New flaw in the Firefox "jar" protocol handler...

polonus · November 10, 2007, 6:08pm

Hi malware fighters,

A new protocol handling problem has been found in the Firefox “jar” protocol handler, exposing users to site scripting attacks.

Important advisory: latest NoScript development
version offers protection against the XSS dangers
originated by jar: URIs. Please help us testing this
beta.
http://noscript.net/

pol

polonus · November 17, 2007, 5:26pm

Hi malware fighters,

Allthough FF developers knew about the hole since Febr. last, they are still working on a final patch that seems round the corner now:
http://blog.mozilla.com/security/2007/11/16/jar-protocol-xss-security-issues/

pol

DavidR · November 17, 2007, 5:52pm

There is always the latest windows patch which is supposed to address the URI issue with XP and IE7, patch is also for IE6.

http://www.microsoft.com/technet/security/Bulletin/MS07-061.mspx

Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)

Lisandro · November 19, 2007, 6:05pm

Is it available through Windows Updates?

DavidR · November 19, 2007, 6:18pm

Yes it is in the Nov 2007 batch of security updates.

polonus · November 19, 2007, 6:21pm

Hi malware fighters,

See how NoScript protects you:
https://bugzilla.mozilla.org/attachment.cgi?id=289243

pol

Lisandro · November 19, 2007, 6:34pm

Thanks for the test. I’m fully protected.

system · November 20, 2007, 5:42am

polonus

Thanks for the test and i am protected as well.

Cheers crofty59

system · November 20, 2007, 12:54pm

polonus-i uninstalled firefox because of all the security issues,extensions problems i was having and all the other issues it’s having of late-using opera mainly now-will go back to using firefox also when the smoke clears

New flaw in the Firefox "jar" protocol handler...

Announcements