- Nokia's new N97 vs. the iPhone
- Talk-powered cell phones?
- FBI: Copper thieves jeopardize U.S. infrastructure
- 10 Microsoft research projects
- Smartphone smackdown: Storm vs. iPhone
Mozilla is working to fix a browser flaw that could give attackers unauthorized access to data on a victim's machine.
The problem is similar to other data leakage flaws found in the open-source browser, according to researcher Gerry Eisenhaur, who first reported the problem on Saturday.
Eisenhaur has posted sample code that reads the contents of a Mozilla Thunderbird preferences file, but he believes that attackers could get access to more information with variations on his attack. "It's possible to load any JavaScript file on a victim's machine," he wrote in his blog posting. "This looks very interesting and may have bigger potential, but for now, it's just another information disclosure [flaw]."
"It could become something more if there was an application that stored sensitive data inside JavaScript files," he said via instant message. "Some plugins have been known to store usernames and passwords."
"Its also just a powerful way to do recon," he added.
Hackers have discovered a number of flaws in recent months that take advantage of the way that browsers pass information between different components within the Windows operating system. Some of these URI (Uniform Resource Identifier) protocol handler flaws have led to serious security problems for both Firefox and Internet Explorer.
This latest flaw affects only certain Firefox add-ons, such as the Download Statusbar or Greasemonkey, which store scripts in a fashion that lets them be discovered on the hard drive, said Window Snyder, Mozilla's security chief in a Wednesday blog posting.
Firefox is investigating the issue and has rated it as a low-severity problem, she said.
Rss FeedRss Feed
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 The Leader in Network Knowledge© 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comment