Mozilla still working on JAR: protocol flaw

It was 11 days ago that the JAR: protocol vulnerability in Firefox was reported by pdp.

According to Bugzilla entry #369814, the upcoming Firefox 2.0.0.10 (tests done with Gecko/2007111504) is immune to this vulnerability.

Mozilla security chief Window Snyder has also posted an entry on the Mozilla Security Blog.

However, as a workaround, NoScript version 1.1.7.8 and later may prevent this vulnerability from being exploited, as US-CERT VU#715737 states.

In fact, the Bugzilla report mentioned above had already been filed as security-sensitive on 8th Feb. Petkov's disclosure made it public.

  • Jordan

    And that is why sometimes it takes a little full-disclosure to get things going. How many releases of Firefox have come out since Jesse first privately discovered it?! Too many.