Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:57 PM
George V. Hulme
George V. Hulme

Following Bevy Of Patches, The Firefox Browser Is Still Vulnerable

On Friday, Feb. 8, Mozilla released an updated version of its Firefox Web browser that aimed to fix 10 vulnerabilities. Now, at least one security researcher says flaws still remain.

On Friday, Feb. 8, Mozilla released an updated version of its Firefox Web browser that aimed to fix 10 vulnerabilities. Now, at least one security researcher says flaws still remain.The flaws updated on Friday included a nasty bunch, including fixing privilege escalation, cross site scripting vulnerabilities, and remote code execution, among many others.

Then, security researcher Ronald van den Heetkamp, just hours after the release of the updated browser, version 2.0.012, posted an advisory where he detailed a proof-of-concept that explains how the browser still remains at-risk.

The flaw in question, and which was purportedly patched, exists when users have enabled any of Firefox's existing 600 add-ons. When doing so, they become vulnerable, in security jargon, to a directory transversal attack.

In English, that means attackers can take advantage of poorly constructed validation of input file names. The end result is that attackers can gain access to computer files that aren't intended to be accessible by anyone but the user.

In this case, according to van den Heetkamp's analysis, attackers could access all of a user's Firefox preferences, or open "nearly every file stored in the Mozilla programs file directory."

Not good. And this is something that Mozilla needs to rectify quickly.

More information regarding Firefox security is available here, including details on the 10 patches issued on Friday.

For the remaining flaw, van den Heetkamp recommends using a different Web browser until a fix is published, or running a Firefox extension known as NoScript, which is available here.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-22
This affects all versions of package jquery-ui; all versions of package org.fujion.webjars:jquery-ui. When the "dialog" is injected into an HTML tag more than once, the browser and the application may crash.
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1's API fail to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privilege.
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1 backend editing function does not filter special characters. Users after log-in can inject JavaScript syntax to perform a stored XSS (Stored Cross-site scripting) attack.
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...