Mozilla has taken another security blow with the discovery that Google user accounts can be accessed through a dangerous Firefox exploit.<\/p>\n
The vulnerability, which is still in the wild some 10 days after its discovery on gnucitizen.org, allows hackers to access Google accounts, including Gmail, with cross-site scripting attacks.<\/p>\n
A client or server-side exploit can be inserted into .zip files via open document formats from Microsoft Office 2007 and OpenOffice, and uploaded to a server where the Firefox JAR protocol extracts the compressed data.<\/p>\n
While Mozilla has not issued a solution to the problem, application firewalls and proxy servers can be used to block Windows Universal Resource Identifiers (URIs) that contain the JAR protocol, while Web administrators can use a reverse proxy to prevent malicious content from being uploaded.<\/p>\n
Users can download a NoScript add-on for Firefox to block JavaScript and executable content from untrusted Web sites, and can secure their Google accounts by remaining signed out whenever possible.<\/p>\n