Firefox Extensions Lift the Keys to the Kingdom
January 25th, 2008 by Justin Ryan
Attackers have myriad ways of gaining access to systems; some are as basic as asking their way in, while others are a bit more high-tech. According to a new Mozilla security bulletin, your Firefox extensions could be the key the hackers are looking for.
The vulnerability, discovered and demonstrated by security researcher Gerry Eisenhaur, involves exploiting so-called "flat" Firefox extensions to access information stored elsewhere on the system. "Flat" extensions are ones whose files are not contained within a .jar; this layout allows an attacker to escape the extensions directory and load files housed elsewhere. Mozilla believes that attackers could use the exploit to harvest information about a system's vulnerability to potential attacks. While security teams are investigating, Mozilla has classified the exploit as low priority, so there is no news on when it may be fixed.
Mozilla identified two popular extensions — Download Statusbar and Greasemonkey — as vulnerable to the exploit, while the NoScript extension is reported to prevent the attacks.
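To see which installed extensions are "flat" in the sense described above, their chrome registrations can be inspected. This is an added example, not code from the article or from Mozilla: it assumes each extension registers its chrome in a `chrome.manifest` file, where packaged content is given as a `jar:` location (older `contents.rdf` registrations are not covered), and the sample manifests and the names `exampleflat` and `examplejar` are constructed.

```python
from pathlib import Path

# Index of the location field for each chrome.manifest registration type:
#   content <package> <location>, locale/skin <package> <name> <location>
LOCATION_FIELD = {"content": 2, "locale": 3, "skin": 3}

def flat_registrations(manifest_text):
    """Return (type, package, location) for entries not served from a jar: archive."""
    flat = []
    for raw in manifest_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        idx = LOCATION_FIELD.get(fields[0])
        if idx is None or len(fields) <= idx:
            continue  # overlay/style/override lines, or a malformed entry
        if not fields[idx].lower().startswith("jar:"):
            flat.append((fields[0], fields[1], fields[idx]))
    return flat

def audit_extensions(extensions_dir):
    """Map extension directory name -> flat registrations in its chrome.manifest."""
    report = {}
    for manifest in sorted(Path(extensions_dir).glob("*/chrome.manifest")):
        text = manifest.read_text(encoding="utf-8", errors="replace")
        found = flat_registrations(text)
        if found:
            report[manifest.parent.name] = found
    return report

# Constructed sample manifests (not taken from any real extension).
SAMPLE_FLAT = """\
# constructed example
content  exampleflat  chrome/content/
skin     exampleflat  classic/1.0  chrome/skin/
overlay  chrome://browser/content/browser.xul  chrome://exampleflat/content/o.xul
"""
SAMPLE_JAR = """\
content  examplejar  jar:chrome/examplejar.jar!/content/
locale   examplejar  en-US  jar:chrome/examplejar.jar!/locale/en-US/
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # path to a profile's extensions directory
        for name, entries in audit_extensions(sys.argv[1]).items():
            print(name, entries)
    else:
        print("flat sample:", flat_registrations(SAMPLE_FLAT))
        print("jar sample: ", flat_registrations(SAMPLE_JAR))
```

Run with the path to a profile's `extensions` directory to list the extensions that have at least one flat registration; with no argument it classifies the two constructed samples.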
__________________________
Justin Ryan is News Editor for LinuxJournal.com.
Download Statusbar
On January 27th, 2008 Anonymous (not verified) says:
Well damn, I love the status bar.
Me too
On January 27th, 2008 Justin Ryan says:
I have both Greasemonkey and Download Statusbar, so I was initially quite alarmed - however, I also use NoScript, so I'm supposedly safe. It's a pretty neat extension, at least worth a try - a bit annoying at first, until you get used to checking it when things don't work as you expect, but outside that, pretty neat.