Mozilla security chief Window Snyder has confirmed an information disclosure flaw affecting fully patched versions of the Firefox browser.
Snyder’s acknowledgment follows the public release of technical details–and proof-of-concept code–that shows how a vulnerability in the chrome protocol scheme allows directory traversal when a “flat” add-on is present in Firefox.
This allows escaping the extensions directory and reading files in a predictable location on the disk. Because many add-ons are packaged in this way–“flat” rather than contained in a .jar–the directory, a maliciously rigged page, can be used to load images, scripts or stylesheets from known locations on the disk.
“Attackers may use this method to detect the presence of files that may give an attacker information about which applications are installed. This information may be used to profile the system for a different kind of attack.Some extensions may store information in Javascript files and an attacker may be able to retrieve those. Greasemonkey user scripts may be retrieved using this method. Session storage and preferences are not readable through this technique.“
Some examples of popular add-ons that are vulnerable include Download Statusbar and Greasemonkey, Snyder said.
Mozilla’s security response team rates this a “low risk” issue, but this is something that should be fixed promptly, since it makes it very easy to do reconnaissance for a targeted attack.