Risk: High
Two flaws recently discovered in Firefox could permit locally saved files to be accessed by hackers.
Normally, Firefox doesn't allow websites to access files that are stored locally, but this URL permission check is superseded if a Firefox user manually turns off pop-up windows. As a result, an attacker could use this flaw to steal locally stored files and personal information that might be stored in them. A possible scenario for such an attack would involve the user clicking on a malicious link that would furtively plant a target file equipped with an exploit code on the computer's hard drive. Then it would display a prompt asking the user to allow a pop-up to appear in order to play a video file or download. The attacker-supplied file would then be loaded thanks to the browser flaw, which could give the attacker local file read privileges. It appears that this flaw may only apply to older versions of Firefox, prior to the current 2.0 release.
The second flaw concerns Firefox's phishing protection feature. With this vulnerability, an adept phisher could fool the browser into believing that a fraudulent site is actually secure by adding particular characters into the URL of its website. This flaw appears to apply to the current 2.0.0.1 version of Firefox.