Mozilla to fix 9-month-old Firefox bug as concerns grow

Flaw found in February, but ignored until it was deployed in Gmail hack

Mozilla will patch Firefox against a nine-month-old protocol handler bug, its chief security executive announced Friday, after researchers demonstrated that the vulnerability was more serious than first thought.

The bug is another uniform resource identifier (URI) protocol handler flaw, and the news of an impending fix comes on the heels of Microsoft patching Windows to repair problems in the handlers it registers. Protocol handlers -- "mailto:" is among the most familiar -- let browsers launch other programs such as an e-mail client through commands embedded in a URL.

But Firefox's jar: protocol handler (the ".jar" extension stands for Java ARchive, a Zip-style compression format) does not check that the files it calls are really in that format. Attackers can exploit the flaw by uploading any content -- malicious code, for example, or a malformed Office document -- to a Web site, then entice users to that site and its content with a link that includes the jar: protocol. Because the content executes in the security context of the hosting site, if that site (e.g., a commercial photo-sharing service) is trusted, then the malicious code runs as trusted within the browser, too.

This cross-site scripting vulnerability was discovered in February by Jesse Ruderman, and reported to Mozilla's Bugzilla database early that month. But not until after other researchers picked up the scent this month did Mozilla roll into action.

A week and a half ago, Petko Petkov, a prolific researcher based in the U.K., noted that any application that allows uploading of jar or Zip files is vulnerable to cross-site scripting attacks. "Potential targets for this attack include applications such as Web mail clients, collaboration systems, document-sharing systems, almost everything that smells like Web 2.0," Petkov said in a Nov. 7 post.

Three days later, a researcher known as Beford cranked out a proof-of-concept exploit that paired the jar: vulnerability with an open redirect bug in Google's Gmail, and showed how they let him access another user's contacts. Like Petkov, Beford said the bug was a serious problem. "I think it's a big issue, and the fact that it has been on Bugzilla for way more than 10 days is not a good thing." Beford's mention of 10 days was a reference to a comment made last summer by Mozilla's Mike Shaver, director of ecosystem development, that Mozilla fixed flaws within that time.

Window Snyder, head of security strategy at Mozilla, noted that the jar: protocol handler bug was, in fact, two slightly different vulnerabilities, and that the company was tracking them as such. "There is a second issue that if a zip [jar] archive is loaded from a site through a redirect, Firefox uses the context from the initiating site," she said. "This allows an attacker to take advantage of a site with an open redirect and host content on their own malicious site that will execute with the permissions of the redirecting site." According to Mozilla's bug-management database, this second issue -- Beford's variant -- is considered the more dangerous of the pair; Bugzilla lists it severity as "major," compared with "normal" for the original cross-site scripting vulnerability uncovered in February by Ruderman.

Both bugs will be patched soon. "This will be addressed in Firefox 2.0.0.10, which is currently in testing," Snyder said in a Friday entry on Mozilla's security blog.

Until Mozilla patches the browser, users can block jar:-based cross-site scripting attacks with the newest version of NoScript, a plug-in created by Italian developer Giorgio Maone, and one that regularly ranks among the most popular Firefox extensions. "NoScript will prevent remote JAR resources from being loaded as documents, neutralizing the XSS [cross-site scripting] dangers of the jar: protocol while keeping its functionality," said Maone on his personal blog last week.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?