Status update for Chrome Protocol Directory Traversal issue

Window Snyder

3

Background on this issue is available here.

Impact

An attacker can use this vulnerability to collect session information, including session cookies and session history.  Firefox is not vulnerable by default.  Only users that have installed “flat” packed add-ons are at risk.  Discussion about “flat” packaged add-ons is here.  A partial list of “flat” packed add-ons is available here.  If you are an author of any of these add-ons, please release an update to your add-on that uses .jar packaging.

This bug is tracking the additional information:

https://bugzilla.mozilla.org/show_bug.cgi?id=413451

Status

Based on this new information Mozilla has changed the security severity rating to high.  A fix is included in Firefox 2.0.0.12 which be available shortly.

3 responses

  1. Jason Barnabe wrote on ::

    I’m fairly sure you can release 2.0.0.12 and get it into the hands of users before I can new versions of my extensions approved and updated on my users’ systems, so I’ll just wait this one out.

  2. Ronald van den Heetkamp wrote on ::

    Some comments:

    http://www.0x000000.com/index.php?i=503

  3. Jeff Walden wrote on ::

    Sorry, Ronald, but I don’t see “boasting” or “blame” there — just matter-of-fact statements, and a note that extensions that can update quickly enough can reduce the number of vulnerable users until the real fix happens.