Mozilla to fix 9-month-old JAR URL handling bug

Keywords: Match:

Nov. 19, 2007

Mozilla is working to fix a flaw in the JAR URL handler that could leave Firefox users open to cross-site scripting attacks that are impossible for anti-virus programs to prevent.

It turns out that the vulnerability, first reported in February by Jesse Ruderman, is far more serious than first realized. In fact, it turns out to be endemic to "almost everything that smells like Web 2.0," security researcher Petko D. Petkov, also known as "pdp" of GNUCitizen, wrote in a Nov. 7 posting.

At risk are any applications that allow the upload of JAR/Zip files, such as Web mail clients, collaboration systems or document sharing systems, Petkov wrote. A JAR (Java Archive) file, used for aggregating multiple files into one, is generally used to distribute Java classes and associated metadata, but the protocol is not restricted to use with Java archives and will open any .zip format file.

Document formats, such as the ODT (OpenDocument Text) file format in OpenOffice and the Microsoft Office 2007 Open Document Format, are both based on Zip and as such are particularly vulnerable, Petkov said.

To continue reading this article by Lisa Vaas at eWEEK.com, go here.

(Click here for further information)

Home \| News \| Articles \| Forum \| Polls \| About \| Contact

	Ziff Davis Enterprise Home \| Contact Us \| Advertise \| Link to Us \| Reprints \| Magazine Subscriptions \| Newsletters Tech RSS Feeds \| ROI Calculators \| Tech Podcasts \| Tech Video \| VARs \| Channel News
	Baseline \| Careers \| Channel Insider \| CIO Insight \| DesktopLinux \| DeviceForge \| DevSource \| eSeminars \| eWEEK \| Enterprise Network Security \| LinuxDevices \| Linux Watch \| Microsoft Watch \| Mid-market \| Networking \| PDF Zone \| Publish \| Security IT Hub \| Strategic Partner \| Web Buyer's Guide \| Windows for Devices
	Developer Shed \| Dev Shed \| ASP Free \| Dev Articles \| Dev Hardware \| SEO Chat \| Tutorialized \| Scripts \| Code Walkers \| Web Hosters \| Dev Mechanic \| Dev Archives \| igrep
Use of this site is governed by our Terms of Service and Privacy Policy. Except where otherwise specified, the contents of this site are copyright © 1999-2011 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise is prohibited. Linux is a registered trademark of Linus Torvalds. All other marks are the property of their respective owners.

Home \| News \| Articles \| Forum \| Polls \| About \| Contact

	Ziff Davis Enterprise Home \| Contact Us \| Advertise \| Link to Us \| Reprints \| Magazine Subscriptions \| Newsletters Tech RSS Feeds \| ROI Calculators \| Tech Podcasts \| Tech Video \| VARs \| Channel News
	Baseline \| Careers \| Channel Insider \| CIO Insight \| DesktopLinux \| DeviceForge \| DevSource \| eSeminars \| eWEEK \| Enterprise Network Security \| LinuxDevices \| Linux Watch \| Microsoft Watch \| Mid-market \| Networking \| PDF Zone \| Publish \| Security IT Hub \| Strategic Partner \| Web Buyer's Guide \| Windows for Devices
	Developer Shed \| Dev Shed \| ASP Free \| Dev Articles \| Dev Hardware \| SEO Chat \| Tutorialized \| Scripts \| Code Walkers \| Web Hosters \| Dev Mechanic \| Dev Archives \| igrep
Use of this site is governed by our Terms of Service and Privacy Policy. Except where otherwise specified, the contents of this site are copyright © 1999-2011 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise is prohibited. Linux is a registered trademark of Linus Torvalds. All other marks are the property of their respective owners.