Firefox 2 Security Update Coming - InformationWeek
11/21/2007
02:55 PM

Firefox 2 Security Update Coming

The fix addresses a Java Archive handling bug that could allow a malicious attacker to hide exploit code in a .jar file.

Even as Firefox 3 moves into beta, Firefox 2 is getting a security makeover.

The Mozilla Quality Assurance Community has called for volunteers to help test Release Candidate Builds of Firefox 2.0.0.10, which is expected to be released next week, following the Thanksgiving holiday.

Firefox 2.0.0.10 addresses a Java Archive handling bug that was first reported back in February. The vulnerability allows a malicious attacker to conduct a cross-site scripting attack by hiding exploit code in a Java Archive (.jar) file. This is because the .jar protocol is not restricted to .jar files and will open .zip files, which can be malicious.

"In simple terms, [this] means that any application which allows upload of .jar/.zip files is potentially vulnerable to a persistent cross-site scripting," said Petko Petkov, founder of security consultancy gnucitizen.org, in a blog post earlier this month. "Potential targets for this attack include applications such as Web mail clients, collaboration systems, document sharing systems, almost everything that smells like Web 2.0, etc., etc., etc."

The browser update also addresses a redirection bug related to .jar/.zip files.

The Mozilla Security Blog notes that this exploit has been demonstrated to work against Gmail as a way to access the victim's stored contacts.

"In future versions Firefox will only support the jar scheme for files that are served with the correct application/java-archive MIME type," says the Mozilla Security Blog. "Firefox will also adjust the security context to recognize the final site as the source of the content. This will be addressed in Firefox 2.0.0.10, which is currently in testing."
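The two rules in that statement (the MIME type check and attributing content to the final site after a redirect) can be modeled as a small decision function. This is an added, simplified illustration, not Mozilla's code: the function names, the `patched` switch, the sample URLs and the assumption that the unpatched browser attributes content to the site named in the jar: URL are all constructed for the example.

```javascript
// Simplified model of the jar: handling policy quoted above.
// Hypothetical helper names; not Mozilla's implementation.
const JAR_MIME = "application/java-archive"; // type named in the Mozilla quote

// Split "jar:<archive-url>!/<entry>" at the last "!/" (nested jar: not modeled).
function parseJarUrl(jarUrl) {
  const m = /^jar:(.+)!\/(.*)$/i.exec(jarUrl);
  if (!m) throw new Error("not a jar: URL");
  return { archiveUrl: new URL(m[1]), entry: m[2] };
}

// Normalise a Content-Type header: drop parameters, trim, lowercase.
function mediaType(contentType) {
  return String(contentType || "").split(";")[0].trim().toLowerCase();
}

// response = { finalUrl, contentType } as observed after any redirects.
function evaluateJarLoad(jarUrl, response, patched = true) {
  const { archiveUrl, entry } = parseJarUrl(jarUrl);
  if (!patched) {
    // Assumed pre-fix behaviour: any ZIP is opened and its content is
    // attributed to the site named in the jar: URL.
    return { allowed: true, origin: archiveUrl.origin, entry };
  }
  if (mediaType(response.contentType) !== JAR_MIME) {
    return { allowed: false, origin: null, entry, reason: "wrong MIME type" };
  }
  // Fixed behaviour: the final site is the source of the content.
  return { allowed: true, origin: new URL(response.finalUrl).origin, entry };
}

// Constructed sample 1: an uploaded .zip served back with a generic type.
const SAMPLE_UPLOAD = {
  url: "jar:https://webmail.example/attachments/42.zip!/page.html",
  response: { finalUrl: "https://webmail.example/attachments/42.zip",
              contentType: "application/zip" },
};

// Constructed sample 2: the named site redirects to an archive elsewhere.
const SAMPLE_REDIRECT = {
  url: "jar:https://trusted.example/go?id=7!/page.html",
  response: { finalUrl: "https://other.example/files/a.jar",
              contentType: "Application/Java-Archive; charset=binary" },
};
```

For a site operator, the first sample is the relevant one: under the fixed policy, user uploads stay out of reach of jar: as long as they are never served as `application/java-archive`.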
