Mozilla ups Firefox bug threat, slates fix for Feb. 5
Add-on problem worse than thought; patched Version 22.214.171.124 coming next week
The company's head of security, Window Snyder, confirmed that the browser, when running any of more than 600 add-ons, can be exploited to steal "session information, including session cookies and session history."
Snyder's acknowledgment followed an update by Gerry Eisenhaur, the researcher who first reported the Firefox problem. "There seems to be some confusion about what exactly the severity of this vulnerability is," Eisenhaur said on his hiredhacker.com blog. "This is not a chrome privilege escalation, but it [is] worse than just leaking some variables. I created another demo to read the sessionstore.js file. This will display information regarding your current session, [including] windows, tabs, cookies, etc."
Last week, when Eisenhaur broached the subject, Mozilla rated the threat as only "low," but began working on a patch. Yesterday, Snyder said a patch would be included with Firefox 126.96.36.199, a security update currently scheduled for a Feb. 5 release.
"Firefox is not vulnerable by default," Snyder added Tuesday. "Only users that have installed 'flat' packed add-ons are at risk."
Her caveat may be a moot point for most Firefox users, however, since such add-ons are legion. For example, a partial list posted on Bugzilla, Mozilla's bug management database, runs to more than 600 Firefox extensions, including YouTube-It and Foxmarks Bookmark Synchronizer. Snyder urged add-on authors to update their extensions by packaging them as .jar (Java Archive) files to make them immune to the vulnerability.
Alternately, Firefox users can install the popular NoScript extension to block exploits, regardless of which add-ons have been installed.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts