Mozilla to fix 9-month-old Firefox bug as concerns grow

Flaw found in February, but ignored until it was deployed in Gmail hack

Mozilla will patch Firefox against a nine-month-old protocol handler bug, its chief security executive announced Friday, after researchers demonstrated that the vulnerability was more serious than first thought.

The bug is another uniform resource identifier (URI) protocol handler flaw, and the news of an impending fix comes on the heels of Microsoft patching Windows to repair problems in the handlers it registers. Protocol handlers -- "mailto:" is among the most familiar -- let browsers launch other programs such as an e-mail client through commands embedded in a URL.

But Firefox's jar: protocol handler (the ".jar" extension stands for Java ARchive, a Zip-style compression format) does not check that the files it calls are really in that format. Attackers can exploit the flaw by uploading any content -- malicious code, for example, or a malformed Office document -- to a Web site, then entice users to that site and its content with a link that includes the jar: protocol. Because the content executes in the security context of the hosting site, if that site (e.g., a commercial photo-sharing service) is trusted, then the malicious code runs as trusted within the browser, too.

This cross-site scripting vulnerability was discovered in February by Jesse Ruderman, and reported to Mozilla's Bugzilla database early that month. But not until after other researchers picked up the scent this month did Mozilla roll into action.

A week and a half ago, Petko Petkov, a prolific researcher based in the U.K., noted that any application that allows uploading of jar or Zip files is vulnerable to cross-site scripting attacks. "Potential targets for this attack include applications such as Web mail clients, collaboration systems, document-sharing systems, almost everything that smells like Web 2.0," Petkov said in a Nov. 7 post.

Three days later, a researcher known as Beford cranked out a proof-of-concept exploit that paired the jar: vulnerability with an open redirect bug in Google's Gmail, and showed how they let him access another user's contacts. Like Petkov, Beford said the bug was a serious problem. "I think it's a big issue, and the fact that it has been on Bugzilla for way more than 10 days is not a good thing." Beford's mention of 10 days was a reference to a comment made last summer by Mozilla's Mike Shaver, director of ecosystem development, that Mozilla fixed flaws within that time.

Window Snyder, head of security strategy at Mozilla, noted that the jar: protocol handler bug was, in fact, two slightly different vulnerabilities, and that the company was tracking them as such. "There is a second issue that if a zip [jar] archive is loaded from a site through a redirect, Firefox uses the context from the initiating site," she said. "This allows an attacker to take advantage of a site with an open redirect and host content on their own malicious site that will execute with the permissions of the redirecting site." According to Mozilla's bug-management database, this second issue -- Beford's variant -- is considered the more dangerous of the pair; Bugzilla lists it severity as "major," compared with "normal" for the original cross-site scripting vulnerability uncovered in February by Ruderman.

Both bugs will be patched soon. "This will be addressed in Firefox 2.0.0.10, which is currently in testing," Snyder said in a Friday entry on Mozilla's security blog.

Until Mozilla patches the browser, users can block jar:-based cross-site scripting attacks with the newest version of NoScript, a plug-in created by Italian developer Giorgio Maone, and one that regularly ranks among the most popular Firefox extensions. "NoScript will prevent remote JAR resources from being loaded as documents, neutralizing the XSS [cross-site scripting] dangers of the jar: protocol while keeping its functionality," said Maone on his personal blog last week.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest News Articles

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?