Mozilla chief evangelist Mike Shaver says the latest Firefox information leakage bug warning is exaggerated.
Published reports of an information leakage vulnerability affecting fully patched versions of the open-source Firefox browser have been greatly exaggerated, according to Mozilla chief evangelist Mike Shaver.
Shaver's sharp retort follows the release of an advisory by hacker Ronald van den Heetkamp claiming that the most recent Firefox 2.0.0.12 is susceptible to a bug that allows hackers to view sensitive information on a target machine.
Information leakage can be used for reconnaissance in targeted attacks and is typically rated as a "low risk" flaw, but Shaver said van den Heetkamp is "simply mistaken" about the vulnerability claim.
"The files to which Ronald demonstrates access do not have the user's settings, though he claims otherwise. Those files (the user's data) are not stored in the Program Files hierarchy on Windows, or the equivalent on other operating systems," Shaver said in a blog entry. "Instead, the preference files that he is showing in his 'exploit' are ones that are defaults that are shipped with Firefox, and made freely available on the Web. Again, these are not user settings, but defaults that are shipped with all copies of Firefox and contain no personal information."
Van den Heetkamp's original alert, which has gained significant media distribution, warned that the alleged flaw can be used to trick Firefox into traversing directories.
"I found another information leak that is very serious because we are able to read out all preferences set in Firefox, or just open or include about every file stored in the Mozilla program files directory, and this without any mandatory settings or plugins," he said, noting that the bug exists in the "view-source:" scheme.
On Feb. 7, Mozilla shipped a major Firefox refresh to patch at least a dozen flaws that could lead to identity theft, cross-site scripting and remote code execution attacks.
Four of the vulnerabilities are rated "critical" while three carry "high risk" severity warnings.
The open-source group warned that Thunderbird, which shares the browser engine with Firefox, is vulnerable to one of the critical vulnerabilities.