Mozilla to fix 9-month-old Firefox bug as concerns grow

Flaw found in February, but ignored until it was deployed in Gmail hack

Mozilla will patch Firefox against a nine-month-old protocol handler bug, its chief security executive announced Friday, after researchers demonstrated that the vulnerability was more serious than first thought.

The bug is another uniform resource identifier (URI) protocol handler flaw, and the news of an impending fix comes on the heels of Microsoft patching Windows to repair problems in the handlers it registers. Protocol handlers -- "mailto:" is among the most familiar -- let browsers launch other programs such as an e-mail client through commands embedded in a URL.

But Firefox's jar: protocol handler (the ".jar" extension stands for Java ARchive, a Zip-style compression format) does not check that the files it calls are really in that format. Attackers can exploit the flaw by uploading any content -- malicious code, for example, or a malformed Office document -- to a Web site, then entice users to that site and its content with a link that includes the jar: protocol. Because the content executes in the security context of the hosting site, if that site (e.g., a commercial photo-sharing service) is trusted, then the malicious code runs as trusted within the browser, too.

This cross-site scripting vulnerability was discovered in February by Jesse Ruderman, and reported to Mozilla's Bugzilla database early that month. But not until after other researchers picked up the scent this month did Mozilla roll into action.

A week and a half ago, Petko Petkov, a prolific researcher based in the U.K., noted that any application that allows uploading of jar or Zip files is vulnerable to cross-site scripting attacks. "Potential targets for this attack include applications such as Web mail clients, collaboration systems, document-sharing systems, almost everything that smells like Web 2.0," Petkov said in a Nov. 7 post.

Three days later, a researcher known as Beford cranked out a proof-of-concept exploit that paired the jar: vulnerability with an open redirect bug in Google's Gmail, and showed how they let him access another user's contacts. Like Petkov, Beford said the bug was a serious problem. "I think it's a big issue, and the fact that it has been on Bugzilla for way more than 10 days is not a good thing." Beford's mention of 10 days was a reference to a comment made last summer by Mozilla's Mike Shaver, director of ecosystem development, that Mozilla fixed flaws within that time.

Window Snyder, head of security strategy at Mozilla, noted that the jar: protocol handler bug was, in fact, two slightly different vulnerabilities, and that the company was tracking them as such. "There is a second issue that if a zip [jar] archive is loaded from a site through a redirect, Firefox uses the context from the initiating site," she said. "This allows an attacker to take advantage of a site with an open redirect and host content on their own malicious site that will execute with the permissions of the redirecting site." According to Mozilla's bug-management database, this second issue -- Beford's variant -- is considered the more dangerous of the pair; Bugzilla lists it severity as "major," compared with "normal" for the original cross-site scripting vulnerability uncovered in February by Ruderman.

Both bugs will be patched soon. "This will be addressed in Firefox 2.0.0.10, which is currently in testing," Snyder said in a Friday entry on Mozilla's security blog.

Until Mozilla patches the browser, users can block jar:-based cross-site scripting attacks with the newest version of NoScript, a plug-in created by Italian developer Giorgio Maone, and one that regularly ranks among the most popular Firefox extensions. "NoScript will prevent remote JAR resources from being loaded as documents, neutralizing the XSS [cross-site scripting] dangers of the jar: protocol while keeping its functionality," said Maone on his personal blog last week.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?