Mozilla's chief of security has confirmed a vulnerability that could cause fully patched versions of Firefox to expose a user's private data.

The confirmation, which was posted here by Mozilla's Window Snyder, follows the release of proof-of-concept code by researcher Gerry Eisenhaur.

The bug resides in Firefox's chrome protocol scheme and allows for a directory traversal when certain types of extensions are installed. Attackers could use it to detect if certain programs or files are present on a machine, gaining information to use in perpetrating another, more malicious exploit.

Normally, Firefox's chrome package is restricted to a limited number of directories, but a bug in the way it handles escaped sequences (i.e. %2e%2e%2f) allows attackers to escape those confines and access more sensitive parts of a user's computer. The exploit only works if a user has made use of Firefox extensions that are "flat," this is, those that don't package their files in a jar archive. Examples of flat add-ons include Download Statusbar and Greasemonkey.

Mozilla bug squashers have rated the severity as normal and are working on a fix. In the meantime, Firefox users can protect themselves by using the NoScript extension, which will prevent the traversal attacks from working. ®

Story updated to correct information about NoScript.

Related stories

• Firefox developers tinker with new security protections (finally) (20 May 2008)
• Firefox language pack provides adware back-door (8 May 2008)
• Opera screeches at Mozilla over security disclosure (18 February 2008)
• Firefox 3 beta is live (13 February 2008)
• Firefox updates, blitzes trio of critical bugs (8 February 2008)
• Mozilla pulls offensive viral campaign (8 January 2008)
• Contest seeks the most diminutive XSS worm (5 January 2008)
• Firefox spoofing bug raises phishing fears (4 January 2008)
• Beware of pickpockets and malware-laced banner ads (4 January 2008)
• Serious Flash vulns menace at least 10,000 websites (21 December 2007)