RealTime IT News

Missing Mozilla Firefox flaw revealed in release

From the "did you guess that?" files:
Mozilla has revealed the 'mysterious' missing flaw that, through a clerical error, it omitted from the Firefox release earlier this week. It's the "Cross-domain data theft via script redirect error message" flaw dealt with in Mozilla Foundation Security Advisory 2008-65.
This is a "High" impact vulnerability that, if exploited, could potentially have been used by a malicious website to steal private data from users who are authenticated on the redirected website. The attack would have needed a same-domain JavaScript URL that would have redirected victims to a different domain that contains non-parsable JavaScript.
I personally to date have not seen a weaponized version of this attack (though it doesn't on the surface sound to be too difficult to build). Kudos to Mozilla for admitting they made an error here though - and more importantly for fixing it so quickly.
Now Firefox 2.x can finally be put to rest. 

I am, however, curious as to whether or not this same attack is possible in Firefox 3.1 Beta 2, which was not updated for this fix (Firefox was). Firefox 3.1, however, uses the TraceMonkey JavaScript engine and has many security enhancements in it over the regular Firefox 3.x browsers.