Posted on 01/24/2008 8:13:34 AM PST by ShadowAce
Mozilla is working to fix a browser flaw that could give attackers unauthorized access to data on a victim's machine.
The problem is similar to other data leakage flaws found in the open-source browser, according to researcher Gerry Eisenhaur, who first reported the problem on Saturday.
Eisenhaur has posted sample code that reads the contents of a Mozilla Thunderbird preferences file, but he believes that attackers could get access to more information with variations on his attack. "It's possible to load any JavaScript file on a victim's machine," he wrote in his blog posting. "This looks very interesting and may have bigger potential, but for now, it's just another information disclosure [flaw]."
"It could become something more if there was an application that stored sensitive data inside JavaScript files," he said via instant message. "Some plugins have been known to store usernames and passwords."
"It's also just a powerful way to do recon," he added.
Hackers have discovered a number of flaws in recent months that take advantage of the way that browsers pass information between different components within the Windows operating system. Some of these URI (Uniform Resource Identifier) protocol handler flaws have led to serious security problems for both Firefox and Internet Explorer.
This latest flaw affects only certain Firefox add-ons, such as the Download Statusbar or Greasemonkey, which store scripts in a fashion that lets them be discovered on the hard drive, said Window Snyder, Mozilla's security chief, in a Wednesday blog posting.
Firefox is investigating the issue and has rated it as a low-severity problem, she said.
Imagine that.
I still like Firefox over IE.
Great, just great.
“This latest flaw affects only certain Firefox add-ons, such as the Download Statusbar or Greasemonkey,”
I use Firefox but not those add-ons, so no big deal, and besides, I am sure the Mozilla community will close the hole soon.
Time to get rid of my plugins, eh?
I use Greasemonkey just to filter out a certain troll here on FR.
Me neither. I don't use ANY add-ons from FF and I use it over IE every time.
I hate those search bar add-ons like that as a general rule.
It is amazing how fast pages load without the ads.
Thanks for the advice. I'll try that.
I run Firefox in safe mode: no add-ons and less memory usage.
With the tech economy doing pretty well, the “volunteers” these open source products need aren’t so available.
I'm not giving up my FRTrollBlocker Greasemonkey script!
Sounds to me like this attack could give up my list of trolls.
I also use the "noscript" extension, though it is sometimes a PITA, so that helps a bit as well.
Is Thunderbird the FF mail program? I'm still using Eudora but was going to change to TB when I get my new iMac...
Thunderbird is a separate mail program, also produced by Mozilla.
I think I just had a greasemonkey update yesterday, and a noscript today.
I guess those Chinese slaves used to write open source are busy. ;-)
Thanks for the script btw, it's been off for a month but ort seems to be back..
Mozilla has a paid staff, as do RedHat and IBM, who work on OSS projects..