Mozilla security chief confirms data leakage bug in Firefox
24 Jan 2008 05:26
Help on the way

Mozilla's chief of security has confirmed a vulnerability that could cause fully patched versions of Firefox to expose a user's private data. The confirmation, which was posted here by Mozilla's Window Snyder, follows the release of proof-of-concept code by researcher Gerry Eisenhaur.

The bug resides in Firefox's chrome protocol scheme and allows for a directory traversal when certain types of extensions are installed. Attackers could use it to detect whether certain programs or files are present on a machine, gaining information to use in perpetrating another, more malicious exploit.

Normally, Firefox's chrome package is restricted to a limited number of directories, but a bug in the way it handles escaped sequences (e.g. %2e%2e%2f) allows attackers to escape those confines and access more sensitive parts of a user's computer. The exploit only works if a user has installed Firefox extensions that are "flat," that is, those that don't package their files in a jar archive. Examples of flat add-ons include Download Statusbar and Greasemonkey.

Mozilla bug squashers have rated the severity as normal and are working on a fix. In the meantime, Firefox users can protect themselves by using the NoScript extension, which will prevent the traversal attacks from working.

Story updated to correct information about NoScript.
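The class of bug described above, as an added illustration that is not Mozilla's code: a package-confinement check that inspects the raw, still-escaped request lets "%2e%2e%2f" through, while a check that decodes first and then normalises segment by segment rejects it. The helper names and the sample package root are hypothetical; Firefox's real chrome resolver is C++ and differs in detail.

```javascript
// Added illustration, not Mozilla's code. Helper names and the package root
// used in the tests are hypothetical.

// Naive check: looks for a literal ".." in the raw, still-escaped request.
// "%2e%2e%2f" contains no literal dots, so it passes and is decoded only later,
// which is the shape of the flaw described in the story.
function naiveIsConfined(requested) {
  return !requested.includes("..");
}

// Hardened check: percent-decode first, then normalise segment by segment and
// refuse any request that would pop above the package root. Returns the
// resolved path on success, or null when the request is rejected.
function resolveConfined(packageRoot, requested) {
  let decoded;
  try {
    decoded = decodeURIComponent(requested);
  } catch (e) {
    return null; // malformed escape such as "%zz": reject rather than guess
  }
  const segments = [];
  // Split on forward and back slashes so neither separator can hide a ".."
  for (const seg of decoded.split(/[\/\\]+/)) {
    if (seg === "" || seg === ".") continue;     // empty or current-dir segment
    if (seg === "..") {
      if (segments.length === 0) return null;    // would leave the package root
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  return packageRoot.replace(/\/+$/, "") + "/" + segments.join("/");
}
```

The hardened version accepts ".." only while it stays inside the package, so a legitimate relative reference such as content/../content/main.xul still resolves.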