A vulnerability in the way browsers handle the jar: URI scheme has been announced. The way that browsers, notably Firefox, process jar: URIs allows for persistent cross-site scripting. Any file with the MIME type of zip can be used to exploit this vulnerability, even without the .zip extension. There is no workaround for this issue right now. In the meantime, options include never visiting jar: links in web pages, or installing the development version of the NoScript extension for Firefox. The Firefox development team is working on a resolution, but one is not available at this time. For more information, visit the Mozilla bugs page at https://bugzilla.mozilla.org/show_bug.cgi?id=369814.
In other vulnerability news, a PoC has been released for a stack overflow in Adobe Shockwave. Sun Solaris’ version of Mozilla (1.7) is vulnerable to several issues and should be upgraded.