A patched version of Mozilla's Firefox browser released on Friday isn't quite as watertight as it should be, according to a security researcher.
On Friday, shortly after Mozilla released a patch for a high-profile directory-traversal flaw - along with nine other patches - Dutch programmer Ronald van den Heetkamp posted proof-of-concept code which he claims shows that the bug is still exploitable.
The original bug could be exploited to steal "session information, including session cookies and session history" when Firefox was running any of more than 600 add-ons, according to Mozilla, which ranked it as "high" severity.
But the patch that arrived on Friday only fixes "50 percent" of the problem, according to van den Heetkamp.
"I found another information leak that is very serious because we are able to read out all preferences set in Firefox, or just open or include about every file stored in the Mozilla program files directory, and this without any mandatory settings or plugins," he wrote in an advisory.
He said the attack vector had only taken "a couple of minutes" to come up with, and that other similar holes could remain.
Mozilla dismissed the issue as unimportant.
Van den Heetkamp is "simply mistaken" about the matter, according to Mozilla chief evangelist Mike Shaver.
"The files to which Ronald demonstrates access do not have the user’s settings, though he claims otherwise," Shaver wrote in a blog entry. "Those files (the user’s data) are not stored in the Program Files hierarchy on Windows, or the equivalent on other operating systems. Instead, the preference files that he is showing in his 'exploit' are ones that are defaults that are shipped with Firefox, and made freely available on the web."
Among Friday's 10 Firefox patches were three for critical vulnerabilities, which could allow an attacker to read sensitive information, bypass certain security restrictions, conduct spoofing attacks, or compromise a user's system, according to Mozilla.