozilla's bug-tracking and management site, but a fix has not yet been coded.
In the meantime, the authors of the two extensions that Snyder called out -- Download Statusbar and Greasemonkey -- have updated them so that they can't be exploited. "I just released a JARred version of Download Statusbar 0.9.5.3," said Devon Jensen on Bugzilla.
Although Snyder downplayed the threat posed by the bug, Gerry Eisenhauer, the researcher who uncovered the vulnerability, said there might be more to it. "This looks very interesting and may have bigger potential," he said Saturday in his original write-up. "But for now, it's just another information disclosure."
Read more about Security in Computerworld's Security Topic Center.
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- 5 Ways Dropbox for Business Keeps Your Data Protected Protecting your data isn't a feature on a checklist, something to be tacked on as an afterthought. Download here to find out how...
- The Keys to Securing Data in a Collaborative Workplace Losing data is costly. IT professionals have spent years learning how to protect their organizations from hackers, but how do you ward off...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!