Status update for Chrome Protocol Directory Traversal issue

Background on this issue is available here.

Impact

An attacker can use this vulnerability to collect session information, including session cookies and session history.  Firefox is not vulnerable by default.  Only users that have installed “flat” packed add-ons are at risk.  Discussion about “flat” packaged add-ons is here.  A partial list of “flat” packed add-ons is available here.  If you are an author of any of these add-ons, please release an update to your add-on that uses .jar packaging.

The following bug is tracking the additional information:

https://bugzilla.mozilla.org/show_bug.cgi?id=413451

Status

Based on this new information, Mozilla has changed the security severity rating to high.  A fix is included in Firefox 2.0.0.12, which will be available shortly.

3 comments on “Status update for Chrome Protocol Directory Traversal issue”

  1. Jason Barnabe wrote on

    I’m fairly sure you can release 2.0.0.12 and get it into the hands of users before I can get new versions of my extensions approved and updated on my users’ systems, so I’ll just wait this one out.

  2. Ronald van den Heetkamp wrote on

    Some comments:

    http://www.0x000000.com/index.php?i=503

  3. Jeff Walden wrote on

    Sorry, Ronald, but I don’t see “boasting” or “blame” there — just matter-of-fact statements, and a note that extensions that can update quickly enough can reduce the number of vulnerable users until the real fix happens.