WARNING: This is a dry, technical diary. No candidate impaled in the writing of this diary./WARNING
Yes, I realize that this board is dedicated to electing Democrats, and that computers and internet browsers have little to do with electing Democrats (unless, of course, you are part of the blogosphere, in which case the browser is THE most effective weapon in your arsenal).
I am writing this diary here, not just to inform you of the latest critical bug in a web browser, but to also illustrate the point that there is no SAFE anything in the computer world. Computers, and everything on them, are as "safe" as you make them.
So, please permit me to relay this little security announcement regarding a new vulnerability in Mozilla, and, by extension, Firefox.
Relaying this info is necessary because I have read quite a few postings here that encourage people to choose one browser over the other because one is "safe" and the other is not.
The completely non-geeky description of this bug is as follows:
THE PROBLEM:
Mozilla has a vulnerability that allows the stealing of (internet browser) cookies and other files from your computer if you visit a malicious site.
COOKIE? WHAT COOKIE?
- Cookies are small pieces of data stored on your computer that allow the browser to more efficiently help you get on a website and conduct whatever business needs to be conducted.
- Cookies can hold a little information, or they can hold quite a lot.
- If an attacker can steal the cookies for your online bank, they can use the information to conduct nefarious activities on your bank account, without your knowledge.
- So, yeah, stealing your cookies is not an innocuous breach of security.
- It is also relevant to point out that, with this vulnerability, an attacker can steal much more than JUST COOKIES from your computer.
WHAT IS IMPACTED:
It is hard to describe this without getting technical, or silly. But Mozilla is the underlying engine that powers browsers like Firefox. A flaw in one of Mozilla's components can be actively exploited to gain access through Firefox (actually, Firefox add-ons) to session cookies and other files stored on your computer.
Firefox itself is NOT the problem. And this flaw can only be exploited in Firefox if you have installed some "add-ons". A partial list of add-ons known to make Firefox vulnerable, in this case, is available here, so if you have any of those, then your Firefox is susceptible to this vulnerability.
PROTECTION:
IF you have any of the add-ons listed in that link, your best bet is to enable "NoScript" in Firefox. Alternatively, just disable or tune Firefox's JavaScript support.
This bug has been fixed in Firefox 2.0.12, which will be released soon.
THE GEEKY PART (for those interested):
- It's possible to steal data from sessionstore.js including cookies
- Chrome Protocol Directory Traversal issue
- Firefox chrome: URL Handling Directory Traversal