Mozilla ups Firefox bug threat, slates fix for Feb. 5

Add-on problem worse than thought; patched Version coming next week

Mozilla bumped up the threat ranking for an unpatched Firefox bug to "high" Tuesday, but promised a fix is coming in Version, now slated for release on February 5.

The company's head of security, Window Snyder, confirmed that the browser, when running any of more than 600 add-ons, can be exploited to steal "session information, including session cookies and session history."

Snyder's acknowledgment followed an update by Gerry Eisenhaur, the researcher who first reported the Firefox problem. "There seems to be some confusion about what exactly the severity of this vulnerability is," Eisenhaur said on his blog. "This is not a chrome privilege escalation, but it [is] worse than just leaking some variables. I created another demo to read the sessionstore.js file. This will display information regarding your current session, [including] windows, tabs, cookies, etc."

Last week, when Eisenhaur broached the subject, Mozilla rated the threat as only "low," but began working on a patch. Yesterday, Snyder said a patch would be included with Firefox, a security update currently scheduled for a Feb. 5 release.

"Firefox is not vulnerable by default," Snyder added Tuesday. "Only users that have installed 'flat' packed add-ons are at risk."

Her caveat may be a moot point for most Firefox users, however, since such add-ons are legion. For example, a partial list posted on Bugzilla, Mozilla's bug management database, runs to more than 600 Firefox extensions, including YouTube-It and Foxmarks Bookmark Synchronizer. Snyder urged add-on authors to update their extensions by packaging them as .jar (Java Archive) files to make them immune to the vulnerability.

Alternately, Firefox users can install the popular NoScript extension to block exploits, regardless of which add-ons have been installed.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Show Comments

Most Popular Reviews

Deals on PC World

Deals on PC World

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.


Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?