Firefox 2.0.0.12 is still vulnerable to directory traversal

franzon via 0x000000.com on 10 February 2008 - 10:56

A few hours after the release, a hacker discovered the flaw; he recommends using the NoScript plugin. In the meantime, you can either use another browser or install the NoScript plugin to mitigate these issues.

"Don't patch vulnerabilities for fifty percent, take the time and fix the cause. Because directory traversal through plugins is all nice and such, we don't need it. We can trick Firefox itself in traversing directories back. I found another information leak that is very serious because we are able to read out all preferences set in Firefox, or just open or include about every file stored in the Mozilla program files directory, and this without any mandatory settings or plugins," said Ronald van den Heetkamp to Mozilla.

A proof of concept is available at this web site http://www.0x000000.com

Comments
(1 reply) #1 cork1958 on 10 Feb 2008 - 11:22
Yay, Firefox!!
#1.1 n_K on 10 Feb 2008 - 17:18
(cork1958 said @ #1)
Yay, Firefox!!

Errr, what is meant to happen on the example? It doesn't affect my Firefox V1 ;s
(3 replies) #2 Esvandiary on 10 Feb 2008 - 11:51
The vulnerability talked about in the summary is (as I already pointed out in the comments for 2.0.0.12 in Software) near enough a non-vulnerability. The one on the front page of the linked website, on the other hand, is a little more newsworthy.

Just to clarify, with regards to the "directory traversal exploit":
1. This issue was not introduced in 2.0.0.12, it has been known about for some time and is a low priority issue because......
2. The only place this vulnerability can access is the Firefox folder in Program Files. Nothing of interest or security concern is stored here, only the default preferences file (not even your browser preferences). This vulnerability cannot access your profile directory in Documents and Settings, where your cookies, passwords etc are stored.

They should get around to fixing it, I just hate it when these things are blown out of all proportion.
The PoC currently on the front page of that site (the URI spoofing) is a little more interesting and dangerous, however, since that could in theory steal your user info (although, as is the case with all these things, it's very unlikely).
#2.1 Beastage on 10 Feb 2008 - 12:33
(Esvandiary said @ #2)
The vulnerability talked about in the summary is (as I already pointed out in the comments for 2.0.0.12 in Software) near enough a non-vulnerability. The one on the front page of the linked website, on the other hand, is a little more newsworthy.

Just to clarify, with regards to the "directory traversal exploit":
1. This issue was not introduced in 2.0.0.12, it has been known about for some time and is a low priority issue because......
2. The only place this vulnerability can access is the Firefox folder in Program Files. Nothing of interest or security concern is stored here, only the default preferences file (not even your browser preferences). This vulnerability cannot access your profile directory in Documents and Settings, where your cookies, passwords etc are stored.

They should get around to fixing it, I just hate it when these things are blown out of all proportion.
The PoC currently on the front page of that site (the URI spoofing) is a little more interesting and dangerous, however, since that could in theory steal your user info (although, as is the case with all these things, it's very unlikely).


It gets blown out of proportion because the open source "communist" (joke) propaganda machine kept pushing into people's heads how FF is the holy grail of security, stability and perfect coding when eventually it is not, it is however a fine example of how to support web standards and for customizability options....

Tho I defiantly prefer Opera (faster and more secure) and Maxthon (fast and reliable)
#2.2 tiagosilva29 on 10 Feb 2008 - 16:51
(Beastage said @ #2.1)
Tho I defiantly prefer Opera (faster and more secure) and Maxthon (fast and reliable)
I don't have any (relevant) issues with Gecko, but I'm looking forward to a decent WebKit browser in Linux.

Also: view-source/resource “vulnerability” does not expose personal information
#2.3 Skyfrog on 11 Feb 2008 - 13:12
This issue was not introduced in 2.0.0.12, it has been known about for some time and is a low priority issue because......


The article didn't say it was. It said "still", that doesn't mean introduced.
#3 beLIEve on 11 Feb 2008 - 10:35
I presume this affects Netscape 9.0.0.5 as well. Still no fixes in Netscape, and I guess there'll be none since it'll be discontinued in March. I presume SeaMonkey is affected as well.
#4 johnathonm on 11 Feb 2008 - 15:51
IE 7 4 LYFE.
