Mozilla's head of security yesterday confirmed a bug in Firefox that could be used by attackers to scout out a system prior to mounting a more thorough assault.
The flaw is in the browser's chrome protocol ("chrome" is the Firefox term for its user interface), said Window Snyder, Mozilla's chief security officer, responding to reports of the vulnerability and the public posting of a proof-of-concept exploit.
Access to a user's machine would be through one of many Firefox extensions packaged in a flat file structure, rather than collected into a single Java archive, or .jar file, said Snyder. Several popular extensions, including Download Statusbar and Greasemonkey, use a flat file structure. "Users are only at risk if they have one of the 'flat' packaged add-ons installed," Snyder said on the Mozilla security blog.
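
A defender's check for the condition Snyder describes, as an added example that is not from Mozilla or the original article: it lists installed add-ons whose chrome.manifest registers chrome packages from plain directories rather than jar: URIs. It assumes one directory per add-on, each with a chrome.manifest; the sample add-on names and manifests are constructed.

```python
import os
import tempfile

# Manifest instruction types that map a chrome:// package to files on disk.
CHROME_TYPES = {"content", "locale", "skin"}

def flat_registrations(manifest_text):
    """Return (type, package, location) for each chrome registration
    whose location is a plain directory rather than a jar: URI."""
    flat = []
    for raw in manifest_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#") or fields[0] not in CHROME_TYPES:
            continue
        # content <pkg> <location>; locale/skin <pkg> <name> <location>
        idx = 2 if fields[0] == "content" else 3
        if len(fields) <= idx:
            continue  # malformed line, nothing to classify
        location = fields[idx]
        if not location.lower().startswith("jar:"):
            flat.append((fields[0], fields[1], location))
    return flat

def scan_extensions(ext_dir):
    """Map add-on directory name -> flat registrations in its chrome.manifest."""
    report = {}
    for name in sorted(os.listdir(ext_dir)):
        manifest = os.path.join(ext_dir, name, "chrome.manifest")
        if os.path.isfile(manifest):
            with open(manifest, encoding="utf-8", errors="replace") as fh:
                hits = flat_registrations(fh.read())
            if hits:
                report[name] = hits
    return report

def build_sample(root):
    """Constructed sample: one flat add-on and one jar-packaged add-on."""
    samples = {
        "flat-addon@example.invalid":
            "content flatpkg chrome/content/\nskin flatpkg classic/1.0 chrome/skin/\n",
        "jar-addon@example.invalid":
            "content jarpkg jar:chrome/jarpkg.jar!/content/\n",
    }
    for name, text in samples.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "chrome.manifest"), "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for addon, hits in scan_extensions(root).items():
            print(addon, hits)
```
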
Full story at computerworld.com