[ insider_reports_insider ]
Jarring Firefox Exploit Endangers Google Accounts
David Utter
Staff Writer
2007-11-14
 Insider Reports RSS Feed
Through the use of a malicious .jar file, an attacker could grab details of a victim's Google Account, and the flaw enabling this has been known for months.
 | | Jarring Firefox Exploit Endangers Google Accounts |  |
The flaw in question has been part of Mozilla's Bugzilla tracking system since February 2007. It just gained a little more urgency as details of a dangerous way it could be exploited have been revealed.
Well-known security researcher Petko D. Petkov, a.k.a pdp, recently posted a discussion of the dangers of .jar on the GNUCITIZEN blog. "The protocol is nothing more but a mechanism for pulling content from compressed files," pdp said in briefly describing what .jar does.
The issues with it quickly become much more serious in the context of how this flaw can affect the real-world Internet user:
Once the malicious Zip/Doc/Odt/Etc/Etc/Etc file is uploaded/shared attackers will be able to cross-script the origins in whatever way they like. My research led to the discovery of many applications that are affected by this issue including some coming from top software vendors such as Google and Microsoft. Their number is so big that it makes almost no sense to try to list them all here or even be bothered to individually investigate all of the related issues in detail. The root cause is only one: the jar: URL protocol handler.
Another security researcher, beford, found the .jar problem being compounded by open redirect issues at Google that have yet to be corrected. Meanwhile, DailyApps tested this exploit against a Google Account and found it does work.
As a workaround for Firefox users, the latest version of the NoScript add-on will protect against these .jar attacks.
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.
More insider_reports_insider Articles
Insider Reports RSS Feed
|
|
iEntry 10th Anniversary
RSS
Archive
