Mozilla to fix 9-month-old Firefox bug as concerns grow

Flaw found in February, but ignored until it was deployed in Gmail hack

Mozilla will patch Firefox against a nine-month-old protocol handler bug, its chief security executive announced Friday, after researchers demonstrated that the vulnerability was more serious than first thought.

The bug is another uniform resource identifier (URI) protocol handler flaw, and the news of an impending fix comes on the heels of Microsoft patching Windows to repair problems in the handlers it registers. Protocol handlers -- "mailto:" is among the most familiar -- let browsers launch other programs such as an e-mail client through commands embedded in a URL.

But Firefox's jar: protocol handler (the ".jar" extension stands for Java ARchive, a Zip-style compression format) does not check that the files it calls are really in that format. Attackers can exploit the flaw by uploading any content -- malicious code, for example, or a malformed Office document -- to a Web site, then entice users to that site and its content with a link that includes the jar: protocol. Because the content executes in the security context of the hosting site, if that site (e.g., a commercial photo-sharing service) is trusted, then the malicious code runs as trusted within the browser, too.

This cross-site scripting vulnerability was discovered in February by Jesse Ruderman, and reported to Mozilla's Bugzilla database early that month. But not until after other researchers picked up the scent this month did Mozilla roll into action.

A week and a half ago, Petko Petkov, a prolific researcher based in the U.K., noted that any application that allows uploading of jar or Zip files is vulnerable to cross-site scripting attacks. "Potential targets for this attack include applications such as Web mail clients, collaboration systems, document-sharing systems, almost everything that smells like Web 2.0," Petkov said in a Nov. 7 post.

Three days later, a researcher known as Beford cranked out a proof-of-concept exploit that paired the jar: vulnerability with an open redirect bug in Google's Gmail, and showed how they let him access another user's contacts. Like Petkov, Beford said the bug was a serious problem. "I think it's a big issue, and the fact that it has been on Bugzilla for way more than 10 days is not a good thing." Beford's mention of 10 days was a reference to a comment made last summer by Mozilla's Mike Shaver, director of ecosystem development, that Mozilla fixed flaws within that time.

Window Snyder, head of security strategy at Mozilla, noted that the jar: protocol handler bug was, in fact, two slightly different vulnerabilities, and that the company was tracking them as such. "There is a second issue that if a zip [jar] archive is loaded from a site through a redirect, Firefox uses the context from the initiating site," she said. "This allows an attacker to take advantage of a site with an open redirect and host content on their own malicious site that will execute with the permissions of the redirecting site." According to Mozilla's bug-management database, this second issue -- Beford's variant -- is considered the more dangerous of the pair; Bugzilla lists it severity as "major," compared with "normal" for the original cross-site scripting vulnerability uncovered in February by Ruderman.

Both bugs will be patched soon. "This will be addressed in Firefox 2.0.0.10, which is currently in testing," Snyder said in a Friday entry on Mozilla's security blog.

Until Mozilla patches the browser, users can block jar:-based cross-site scripting attacks with the newest version of NoScript, a plug-in created by Italian developer Giorgio Maone, and one that regularly ranks among the most popular Firefox extensions. "NoScript will prevent remote JAR resources from being loaded as documents, neutralizing the XSS [cross-site scripting] dangers of the jar: protocol while keeping its functionality," said Maone on his personal blog last week.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?