Status update for Chrome Protocol Directory Traversal issue

01.29.08 - 05:33pm

Background on this issue is available here.

Impact

An attacker can use this vulnerability to collect session information, including session cookies and session history.  Firefox is not vulnerable by default.  Only users that have installed “flat” packed add-ons are at risk.  Discussion about “flat” packaged add-ons is here.  A partial list of “flat” packed add-ons is available here.  If you are an author of any of these add-ons, please release an update to your add-on that uses .jar packaging.

This bug is tracking the additional information:

https://bugzilla.mozilla.org/show_bug.cgi?id=413451

Status

Based on this new information Mozilla has changed the security severity rating to high.  A fix is included in Firefox 2.0.0.12 which be available shortly.

Category: Firefox, Security, Security Updates, Vulnerabilities |

chrome protocol directory traversal Firefox 2.0.0.12 is now available

The Conversation {3 comments}

  1. Jason Barnabe {Tuesday January 29, 2008 @ 8:26 pm}

    I’m fairly sure you can release 2.0.0.12 and get it into the hands of users before I can new versions of my extensions approved and updated on my users’ systems, so I’ll just wait this one out.

  2. Ronald van den Heetkamp {Thursday January 31, 2008 @ 2:07 am}

    Some comments:

    http://www.0×000000.com/index.php?i=503

  3. Jeff Walden {Thursday January 31, 2008 @ 3:07 am}

    Sorry, Ronald, but I don’t see “boasting” or “blame” there — just matter-of-fact statements, and a note that extensions that can update quickly enough can reduce the number of vulnerable users until the real fix happens.

Speak Your Peace

  • Comment Policy:Could go here if there's a nagging need Login Instructions: Would go here if there's a desire.