For those of you who have not been following the computer security news and blogs: there is a new vulnerability in town, and it’s nasty.
The problem lies in the jar: protocol implementation in Firefox. A jar: URI tells the browser to fetch an archive (any file that is a valid zip, whatever its extension), pull out an entry named after the "!/" and render it as if it had been served by the host the archive came from. That lets an attacker conduct XSS against that host and gives him almost limitless possibilities for malware hosting.
Here is an example URI that exploits the issue:
jar:http://www.icmpecho.com/myjarshrine/yarihooo.jpg!/malwareloadingscript.html
Now, instead of copying others’ work, which they have probably spent hours or more on to explain the issue in full, I’ll give you a short recap of the events and of the blog posts that have exposed the issue further and further:
2007-02-08 - Jesse Ruderman logs the bug in the Mozilla Bugzilla tracker. It remains unpatched and not widely known until…
2007-11-07 - Researcher pdp discusses the issue and its potential impact at GNUCitizen. This opens the bug up to a whole new audience and…
2007-11-10 - Beford illustrates the seriousness of this issue, and of issues in the same family, by targeting Google and Gmail, and posts a new bug entry.
2007-11-10 - And then Mario posts at GNUCitizen about other attack vectors, including malware and exploit hosting.
During these last days we have also seen some very strange recommendations from leading security experts at ZDNet, Secunia and US-CERT (and one at The Register as well), as the most excellent Giorgio over at the Hackademix blog has noted.
The problem with the recommendations given by these people and organisations is mainly that they recommend blocking URIs containing "jar:" in web filters and deep-packet-inspecting firewalls, or avoiding "jar:" links. You should understand why this is a total waste of time if you have read the articles above, and in particular Giorgio’s comments on the issue: the jar: scheme is resolved entirely inside the browser. What goes over the wire is an ordinary HTTP GET for the archive (the .jpg in the example above); the "jar:" prefix and the entry path never appear in the request, so there is nothing for a filter to match.
You should also know why if you have ever watched one page load another, as most web-based exploits do (including the one on the Swedish Parliament’s websites this week (Swedish link, sorry)): the victim does not have to follow a "jar:" link, because the attacker’s page can load the jar: URI itself in a frame or a script. My feeling is that the first advisories were rushed out “to be first in the corporate sector” and sloppy research took its toll.
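The two points above, as an added example that is not code from the original post or from any of the projects it links: a small Node.js model of how the browser takes a jar: URI apart and what a proxy or DPI box actually sees when a victim visits an attacker’s page. It uses the URI from the post as sample input; the attacker landing page URL and the "jar:" filter rule are constructed stand-ins for the advice the advisories gave.

```javascript
// Added example (not the post author's code): model of jar: URI resolution,
// used to show why filtering "jar:" on the wire cannot work.

// Split "jar:<archive-url>!/<entry-path>" into its two parts.
// The archive URL must be absolute; "!/" separates it from the entry path.
function parseJarUri(uri) {
  if (!/^jar:/i.test(uri)) {
    throw new Error("not a jar: URI");
  }
  const body = uri.slice("jar:".length);
  const sep = body.indexOf("!/");
  if (sep === -1) {
    throw new Error("jar: URI lacks the '!/' archive/entry separator");
  }
  return {
    archiveUrl: new URL(body.slice(0, sep)), // throws on a relative or bad URL
    entryPath: body.slice(sep + 2),          // path of the file inside the zip
  };
}

// Origin the extracted entry ran under in the vulnerable Firefox builds:
// that of the host the archive was fetched from. This is the XSS part.
function effectiveOrigin(jarUri) {
  return parseJarUri(jarUri).archiveUrl.origin;
}

// The request that actually leaves the browser for a URL. For a jar: URI
// that is a plain GET of the archive: the jar: prefix and the entry path
// are consumed locally, after the bytes arrive, and never hit the network.
function wireRequestFor(uri) {
  const target = /^jar:/i.test(uri) ? parseJarUri(uri).archiveUrl : new URL(uri);
  return (
    `GET ${target.pathname}${target.search} HTTP/1.1\r\n` +
    `Host: ${target.host}\r\n\r\n`
  );
}

// Everything a proxy sees when a victim visits an attacker page that embeds
// the jar: URI in a hidden iframe: two ordinary GETs, no click required.
function wireTraceForVisit(landingUrl, jarUri) {
  return [wireRequestFor(landingUrl), wireRequestFor(jarUri)];
}

// A filter of the kind the advisories recommended: block anything that
// contains "jar:". It is applied to the request text a filter actually sees.
function naiveJarFilterBlocks(requestText) {
  return /jar:/i.test(requestText);
}

// Sample input: the URI from the post, plus a constructed attacker page URL.
const exampleUri =
  "jar:http://www.icmpecho.com/myjarshrine/yarihooo.jpg!/malwareloadingscript.html";
const landingUrl = "http://attacker.example/innocent.html"; // hypothetical

const parts = parseJarUri(exampleUri);
console.log("archive fetched :", parts.archiveUrl.href);
console.log("entry rendered  :", parts.entryPath);
console.log("runs as origin  :", effectiveOrigin(exampleUri));
console.log("filter matches the URI text?      ", naiveJarFilterBlocks(exampleUri));
for (const req of wireTraceForVisit(landingUrl, exampleUri)) {
  console.log("on the wire:\n" + req);
  console.log("filter matches this request?      ", naiveJarFilterBlocks(req));
}
```

The filter rule matches the jar: URI as a string, which is the only place the advisories ever looked, but neither request in the trace contains it, so a web filter or DPI firewall configured that way blocks nothing.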
If you want to protect yourself for real, you might want to download and install the NoScript extension for Firefox, which also handles jar:.
Happy times!