Vulnerability In Firefox Popup Blocker
cj writes in with news of a vulnerability in Firefox's stock popup blocker discovered by Michal Zalewski. The vulnerability can allow a malicious user to read files from an affected system. The attacker would "need to plant a predictably named file with exploit code on the target system. This sounds hard, but isn't," according to the article.
Is anyone still running 1.5.0? I thought the auto upgrade had handled that months ago.
http://wiki.mozilla.org/Major_Update_1.5.0.x_to_2.0.0.x
Firefox sometimes creates outright deterministic temporary filenames in the system-wide temporary directory when opening files with external applications
And according to him, calculating the seed isn't terribly difficult. srand() is called directly before the random file creation and is seeded with the current time, in milliseconds. That time is possible to obtain within a narrow margin using JavaScript.
http://www.skullsecurity.org/blog/
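To illustrate the seeding problem described in this comment, here is an added C example (not Firefox's code, nor Zalewski's): a clock-seeded rand() name beside an mkstemp() name, with the "plugin-" prefix and the /tmp directory as assumed placeholders.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern, reconstructed for illustration (not Firefox's actual code):
 * srand() is seeded from a millisecond clock and the name comes from rand().
 * Any two callers that agree on the seed derive exactly the same name. */
void weak_temp_name(char *out, size_t len, unsigned int clock_ms) {
    srand(clock_ms);
    snprintf(out, len, "/tmp/plugin-%05u.tmp", (unsigned)rand() % 100000u);
}

/* Returns 1 if a clock estimate reproduces the weak name, i.e. the name is
 * a function of the seed alone and offers no real unpredictability. */
int weak_name_is_deterministic(unsigned int clock_ms) {
    char a[64], b[64];
    weak_temp_name(a, sizeof a, clock_ms);
    weak_temp_name(b, sizeof b, clock_ms);
    return strcmp(a, b) == 0;
}

/* Hardened pattern: mkstemp() fills the XXXXXX from OS randomness and
 * creates the file atomically with O_CREAT|O_EXCL and mode 0600, so a
 * file planted in advance under a guessed name is never opened or reused.
 * The directory is a parameter: prefer a per-user directory over shared /tmp. */
int safe_temp_file(const char *dir, char *path_out, size_t len) {
    if (snprintf(path_out, len, "%s/plugin-XXXXXX", dir) >= (int)len)
        return -1;
    return mkstemp(path_out);   /* returns an fd the caller owns, or -1 */
}

/* Returns 1 if two hardened files get distinct names and private mode bits. */
int safe_file_is_unique_and_private(const char *dir) {
    char p1[256], p2[256];
    struct stat st;
    int f1 = safe_temp_file(dir, p1, sizeof p1);
    int f2 = safe_temp_file(dir, p2, sizeof p2);
    int ok = f1 >= 0 && f2 >= 0 && strcmp(p1, p2) != 0 &&
             fstat(f1, &st) == 0 && (st.st_mode & 0777) == 0600;
    if (f1 >= 0) { close(f1); unlink(p1); }
    if (f2 >= 0) { close(f2); unlink(p2); }
    return ok;
}
```

The weak name repeats for every caller that lands on the same millisecond, while mkstemp() gives a fresh name each call and refuses to reuse an existing path.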
I strongly doubt it does, because you'd fall foul of Vista UAC protection - no user app should go near the system-wide temp directory (that's even if you can find it... %TEMP%, GetTempFileName, etc. will always give you the user one. AFAIK you have to dig into the registry to find the system one, or be running as a system service).
Although a bug exists (file:// bypasses some of the security checks... fixed already, apparently), the theoretical exploit as written isn't usable - probably why there's no working example.
Thanks for the tip. I just checked my temp directory, and I've got stuff dating back to early 2001 in there.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.