Firefox Is Not Vulnerable By Default.


Says Window Snyder. A new post by Window Snyder blames the extension developers, between the lines, for the directory traversal problems in Mozilla products, most notably Firefox. The latest issue has gotten a severity rating of 'high' after some debate. Quite strange: I talked about the directory traversals back in 2007, and noted that this can be an issue. Finally it's accepted as such when someone releases a proof of concept, and suddenly it is severe. So, obviously it isn't enough of an issue when you explain that it's possible to traverse directories; no, you need to release actual exploits to wake them up.

Window Snyder thinks that we as extension developers are doing some insecure jarring. Well, let me wake them up again: it has nothing to do with our plugins --yes, they can facilitate these issues-- but they are not a priori responsible for it. It's a chrome issue that doesn't look after encoded URIs. Almost everywhere in the Mozilla source, URIs are normalized, decoded back, checked to disallow directory slashes, and such things. But not here. No, let's blame the developers that submitted un-jarred extensions. Read that again: un-jarred extensions. They think that the problem stops there. That is a stupid assumption. When Firefox boots up it un-jars itself, so to speak. So, when you run Firefox it's out-of-tha-jar already. That's why the resource:// scheme can traverse back with the same encoded dots. I wrote about it here: Firefox Directory Traversal example. That isn't a plugin, that's Firefox screwing up on a Windows platform.

Sorry to say, but I start to loathe that Mozilla chest pounding about the safest browser more and more each day. Why not just say: "OK, we have a problem, we once again dropped the ball", instead of boasting that Firefox is not vulnerable by default? That is what I would have expected Microsoft to say 10 years ago.
I guess it is good advice to take some time to really fix these issues, instead of patching each and every issue for fifty percent and telling everyone Mozilla can patch it in 10 days. And why even bother? Just write a good browser instead of competing about something that surfers do not care about; the appreciation will follow by itself, I figure.
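The ordering problem described above (a traversal check that does not look at the decoded URI) can be shown with a small added example. This is not Mozilla's code or code from the original post; `PACKAGE_ROOT`, the function names and the sample paths are constructed for illustration.

```javascript
// Added illustration: PACKAGE_ROOT and every sample path are constructed.
const PACKAGE_ROOT = ["profile", "extensions", "sample-ext", "content"];

// Collapse "." and ".." segments the way a filesystem lookup would.
function collapse(segments) {
  const out = [];
  for (const s of segments) {
    if (s === "" || s === ".") continue;
    if (s === "..") out.pop(); else out.push(s);
  }
  return out.join("/");
}

// Flawed order: the traversal check sees the raw string, the decode happens
// afterwards, so encoded dots and slashes are never inspected.
function resolveNaive(uriPath) {
  if (/\.\.[\\/]/.test(uriPath)) return null;
  const decoded = decodeURIComponent(uriPath);
  return collapse(PACKAGE_ROOT.concat(decoded.split(/[\\/]/)));
}

// Corrected order: decode first, treat "/" and "\" both as separators
// (the Windows case), then refuse any path that climbs above the root.
function resolveStrict(uriPath) {
  let decoded;
  try { decoded = decodeURIComponent(uriPath); } catch (e) { return null; }
  if (decoded.includes("\0")) return null;
  const kept = [];
  for (const s of decoded.split(/[\\/]/)) {
    if (s === "" || s === ".") continue;
    if (s === "..") {
      if (kept.length === 0) return null; // would leave the package root
      kept.pop();
    } else {
      kept.push(s);
    }
  }
  return PACKAGE_ROOT.concat(kept).join("/");
}

// Containment check usable on either resolver's output.
function isInsideRoot(resolved) {
  return resolved !== null &&
    (resolved + "/").startsWith(PACKAGE_ROOT.join("/") + "/");
}
```

The check has to run on the same decoded form that is later handed to the filesystem; validating one representation and opening another is what lets the encoded form through.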

