Published reports of an information leakage vulnerability affecting fully patched versions of the open-source Firefox browser have been greatly exaggerated, according to Mozilla chief evangelist Mike Shaver.
Shaver’s sharp retort follows the release of an advisory by hacker Ronald van den Heetkamp claiming that the most recent Firefox 2.0.0.12 is susceptible to a bug that allows hackers to view sensitive information on a target machine.
Information leakage can be used for reconnaissance in targeted attacks and is typically rated as a “low risk” flaw, but Shaver said van den Heetkamp is “simply mistaken” about the vulnerability claim.
“The files to which Ronald demonstrates access do not have the user’s settings, though he claims otherwise. Those files (the user’s data) are not stored in the Program Files hierarchy on Windows, or the equivalent on other operating systems,” Shaver said in a blog entry. “Instead, the preference files that he is showing in his ‘exploit’ are ones that are defaults that are shipped with Firefox, and made freely available on the Web. Again, these are not user settings, but defaults that are shipped with all copies of Firefox and contain no personal information.”
Van den Heetkamp’s original alert, which has gained significant media distribution, warned that the alleged flaw can be used to trick Firefox into traversing directories.
“I found another information leak that is very serious because we are able to read out all preferences set in Firefox, or just open or include about every file stored in the Mozilla program files directory, and this without any mandatory settings or plugins,” he said, noting that the bug exists in the “view-source:” scheme.
On Feb. 7, Mozilla shipped a major Firefox refresh to patch at least a dozen flaws that could lead to identity theft, cross-site scripting and remote code execution attacks.
Four of the vulnerabilities are rated “critical” while three carry “high risk” severity warnings.
The open-source group warned that Thunderbird, which shares the browser engine with Firefox, is vulnerable to one of the critical vulnerabilities.