Firefox popup exploit allows file snooping | The Register

Skip to content

Security:

News Tools

Reg Shops

Top Stories

Read more top stories

Related Whitepapers

Solution Brief: Reduce Energy Costs
With Green IT Solutions
Search Engine Link Spam
Risks, Threats, Solution
Gartner Paper: US Data Centers - The Calm Before the Storm
How to handle future energy demands
Enforce Your Email and Web Acceptable Usage Policies
Not Just Words
Gartner Report: How IT Management Can "Green" the Data Center
Establishing energy efficiency
Eliminating the Security Risk of Sending Confidential Information by Email
Email Encryption

The Register » Security » Enterprise Security »

Firefox popup exploit allows file snooping

Pop goes the weasel

By John Leyden → More by this author

Published Wednesday 7th February 2007 19:35 GMT

A vulnerability in Firefox's popup blocker software creates a means to read files from affected systems, security researchers warn.

The flaw, coupled with some tricksy coding, establishes a mechanism for hackers to read user-accessible files on vulnerable system, thereby creating a means to swipe sensitive information. Firefox version 1.5.0.9 is known to be exposed to the exploit. Other versions of the popular web surfing package might also be affected.

The vulnerability was discovered by security researcher Michal Zalewski who said the exploit relies in part on the fact that normal URL permission checks, which would stop remote sites from accessing a user's filespace, are bypassed when a user chooses to manually allow a blocked popup.

For the attack to succeed hackers would have to place a predictably named file with exploit code on the target system, which sounds difficult but is far from impossible as a technical article on the flaw by Securiteam explains. ®

Email Encryption report: Eliminating the Security Risk of Sending Confidential Information by Email

Track this type of story as a custom Atom/RSS feed or by email.

Related stories

Flaws galore in IE and Firefox (5 June 2007)
Mozilla patches faulty patch (7 March 2007)
Firefox fix lances memory corruption bug (26 February 2007)
Broadband routers welcome drive-by hackers (15 February 2007)
The Fear biz is the computer security biz (11 February 2007)
Firefox 2.0: happier browsing, but secure? (30 January 2007)
Firefox update guards against critical flaws (21 December 2006)
IE and Firefox blighted by fake login flaw (23 November 2006)
Firefox outshines IE in phish fight (15 November 2006)
Firefox update aims to lance security bugs (9 November 2006)

Post to Slashdot

Add to del.icio.us

Previous Article

From small embedded OS to the world's most used open mobile OS

whitepaper title

Solution Brief: Reduce Energy Costs

Energy consumption has become a big issue. Dramatically increase server utilization and significantly reduce energy costs through Virtualization..

whitepaper title

Search Engine Link Spam

Spammers are constantly finding new, creative ways to attack your network. Learn how search engine links are the latest weapon of choice.

Whitepapers	Jobs
Reducing your Carbon Footprint A Modern-Day Marriage of Business Benefit and Risk Reduction Software Smart Cards via Cryptographic Camouflage What Every E-Business Should Know about SSL Security and Consumer Trust	Perl/PHP/Rails/HTML/CSS/Javascript developer Object-Oriented Perl Superstars Needed Sr PERL Developer Experiened Perl Developer Full-time PERL / CGI Programmer for UNIX environment

Top 20 stories • All The Week’s Headlines • Archive • Search