A very non-obvious Firefox security hole plugged

, posted: 21-Mar-2007 13:59

FirefoxA Firefox update arrived,, as I was typing a way here on deadlines. I thought it was a bit odd because came out not so long ago, fixing a whole lot of security issues.

The latest update also sorts out a security problem, but I was intrigued by its nature as it's one of those less-than-obvious things again, and I think it illustrates quite well just how difficult computer security is to get right.

Mozilla implements File Transfer Protocol as per RFC 959, which amongst other things specifies that an FTP server can implement the PASV or Passive command to redirect clients to other IP addresses. Although you wouldn't think such a feature has any security implications, it now turns out that a maliciously-coded FTP server can be used to trick Firefox and other browsers into divulging details about your internal network.

The details on the vulnerability are here on mark@bindshell.net's site but it's worth pointing out that it's not a serious security issue as such but more an unwanted information leakage one. It's not a flaw either per se, but unexpected use of a feature that's been around for donkey's.

Both version 6 and 7 of Internet Explorer are not vulnerable, incidentally, as they ignore the PASV redirection. With, Firefox does the same, so make sure you update to avoid possible unwanted snooping on your network.

If anything, this vulnerability is a good reason to continually evaluate existing standards in the light of an increasingly hostile Internet.

Other related posts:
Do you still use PPTP for your VPN? Don't.
Conficker wreaks havoc
Symantec antivirus makes encrypted files inaccessible on Vista

comments powered by Disqus


Google News search
IT News
PC World New Zealand
Computerworld NZ
PC World and Computerworld Australia
PC World US
Computerworld US
NZ Herald
Virus Bulletin

Content copyright © Juha Saarinen. If you wish to use the content of my blog on your site, please contact me for details. I'm usually happy to share my material as long as it's not for spamblogs and content farms. Please attribute with a link back to this blog. If you wish to advertise on my blog, please drop me an email to discuss the details.
Comments policy All comments posted on this blog are the copyright and responsibility of the submitters in question. Comments commercial and promotional in nature are not allowed. Please ensure that your comments are on topic and refrain from making personal remarks.