Mozilla admits Firefox extension threat

 

Gallery

By Matthew Sparkes

Posted on 24 Jan 2008 at 07:58

Mozilla has admitted that a bug in Firefox could allow hackers access to personal data, even if a user is running a fully patched browser.

The vulnerability affects certain extensions, and allows an attacker to probe for files on a user's hard disk.

Some extensions are granted access to specific local directories, but the vulnerability allows code to explore outside of these confines and test for the presence of certain files.

"A visited attacking page is able to load images, scripts, or stylesheets from known locations on the disk. Attackers may use this method to detect the presence of files which may give an attacker information about which applications are installed," says Mozilla security expert, Window Snyder, in a blog post.

This information could give attackers a way to break into a system using known vulnerabilities in other software, warns Snyder.

Users are only at risk if they have one of the "flat" packaged add-ons installed, such as Download Statusbar and Greasemonkey.

Earlier this month it emerged that another security vulnerability in Firefox 2.0.0.11 could be used to trick users into divulging passwords for online services.