Software // Enterprise Applications
News
11/21/2007
02:55 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Firefox 2 Security Update Coming

The fix addresses a Java Archive handling bug that could allow a malicious attacker to hide exploit code in a .jar file.

Even as Firefox 3 moves into beta, Firefox 2 is getting a security makeover.

The Mozilla Quality Assurance Community has called for volunteers to help test Release Candidate Builds of Firefox 2.0.0.10, which is expected to be released next week, following the Thanksgiving holiday.

Firefox 2.0.0.10 addresses a Java Archive handling bug that was first reported back in February. The vulnerability allows a malicious attacker to conduct a cross-site scripting attack by hiding exploit code in a Java Archive (.jar) file. This is because the .jar protocol is not restricted to .jar files and will open .zip files, which can be malicious.

"In simple terms, [this] means that any application which allows upload of .jar/.zip files is potentially vulnerable to a persistent cross-site scripting," said Petko Petkov, founder of security consultancy gnucitizen.org, in blog post earlier this month. "Potential targets for this attack include applications such as Web mail clients, collaboration systems, document sharing systems, almost everything that smells like Web 2.0, etc., etc., etc."

The browser update also addresses a redirection bug related to .jar/.zip files.

The Mozilla Security Blog notes that this exploit has been demonstrated to work against Gmail as a way to access the victim's stored contacts.

"In future versions Firefox will only support the jar scheme for files that are served with the correct application/java-archive MIME type," says the Mozilla Security Blog. "Firefox will also adjust the security context to recognize the final site as the source of the content. This will be addressed in Firefox 2.0.0.10, which is currently in testing."

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.