We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Critical Firefox fix coming next week

Mozilla ups Firefox 2.0 bug threat

Mozilla has bumped up the threat ranking for an unpatched Firefox bug to 'high', but promised a fix is coming in Version 2.0.0.12, now slated for release on February 5.

The company's head of security, Window Snyder, confirmed that the browser, when running any of more than 600 add-ons, can be exploited to steal "session information, including session cookies and session history".

Snyder's acknowledgment followed an update by Gerry Eisenhaur, the researcher who first reported the Firefox problem. "There seems to be some confusion about what exactly the severity of this vulnerability is," Eisenhaur said on his hiredhacker.com blog. "This is not a chrome privilege escalation, but it [is] worse than just leaking some variables. I created another demo to read the sessionstore.js file. This will display information regarding your current session, [including] windows, tabs, cookies, etc."

Last week, when Eisenhaur broached the subject, Mozilla rated the threat as only 'low', but began working on a patch. Yesterday, Snyder said a patch would be included with Firefox 2.0.0.12, a security update currently scheduled for a February 5 release.

"Firefox is not vulnerable by default," Snyder added. "Only users that have installed 'flat' packed add-ons are at risk."

Her caveat may be a moot point for most Firefox users, however, since such add-ons are legion. For example, a partial list posted on Bugzilla, Mozilla's bug management database, runs to more than 600 Firefox extensions, including YouTube-It and Foxmarks Bookmark Synchronizer. Snyder urged add-on authors to update their extensions by packaging them as .jar (Java Archive) files to make them immune to the vulnerability.

Alternately, Firefox users can install the popular NoScript extension to block exploits, regardless of which add-ons have been installed.


IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

LED vs Halogen: Why now could be the right time to invest in LED bulbs

IDG UK Sites

Christmas' best ads: See great festive spots studios have created to promote themselves and clients

IDG UK Sites

Stop running out of cellular data on your iPhone, see which apps use the most data