Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Mozilla Dismisses New Firefox Flaw Warning



 By: Ryan Naraine
2008-02-11
Article Rating:starstarstarstarstar / 3


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Mozilla chief evangelist Mike Shaver says the latest Firefox information leakage bug warning is exaggerated.

Published reports of an information leakage vulnerability affecting fully patched versions of the open-source Firefox browser have been greatly exaggerated, according to Mozilla chief evangelist Mike Shaver.

Shaver's sharp retort follows the release of an advisory by hacker Ronald van den Heetkamp claiming that the most recent Firefox 2.0.0.12 is susceptible to a bug that allows hackers to view sensitive information on a target machine.

Information leakage can be used for reconnaissance in targeted attacks and typically rated as a "low risk" flaw, but Shaver said van den Heetkamp is "simply mistaken" about the vulnerability claim.

"The files to which Ronald demonstrates access do not have the user's settings, though he claims otherwise. Those files (the user's data) are not stored in the Program Files hierarchy on Windows, or the equivalent on other operating systems," Shaver said in a blog entry. "Instead, the preference files that he is showing in his 'exploit' are ones that are defaults that are shipped with Firefox, and made freely available on the Web. Again, these are not user settings, but defaults that are shipped with all copies of Firefox and contain no personal information.

Van den Heetkamp's original alert, which has gained significant media distribution, warned that the alleged flaw can be used to trick Firefox into traversing directories.

"I found another information leak that is very serious because we are able to read out all preferences set in Firefox, or just open or include about every file stored in the Mozilla program files directory, and this without any mandatory settings or plugins," he said, noting that the bug exists in the "view-source:" scheme.

On Feb. 7,  Mozilla shipped a major Firefox refresh to patch at least a dozen flaws that could lead to identity theft, cross-site scripting and remote code execution attacks. 

Resource Library:

Four of the vulnerabilities are rated "critical" while three carry "high risk" severity warnings.

The open-source group warned that Thunderbird, which shares the browser engine with Firefox, is vulnerable to one of the critical vulnerabilities.





  Reader Comments: Mozilla Dismisses New Firefox Flaw Warning
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


xr㶲0;; ʷ♵MR-b[^f&uT I)|IzgyoP/gq2Kht7F;?;;~$rɅklJv9;D;;}!ԇ}oQPo2t}R  tӌ5v:! M>>;| `OS;SMuɄZIКؕ>}~qlv .pvLQmxuGѦ%xu)t(DHږyH6EGJ;ߣ"C7 ݩHr6RV2X^DP~FDM:玗-4rwA5yЀk`Vxx@kNmW ,ȓڭAx)B(!bB]߂KCI%߼q@ؓ&thmu|'b#Q^]õ]&ZΡR͌eCwt=PzOMҳBCLH6}~8IZQO .m4ZIbOl+qtRA'ס,lO`e[پxwgy@fnbt KJ&ԃ C(p}=\'t(`_dY7;Ͱ-P6CMTjR?t~Ucm9 2+[Ѿ޹RU5MQ/z a|`h-vu]+i0n{'y@α{A~A~7" DT*jZ*ND@aBjLq9 uz P%oFe_P+)H.C#M-Lc|+H0CВF^8riOgSK߾ڤ>>;O|bPk5Mz"1h gxg4X.:nNOn/9n:'ݛ9^qŝN4Aq3 j__[z\= mx6~l M u ôW+ZᇓqULBusL ,ߔeBuֿ8'} ,-)TtܿG)L,Y`M`Imdʱ(rN9AcI>o:`K7B) u$u(5>Hr Q@a)#p?݇EpJq䨉k>ش 6,%iJyO{f4啋"}Yt"F)N}W%M 1F|r'̤"`Q%M 'LLl8Oyp1rY[T'jdamA՘i3ӟgxeޡ:it>!e.ڽ^c8^$glh|*0']ez|cZ7WZu?QßV@r }U9-b(WZdL41,{Lt차ϳp:@!0h v?SӧԴfPwTjh|N჎(>&ʋCQsiYnL,@sՇtw@>;O޺|N ufo/AbC ZSx*z$tm~5A%ǎ@ Lu'09 ɝ5EP%ݻCiy1=զA{Tfgg,zu}   l߃5#閭-T<ħ̠>xԁ!~~9.b&A"# DEMi@$P!$-4`r.= łP=zZ)JPlzb .z2H(A10ѿYY"bOYW KK+UƜWQY'e)5WXc] 6_2C+L)ESr6!w'NыE;vU"kBZ^|t {9JeO{0sm-VJ{",6@L++ۚWèKA* _hi ݬsiɴCu6б|{:Hi~Zxuj,j\'M;,?&TYV0>2ai[F֮ohCMۯr'`ܲM()eu*dʫ?v=@kRDz{fl>q/LlxAJmכA sOЬ,pZW%K=CkaAa ŵaaK:pJo,]qY3/l*{=eWlIsWk4GuM8`݊:jkD {Lt< ZȲi@X*uouj1ՃUk;+P  ӸcsMD@{nv2T˧6Wȵm>3hΕG< bj\X,~)©5r6|jj0AB̋Wũ(j^;< 1 ­rMilwPq`*1j3x:uv*_;$!U7wIQ)kMv"9M1ǁ^gE[# F:07f/|P"8 y@*&Oz~  b h bNzqSE+nA `aIua3:x"RB3=?72[!* "~`Gt&R_aYjQx]*(S,i0ȁ;\Eo|/Ne6Z/Pz;̮[KGf~gVOl^NavQ#O%p2HU>Z}`/g8PȺ]0uESUG;[+ܞ?FM6B4!$Ծ X x@7*(SӞͥj\Z&JN.xZVGk'4E H{I-~ȮO9-bVa:xznqey@\=0p)?FCS؇`m/ RۯTʞuN (덿9 NGV32A1"C9OF\q v´Iqr?yxn |:Ri{ތ9"zfnހWIJ)LwV0_/qi}g^L\ռ*W217YzӏΦbDsЈRͳq8O,h_PpjEiߺB7ex^xPyu/OiSLFd*T~!\3fzg]a+sl4O?{JTkݿy Wn9zgGq;YqLwASB9^- (ɹ&OBVNZoie|P._[>9lu'ܫ rõn7f" ۝XߋvJ85)zS(j :H$Ut,,#?Sq:gUU{My UfL,+Cj^[>51tY e&lDOXyc_7)~l$\EC>km{~BKe U'7-RV%%^ͳ!ݓhm90B[0qVR3ڟ=^"@N|K!ZOTKthrGSYI {_L C/$h@^!1NeA=zMMh;o]@,cf~}8<-ojM&lԆuXztS6neUkVR$gI@#c8=.]ţ%^h2)n&)ۙjJ-/$x5H;O5p[@7@|P4H jY 5`ZV-~#0Lƈ QHZ#OdY.eժR+@o8L3AI j;!c8`<"MMXhG?=ar0q7(-E49IkL2x0O /V*UYqALoxqNL^\}ۅ^?hueajcE6kJ~Zg^p 4(+?vHIcЧ˾tں9?&,{:;At; {Hڝg8D ^x;Yh\.LC~:'!]/.OEc_[qr`U=H3 r!Cc$;Ĥ}vjt.?J׼mv>G 72w4H4rEcR|{޽y-{wD's9B 2H,O!zۭfS k3d8)1/xdqH/=‴),{}ҾĂ>sn՜4"zsMN3"nX qr ;cgI9¾UXHy`&|C,($S;0r(`$؏*Xe2ӻ:o}okgen/ m D78%S*PW<2EHiA%N' >9hDu~mGlr~#<B<Mp<"mX{pJq+g=#$GeS`Ӄ_s; ѫdi!Qr7[%(E٦@7db&ubJT=Kz {r=1QLw)݃t( e~=m12tC%<2KL)gdJD$ =)!jڊI4g<8J542 eI? U4㓄PV YWɂZ#5=۴< /.\|ܺmDrF]=`l+HZQ"A|J| 9nG e!>RဏQFhEw 鳁Ѫ}+ ŏXMG81 å=`L:M\gOhNPD(PQEĵTrcczZt vUdaDr)IH,';-!']ry}MZ_g QW{$S tD#(Zw{.JeFd>IАYc=ty9!-tL^:͆2ߓ̆{JǻkA]iNw74w6OUFy XJ~Ol'Mt:DjE[cgwC9Ȫ̙S.{R؉o'w3^q,&n_%3ތ,4/LZ2g;9;G׍[sg#F0[vƹEtcϺ4v7 ]ekw}B!u\6Km܊ȥ9s\ 5"nx*Z$|>Okd" h6vo"D`"sME[<ק{cgj7X#SOR1\jFc|Wygld_aзZ+3)$ƙa dOC%Feuw#cgcc3/F%xg(6-l@|Pp/h(0iancZp8|#؈f/'Ɏ?7euz s2i p௹;o_lXR| \A՞݊|oFEAa˸.hE%ödN. 2Zl2d]{>RUX(˻b{ޣ e v1HTKhTNnm>*}=L-v-R F42|w2( v=b.zˮ{Jn9_)w.TEgoݹEN1B 9aWa3vdw6.gx]\7c_9TWfX=N7ژtqAkH H;njGÝ<;/VAl)ZPp7V hlvwRF lœW gwZxL1|!;2G ,ZD<1t`A$Mj-ŨsvDa? :2lbtw[H&5M\`[*i{53>#8kg:&%Xv9 HN~lOӚ8.,23K:pW)gOj8\K3(nvť[<$=W V9a6TJ0i"VIcHHi‚."MJJ<^&RsF#oy'qyׇa4u".z8 YX, /87֔xJjr_~v_tϨc&Pj3dH!q|(6o4eU)YR/j *s7>l *&5P шrV™Sr [%3QGaE w˶uԂTJG4rMB,Hx+'# |T4Uۊv.=Y.pIX%h$OCL0a "_> iJ.-LEHz*bO2w;aIU%U{ZCKfYIGYWVR$vOxrSj; {ϼCLPh bSa4?m_;ıBO!9^۟;~:Q7Z-;]8Ԗn&MszG}09_HW8D*JE[Ax7JDaeN(a<\$Sf y4(Xm4 iL" iK5s3USKs$I; WlMj(/=`VAx#GjmJoH/f^D>w ]HAeG߽w@KX1aRW,a@/x#TsM 'Mcp|({JQ(.aUH aUn54W3/w9}-Mz]n ,}6>H]~\@bIT'X/EIq77-D]F]-޸+[3t( h -YU/σQG[{eR+c-« 6!2߲A5$~m\|&4,AK`=pX#<܀sw嚆;#@Q1gS#x4-ܼ6OVf3 ua$:?f]Ğ7\SWb/3pa7M R#w,;F= _ÚVM A X;x׶{lR O)cXIZ4gV꒨.I}{Ӻx<\_k[VmMރ]|̑w7}۟~u4JAm Aȼ#KԬD5VfX(j%"Q0M?+┱fai93EH5Pk".F )ztM;G{!4 sZ;3V .K{~i =|/[t@E@Cd=I?Ι5g&1[L,Ù@t}sQtьzr2[ﲣ;nR GֲUFʼnܳEHQEn){Z}OlmW+H6,u+ ٳFe!cC{-1~R@Dn8. 2â?$Lc0{T73T4k`꤯L76Jw3L=/K&Qh#J;* 5kк~ME8/XdR(@AH5Ź;Pxʛt$/ݱ-D=?fOa|#~U1#GZ-G!s^b+\̐5XÈȡ͏yTG`*׶/NgDǹp`o'0m+`I#샒=%x;= ,Qx8'Dw$+?Ñ:/)͗gFXVb֪ZOxǍY(> l?QX2\{]@FPxI텡G6ǜMEfID ET9=J;國R098^gYJ6 z~b= aRAN5=0S5?c\UBI ዶkZK>Am?)Fmz^C`5)vX5ĞXZںUrZ+)~ly 5Jr5j0ںs̼[rCjLEGLf9Hu-8}y 8b_f~OR!kgEl>@4`}*fZ$z3{TϡVR*jZ?";М }}yj]SjZZd#QWN5v\Xc<+xϗ>ϙ,QkOu,ζy9f䕊V.իu(Uqa=/8voM),+G *&|t|G!_9bgb>9m^aηvg^:(]N B8" 0s{EMF^[OxׁENgNtMN}NT톫$õ6nOt@E$>+G^o.9gF.F{N|oy\d3-nVTm}yV9F bx+}$g;  #RF̯R߇q>U7Xw_S=@![O.&ew+.obF).m2욶Bsd5k)+bL!Lj"xxbj bFfɝ`g:]۽G!VWvru ZSaߕg߉t[6 f0db8#:&zyMLSt#?+){ڞUޓΞ<q48~m@1"6 ?JiOe~t:;͆S+8 g)un9r:jeOLg>򳉡{t99̣2uts \fJԎnIsBG4_ D>+a_M,#?0.ƌ]ZS*QJRL(%fޕa+걪VR╯?(> ;Ue"3|s=Mɕ@*9ZAȈq;ZGT€،X\}#[h]]!k"6}:_w%9jwooW[u{{sپ\YX ky/m25^ ^9l]28SΘKs!Yx9Kxu< /ELyx&y|L"a^e9DM@ :[ [LjKOA~iJJm85g%^NWcWC@mj7~Z (CQqXi¸\(:hO1v{qt/ۅfRZl<'%'W5'WR[9]#WN9ǐ:s9 ??gBs3˜|' _z9_ sVE\/r/~/r{"g@9yyCȣ9 s ,' ȿɇ̙K̙..ȟn|ȗ+W9~s匿匿ϡ _?}}ʡϐ9/9g|sw7y@79{wCNr!oY 7NoR8G9B(^*UykOy<߇yVU ?^`kW9x 挿 {%k?v'}иCJW\}em'}x=VU]Z\r'Y%P.YCIsDwev' N=Bo\gU=n[d$oqa>Fg4[`?ZazOם CחUc%:i>cP4lKEB'hZc( FZg8 a箩-grfDdU:.UJ0X^&(d@#غ7 {%}C7"fȣ\ q u+[t%.$ }:_l(*V(6of.2^6T<'U~ m'0̦IW"nCrǶ;3%tXS@e8>cc>m\=]wtn#k:.vԙe*qR Hv7q>+s홰o27L6G_4 (TC#cq}(!1FQxs$F+^0:\5m$=IKh<[5b8gC›JN鱽¤$֭(\*gz\;Rje^EHJBO/ChEaR1=zH1|t,G䷧gS9>%Ϡob/K[K9۲b/&] a1W$k$HdRݤOW=$sDJbE)۠(,,%* >#nX$">mN>Ncc'L;!/[v2 SL+4%RЌxs:xFY1m;;Cbx:vCAU Cr 3ҚSWGq2|?oGe{:okn>7q$T r8`+L-  `ꍈM@6iژH\*ylf 4 vkf㿞;P?Ba1\HdxkYoc5gx ?;<v; fC &K_BO7sS +0RO |-\las;xrmx0Ei#3E~2㡺_0kU9smtj VW6Ѐ/1OY;X/5b籧hi!A C1Xqk @{kۄ6L= &j4b>xY LW{څ$hxb " nh'xQ`$;]+qN*td&vP?g a#ٌ ML,B.7Ov!{Z|yƳc|_元>OxNž=Kf s)VR,_X0]<":+7 +Sqk~)ZByڽKRI>S}v,~vu~mG a28W<Ɠdߴ;K, mݸG_>^w?]HQAy鑢&!tOY B*D+w:9\~LzvSɕog2f#|oUBYfCժZ-Nj~ӯۊ=iQf8&rYOrѣ;7r^†mJPU&s.csM-՗