ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Prices
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


IT Jobs

Security threats Toolkit

Flaw reported in updated Firefox

Tom Espiner ZDNet.co.uk

Published: 11 Feb 2008 12:48 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

A potential flaw has been reported in the latest version of Mozilla's Firefox web browser, version 2.0.0.12.

Vulnerability researcher Ronald van den Heetkamp published a directory traversal flaw in Firefox version 2.0.0.12 on Friday, hours after the release of the latest version of the browser.

A directory traversal flaw enables an attacker to potentially access another user's remote files due to insufficient security validation. The alleged flaw found by van den Heetkamp makes use of the Firefox "view-source:" feature.

"In the vulnerability we make use of the 'view-source:' scheme that allows us to source out the 'resource:' scheme," wrote van den Heetkamp. "With it, we can view the source of any file located in the 'resource:///' directory, which translates back to: file:///C:/Program Files/Mozilla Firefox/. Then we only include the file inside it and it becomes available to a new page's DOM, and so we are able to read all settings."

Read this

Feature
Special report: Anatomy of a hack attack

We recreate a typical attack on two large organisations

Read more +

The vulnerability researcher claimed the proof-of-concept flaw enables an attacker to read preferences in Firefox, or to open files stored in the Mozilla program files directory. A workaround is to install a NoScript plugin.

Mozilla released Firefox version 2.0.0.12 on Friday, patching 10 security vulnerabilities, including a different directory traversal flaw in Firefox's "chrome" user interface that had been confirmed by Window Snyder, Mozilla's head of security, in January.

Mozilla Europe had not responded to a request for comment at the time of writing.

  • Email
  • Trackback
  • Clip Link
  • Print friendly Print with HP

Did you find this article useful?
5 out of 5 people found this useful


Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:






Related Jobs

Junior Quant Researcher - Quantitative Finance - Top Hedge Fund

My client, a prestigious London Hedge Fund is currently looking to hire a top class researcher to work within modern quantitative finance, developing ...

C#, C++ RESEARCHER / DEVELOPER SOUTH OXFORD

an outstanding Software Engineer with graduate or postgraduate qualifications, preferably with a Masters and PhD in a computing or numerate ...

Junior Quant Researcher - PhD - Top London Hedge Fund

A quantitative Mayfair hedge fund is currently looking for a junior quant researcher.

Featured Oracle Resources

businessfirst: Ideas to help small companies retain their successful entrepreneurial spirit

Oracle ONE Magazine: Technology solutions for midsized businesses February 2008 edition

Choosing a Reliable and Powerful IT Infrastructure at a Price You Can Afford

Database Consolidation: Reducing Cost and Complexity

Ensuring Data Protection for Growing Business

Oracle for medium and emerging businesses: protect, strengthen and enhance your organisation

Oracle partner network solutions catalogue

See All White Papers

Sentry Posts Blog

Mobile Linux Better For Mobile Busines...

Mobile Linux Better For Mobile Business Apps? Author: Eric Everson, MyMobiSafe.com As mobile Linux is carving it’s footprint on the future of mobile application development, the... More

Post a comment

DWP downplays security breach

The Department for Work and Pensions (DWP) has admitted that some of its staff have been forwarding passwords with password protected material. An email that was leaked on the 'Dizzy... More

Post a comment

How many headshots does one chairperso...

We got a strange request last week from the head of PR from Russian security experts Kaspersky. It seems although the company was very happy with the interview we recently carried with... More

Post a comment

Featured Talkback

On the contrary, if vendors were forced to stand behind their products it should increase innovation. It would force more, and better , testing before hitting the sales floor, resulting in fewer updates and less downtime for the consumer. At present the EULA removes responsibility from the vendor, and moves it to the user, which is a step backward. Make the vendor responsibility for their code.

By: ator1940

Read full story:
RSA: Vendor liability may stifle innovation