Mozilla officials are investigating a new vulnerability in Firefox that could be exploited by attackers to steal files from a victim’s machine.
“Attackers may use this method to detect the presence of files, which may give an attacker information about which applications are installed,” Snyder wrote. “This information may be used to profile the system for a different kind of attack.”
She said individuals are susceptible only if they have downloaded “flat” add-ons, including Download Statusbar, which lets users track ongoing and completed downloads in the status bar, or Greasemonkey, which permits users to install scripts to make changes to webpages.
“Flat” add-ons do not store their contents in a JAR archive, and as a result their contents could permit attackers to read arbitrary files on the hard drive, according to Mozilla.
But Jeremiah Grossman, chief technology officer of WhiteHat Security, told SCMagazineUS.com today that he does not consider the bug, which garnered a “less critical” rating from Secunia, to be a serious problem, as few users are impacted.
“There have been lots of problems in that particular space that were really bad and did affect a lot of people,” he said. “Web browsers are complex things. Anytime you have more functionality, the greater opportunity you have for bugs to occur.”