On Tuesday, however, Window Snyder, Mozilla's security chief, said on her blog that Mozilla was raising the severity level to “high.” She admitted that hundreds of “flat” plug-ins are at risk. “Flat” add-ons do not store their contents in a JAR archive; therefore, their contents could permit attackers to read random files on the hard drive, according to Mozilla.
“The reason Mozilla bumped this up to high is because I released a PoC [proof of concept] that reads the sessionstore.js file,” Eisenhaur told SCMagazine.com Wednesday via instant messenger. “That exposes the user's current session [windows, history, cookies, etc.] to an attacker.”
He said the sessionstore.js file records open windows and users' histories and cookies.
“I think they didn't realize what data could be stolen, which is why I released the second demo,” Eisenhaur said.
While the issue reportedly was resolved today, Mozilla does not plan to push out the new version of Firefox that will contain the fix, v. 184.108.40.206, until Tuesday.
But Eisenhaur said he thinks the patch may be flawed.
“I just read through it and I think I can still exploit the attack,” he said. “I am waiting for it to build now so I can verify.”