On Friday, Feb. 8, Mozilla released an updated version of its Firefox Web browser that aimed to fix 10 vulnerabilities. Now, at least one security researcher says flaws still remain.
February 11, 2008
The flaws patched on Friday were a nasty bunch, including privilege escalation, cross-site scripting and remote code execution vulnerabilities, among others.
Then, just hours after the release of the updated browser, version 2.0.012, security researcher Ronald van den Heetkamp posted an advisory detailing a proof-of-concept that shows the browser still remains at risk.
The flaw in question, which was purportedly patched, affects users who have enabled any of Firefox's 600 existing add-ons. Doing so leaves them vulnerable to what is known in security jargon as a directory traversal attack.
In plain English, that means attackers can take advantage of poorly constructed validation of input file names. The end result is that attackers can gain access to files that are meant to be accessible to no one but the user.
In this case, according to van den Heetkamp's analysis, attackers could access all of a user's Firefox preferences, or open "nearly every file stored in the Mozilla programs file directory."
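To make the filename-validation failure concrete, here is an added example (not code from Mozilla or from van den Heetkamp's advisory) that contrasts a naive resource lookup with one that rejects any name resolving outside the add-on's directory. The root path and resource names are constructed for the demonstration; the lookup is purely lexical, so it runs without touching the filesystem.

```python
from typing import Optional
from urllib.parse import unquote
import posixpath

# Constructed add-on resource root for the demonstration (not a real Firefox path).
ADDON_ROOT = "/opt/example/profile/extensions/example-addon"


def resolve_naive(root: str, requested: str) -> str:
    """Weak lookup: strips a leading slash and joins onto the root.

    Nothing stops '..' segments from walking out of the root, which is the
    kind of poorly constructed validation the article describes.
    """
    return posixpath.normpath(posixpath.join(root, requested.lstrip("/")))


def resolve_hardened(root: str, requested: str) -> Optional[str]:
    """Resolve a resource name relative to root, or return None if it would
    land outside root (traversal, absolute path, backslashes, empty name).

    Order matters: decode once, normalize, then check containment, so that
    percent-encoded dots cannot slip past a purely textual '..' filter.
    """
    root_norm = posixpath.normpath(root)
    name = unquote(requested)
    if not name or name.startswith("/") or "\\" in name or "\x00" in name:
        return None
    candidate = posixpath.normpath(posixpath.join(root_norm, name))
    # Containment check: the resolved path must sit strictly under the root.
    if not candidate.startswith(root_norm + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for name in ("content/ui.js", "../../prefs.js", "%2e%2e/%2e%2e/prefs.js"):
        print(f"{name!r:28} naive={resolve_naive(ADDON_ROOT, name)}"
              f"  hardened={resolve_hardened(ADDON_ROOT, name)}")
```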
Not good. And this is something that Mozilla needs to rectify quickly.
More information regarding Firefox security is available here, including details on the 10 patches issued on Friday.
For the remaining flaw, van den Heetkamp recommends using a different Web browser until a fix is published, or running a Firefox extension known as NoScript, which is available here.