It happened in the past and it's happening again: a new directory traversal vulnerability with potential for private data exposure has been publicly disclosed and confirmed by Mozilla, but NoScript users have been protected since August 2007.

NoScript prevents all chrome: URIs from being loaded as scripts in web content, effectively neutralizing this bug (and a bunch of related ones), no matter if the attacker site is "trusted" (i.e. allowed to execute JavaScript) or not.

Security bugs may live ten days only...
A NoScript fix is forever :)
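
As an added illustration (not NoScript's code and not part of the original post), this simplified model shows why the chrome: rule holds even for "trusted" sites: it is evaluated before, and independently of, the JavaScript allowlist. The function names, the request shape and the sample hosts are assumptions made for the example.

```javascript
// Simplified model of a script-load policy. Constructed for illustration;
// this is NOT NoScript's implementation.

// Returns the lower-cased scheme (with trailing ":"), or null if unparseable.
function schemeOf(uri) {
  try {
    return new URL(uri).protocol;
  } catch (e) {
    return null;
  }
}

// request: { type, target, origin }
//   type   - kind of load ("script", "image", ...)
//   target - URI being loaded
//   origin - URI of the document requesting the load
// trustedHosts: Set of hosts the user allowed to execute JavaScript.
function decide(request, trustedHosts) {
  const { type, target, origin } = request;
  if (type !== "script") return "allow"; // this model only covers script loads

  const originScheme = schemeOf(origin);
  const targetScheme = schemeOf(target);
  if (originScheme === null || targetScheme === null) return "block"; // fail closed

  // Assumption: only chrome: documents count as the browser's own UI.
  const originIsWeb = originScheme !== "chrome:";

  // Rule 1: web content never loads a chrome: URI as a script.
  // Checked before the allowlist, so site trust cannot override it.
  if (originIsWeb && targetScheme === "chrome:") return "block";

  // Rule 2: ordinary per-site JavaScript permission.
  if (originIsWeb && !trustedHosts.has(new URL(origin).hostname)) return "block";

  return "allow";
}

// Constructed sample data.
const trusted = new Set(["trusted.example"]);
const chromeScript = "chrome://browser/content/browser.js";
console.log(decide({ type: "script", target: chromeScript,
                     origin: "https://trusted.example/" }, trusted));
```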

8 Responses to “Old NoScript Tricks Blocking New Vulnerabilities”

  1. #1 Gareth Heyes says:

    Awesome work as always Giorgio!

  2. #2 Marco Ramilli says:

    Yes, good job !!
    I've always believed that NoScript was a useful tool but now my belief is much stronger!

  3. #3 Darknico’s Blog » Firefox: Falla Chrome Directory Traversal says:

    [...] As reported by Giorgio Maone, an Italian geek and author of popular Firefox extensions such as FlashGot and NoScript, the powerful security extension NoScript is able to prevent chrome URIs from being loaded as scripts in web content, thus making this bug impossible to exploit, regardless of whether the attacker's site is set as trusted (i.e. it is allowed to execute JavaScript code). [...]

  4. #4 Vinicius K-Max says:

    NOScript is the best!

  5. #5 clic says:

    Great extension, it's the first one I download for Firefox when I have a fresh-install computer ;) - congratulations

  6. #6 Alexandr Ciornii says:

    Is this small vulnerability (allowing reading unimportant files) worth disabling JavaScript? I don't think so.

  7. #7 Giorgio says:

    @Alexander Ciornii:

    1. This was not that small. After an initial rating of "moderate", its security severity escalated to "high" because it actually allowed reading the session store (where authenticated sessions are persisted), and therefore accessing your protected sites.
    2. If you read carefully the 2nd paragraph of my post, you'd know that NoScript blocks this and similar attacks no matter if the site is trusted or not, i.e. you don't need to keep JavaScript on a certain site to be protected.

  8. #8 » Clickjacking Protection By Default says:

    [...] this feature had been introduced mainly to make Gareth Heyes happy, more than one year ago. As often observed with NoScript, an old feature happens to be effective against new threats. Unfortunately, bugs happen too and [...]
