Mozilla ups Firefox bug threat, slates fix for Feb. 5
Add-on problem worse than thought; patched Version 188.8.131.52 coming next week
The company's head of security, Window Snyder, confirmed that the browser, when running any of more than 600 add-ons, can be exploited to steal "session information, including session cookies and session history."
Snyder's acknowledgment followed an update by Gerry Eisenhaur, the researcher who first reported the Firefox problem. "There seems to be some confusion about what exactly the severity of this vulnerability is," Eisenhaur said on his hiredhacker.com blog. "This is not a chrome privilege escalation, but it [is] worse than just leaking some variables. I created another demo to read the sessionstore.js file. This will display information regarding your current session, [including] windows, tabs, cookies, etc."
Last week, when Eisenhaur broached the subject, Mozilla rated the threat as only "low," but began working on a patch. Yesterday, Snyder said a patch would be included with Firefox 184.108.40.206, a security update currently scheduled for a Feb. 5 release.
"Firefox is not vulnerable by default," Snyder added Tuesday. "Only users that have installed 'flat' packed add-ons are at risk."
Her caveat may be a moot point for most Firefox users, however, since such add-ons are legion. For example, a partial list posted on Bugzilla, Mozilla's bug management database, runs to more than 600 Firefox extensions, including YouTube-It and Foxmarks Bookmark Synchronizer. Snyder urged add-on authors to update their extensions by packaging them as .jar (Java Archive) files to make them immune to the vulnerability.
Alternately, Firefox users can install the popular NoScript extension to block exploits, regardless of which add-ons have been installed.
Read more about Security in Computerworld's Security Topic Center.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!