A flaw in the pop-up blocker of the open-source browser Firefox could allow an attacker to access local files, according to security analysts.
The flaw, however, does not affect Firefox 2.0, the latest version of the browser, but version 18.104.22.168, according to Beyond Security, which credited the find to Michal Zalewski.
The attack could occur if a user manually allows a pop-window to appear. The browser normally blocks access to local files, but when a pop-up is manually allowed, "normal URL permission checks are bypassed," Beyond Security said.
To make the hack work, however, a malicious file containing the exploit code would have to already be on the system, the advisory said. The file could be planted on the system by enticing a user to click on a link that would download the file.
The malicious file could then enable access to other files, which could be transferred to a remote server. Mozilla Corp., the distributor of Firefox, could not immediately comment on the report.