Mozilla Ranks Firefox Bug Threat
By Dave Nixon
January 31, 2008
Mozilla has raised the threat ranking for an unpatched Firefox bug to “high,” and says a fix is imminent in Version 2.0.0.12, now set for release on 5 February.
Window Snyder, the company’s head of security, confirms that the browser can be exploited to steal “session information, including session cookies and session history, when running any of more than 600 add-ons.”
Snyder’s acknowledgement followed an update by Gerry Eisenhaur, the researcher who first reported the Firefox problem. “There seems to be some confusion about what exactly the severity of this vulnerability is,” Eisenhaur said on his hiredhacker.com blog. “This is not a chrome privilege escalation, but it is worse than just leaking some variables. I created another demo to read the sessionstore.js file. This will display information regarding your current session, including windows, tabs, cookies, etc.”
When Eisenhaur raised the topic last week, Mozilla rated the threat as only “low,” but started working on a patch. Snyder said on Tuesday a patch would be included with Firefox 2.0.0.12, a security update presently planned for a 5 February release.
“Firefox is not vulnerable by default,” Snyder added. “Only users that have installed ‘flat’ packed add-ons are at risk.”
Her caveat may be of little comfort to most Firefox users, however, since such add-ons are numerous. For instance, a partial list published on Bugzilla, Mozilla’s bug management database, including YouTube-It and Foxmarks Bookmark Synchroniser, runs to more than 600 Firefox extensions.
Snyder urged add-on authors to update their extensions by packaging them as .jar (Java Archive) files, which makes them resistant to the vulnerability.
Alternatively, Firefox users can install the popular NoScript extension to block exploits, regardless of which add-ons are installed.
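For an administrator who wants to know whether the add-ons in a profile fall into the “flat” packed category Snyder describes, the following script audits each extension’s chrome.manifest and flags registrations whose files live in a plain directory rather than inside a .jar. This is an added example, not code from the article or from Mozilla; it assumes the chrome.manifest line format used by Firefox 2-era extensions (`content <package> <path>`, `locale <package> <lang> <path>`, `skin <package> <name> <path>`, with `jar:` paths pointing into an archive), and the sample manifests and extension names below are constructed.

```python
"""Audit Firefox extension chrome.manifest files for 'flat' (unpacked) chrome
registrations, the packaging Mozilla's advisory singles out as exposed.

Added example, not from the original article. Assumption: Firefox 2-style
chrome.manifest directives, where a path beginning with 'jar:' lives inside a
.jar archive and any other path is a plain ('flat') directory on disk.
"""
import os
from typing import Dict, List, Tuple

FLAT = "flat"
JAR = "jar"

# Directives that map a chrome:// package onto files on disk, with the index
# of the token that carries the file path. overlay/style/override/resource
# lines refer to chrome URLs, not packaging, so they are ignored.
_FILE_DIRECTIVES = {"content": 2, "locale": 3, "skin": 3}


def classify_path(path: str) -> str:
    """'jar' if the registration points into a .jar archive, else 'flat'."""
    return JAR if path.lower().startswith("jar:") else FLAT


def parse_manifest(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (directive, package, path, packaging) for each file registration."""
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        tokens = line.split()
        idx = _FILE_DIRECTIVES.get(tokens[0])
        if idx is None or len(tokens) <= idx:
            continue                            # not a file mapping, or malformed
        path = tokens[idx]
        results.append((tokens[0], tokens[1], path, classify_path(path)))
    return results


def flat_packages(text: str) -> List[str]:
    """Sorted package names that have at least one flat (directory) registration."""
    return sorted({pkg for _, pkg, _, packaging in parse_manifest(text)
                   if packaging == FLAT})


def audit_extensions_dir(extensions_root: str) -> Dict[str, List[str]]:
    """Walk <profile>/extensions/<id>/chrome.manifest; map extension id -> flat packages."""
    report: Dict[str, List[str]] = {}
    if not os.path.isdir(extensions_root):
        return report
    for ext_id in sorted(os.listdir(extensions_root)):
        manifest = os.path.join(extensions_root, ext_id, "chrome.manifest")
        if not os.path.isfile(manifest):
            continue
        with open(manifest, encoding="utf-8", errors="replace") as fh:
            flat = flat_packages(fh.read())
        if flat:
            report[ext_id] = flat
    return report


# Constructed sample manifests (hypothetical extension 'exampleext').
FLAT_MANIFEST = """\
# flat-packed: chrome files sit directly in the extension directory
content   exampleext   chrome/content/
locale    exampleext   en-US         chrome/locale/en-US/
skin      exampleext   classic/1.0   chrome/skin/
overlay   chrome://browser/content/browser.xul  chrome://exampleext/content/overlay.xul
"""

JAR_MANIFEST = """\
# repackaged as Snyder recommends: chrome files live inside a .jar
content   exampleext   jar:chrome/exampleext.jar!/content/
locale    exampleext   en-US         jar:chrome/exampleext.jar!/locale/en-US/
skin      exampleext   classic/1.0   jar:chrome/exampleext.jar!/skin/
"""

if __name__ == "__main__":
    print("flat sample  ->", flat_packages(FLAT_MANIFEST))   # ['exampleext']
    print("jar sample   ->", flat_packages(JAR_MANIFEST))    # []
    # Point this at a real profile, e.g. ~/.mozilla/firefox/<profile>/extensions
    for ext_id, pkgs in audit_extensions_dir("PROFILE_DIR_PLACEHOLDER/extensions").items():
        print(f"{ext_id}: flat-packed packages {pkgs}")
```

Run it against a profile’s `extensions` directory and every add-on reported is one that would benefit from being repackaged as a .jar (or from an updated release by its author); an empty report means no flat registrations were found in the manifests present.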