Thumb twiddling Mozilla promises fix for privacy-biting bug
Mozilla's head of security has promised a patch for a dangerous vulnerability that's been lurking in the popular Firefox browser for more than eight months.
The new urgency in fixing the jar: protocol handler comes after bloggers in recent weeks demonstrated how the vulnerability could wreak real-world havoc, including allowing attackers to steal a victim's Gmail contacts. Short for Java Archive, the jar: protocol is used to compress Java classes and other types of files into a single file. Problem is, the protocol will open any zip-formatted file without first validating the MIME type of the archived contents. Malicious content is then run in the context of a trusted site.
At The Register.
[ Read more ]