Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

New Firefox flaw deemed low-risk threat

Mozilla officials are investigating a new vulnerability in Firefox that could be exploited by attackers to steal files from a victim's machine.

Window Snyder, security chief for Firefox, said on her blog Tuesday that the flaw is located in the chrome protocol handler, which controls the various widgets on a browser.

The vulnerability, discovered by researcher Gerry Eisenhaur, could allow attackers to load malicious JavaScript onto a victim's PC by luring them to a hacked website, she said.

“Attackers may use this method to detect the presence of files, which may give an attacker information about which applications are installed,” Snyder wrote. “This information may be used to profile the system for a different kind of attack.”

She said individuals are only susceptible if they have downloaded “flat” add-ons, including Download Statusbar, which lets users track ongoing and completed downloads in the status bar, or Greasemonkey, which permits users to install scripts to make changes to webpages.

“Flat” add-ons do not store their contents in a JAR archive; therefore their contents could permit attackers to read random files on the hard drive, according to Mozilla.

But Jeremiah Grossman, chief technology officer of WhiteHat Security, told SCMagazineUS.com today that he considers the bug – which garnered a “less critical” rating from Secunia – to not be a serious problem, as few users are impacted.

However, a number of more severe vulnerabilities affecting URI protocol handlers have recently popped up, affecting Firefox and Internet Explorer browsers, Grossman said.

“There have been lots of problems in that particular space that were really bad and did affect a lot of people,” he said. “Web browsers are complex things. Anytime you have more functionality, the greater opportunity you have for bugs to occur.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.