Original URL: http://www.channelregister.co.uk/2007/11/27/firefox_update/
Firefox update puts lid on Jar bug
Safe to surf
Posted in Software & Security, 27th November 2007 11:24 GMT
Mozilla released an update to its Firefox browser on Monday designed to address a trio of vulnerabilities [1].
Firefox 2.0.0.10 [2] addresses a bug in the open source browser's "jar:" protocol handler, a memory corruption vulnerability, and a potential cross-site scripting hazard.
The jar: protocol handler bug was first identified [3] in February by Mozilla's Jesse Ruderman, but efforts to smite the flaw didn't materialise until security bloggers demonstrated how the vulnerability could be abused to perform various exploits, including creating a possible means for hackers to steal a victim's Gmail contacts. Mozilla prioritised a bug fix shortly after the full impact of the bug became apparent.
Short for Java Archive, the jar: protocol is used to compress Java classes and other types of files into a single file. Unfortunately, the jar: protocol handler in Firefox (prior to the fix) failed to validate the MIME type of the contents of an archive, which would then be executed in the context of a trusted site.
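The following is an added illustration of the policy gap the article describes; it is not Mozilla's code and does not reproduce the Firefox fix. It models a jar: URL as `jar:<archive-url>!/<entry-path>`, shows a weak handler that runs any entry in the origin of the server that hosted the archive, and beside it a hardened handler that first checks the MIME type under which the archive was served. The function names, the accepted archive types, and the sample URLs (using the reserved `example.test` domain) are all assumptions made for this example.

```python
"""Added example: jar: URL handling with and without a MIME-type check.

A jar: URL has the form  jar:<archive-url>!/<path-inside-archive>.
The weak policy below treats every entry as content of the archive's
origin, whatever the server said the archive was.  The hardened policy
refuses to treat entries as trusted content unless the archive resource
was served with an archive MIME type.  Both functions and the accepted
type list are hypothetical, written for this illustration.
"""
from urllib.parse import urlsplit

# MIME types the hardened policy accepts as a real archive (assumed list).
ARCHIVE_TYPES = {"application/java-archive", "application/x-jar"}


def parse_jar_url(url: str) -> tuple[str, str]:
    """Split a jar: URL into (archive_url, entry_path); ValueError if malformed."""
    if not url.lower().startswith("jar:"):
        raise ValueError("not a jar: URL")
    inner = url[len("jar:"):]
    sep = inner.find("!/")
    if sep == -1:
        raise ValueError("jar: URL lacks the '!/' separator")
    return inner[:sep], inner[sep + 1:]


def origin_of(url: str) -> str:
    """Scheme and host of the archive, i.e. the origin an entry would run in."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def weak_policy(jar_url: str, archive_content_type: str) -> dict:
    """Pre-fix behaviour: entry runs in the archive host's origin, no type check."""
    archive_url, entry = parse_jar_url(jar_url)
    return {"run_as_origin": origin_of(archive_url), "entry": entry, "reason": "no check"}


def hardened_policy(jar_url: str, archive_content_type: str) -> dict:
    """Fixed behaviour: only a resource served as an archive may supply entries."""
    archive_url, entry = parse_jar_url(jar_url)
    # Strip parameters such as "; charset=..." before comparing the media type.
    media_type = archive_content_type.split(";")[0].strip().lower()
    if media_type not in ARCHIVE_TYPES:
        return {
            "run_as_origin": None,
            "entry": entry,
            "reason": f"archive served as {media_type!r}, not an archive type",
        }
    return {"run_as_origin": origin_of(archive_url), "entry": entry, "reason": "archive type ok"}


if __name__ == "__main__":
    # Constructed sample: an archive hosted on a trusted site but served as an image.
    sample = "jar:https://mail.example.test/attachments/upload.png!/page.html"
    print("weak:    ", weak_policy(sample, "image/png"))
    print("hardened:", hardened_policy(sample, "image/png"))
    print("hardened:", hardened_policy(sample, "application/java-archive"))
```

Running the script shows the weak policy granting `page.html` the `https://mail.example.test` origin even though the server declared the resource an image, while the hardened policy returns no origin for it and only accepts the entry once the archive is served with an archive type.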
The latest update is the tenth from Mozilla in little more than a year since the release of Firefox 2.0 in October 2006. ®
