A vulnerability in how Firefox handles chrome: addresses, which are used to load specific Firefox and extensions’ interface elements like windows, buttons and dialogs, could allow a malicious site to access local files in known locations.

The vulnerability affects extensions that are installed as a set of uncompressed files, as opposed to the more common .jar files. Download Statusbar and Greasemonkey are some of the most popular extensions affected.

Devon Jensen, developer of Download Statusbar has promptly released an update (0.9.5.3) that repackages the extension as a .jar file. If you are using this extension you can update by loading the Addons Manager (in the Tools menu, select Add-ons) and clicking on Find Updates.

There are many extensions that are deployed this way so it’s very hard to tell if you are affected or not. In the meantime you may want to disable temporarily your less frequently used extensions.

Mozilla Security has acknowledged the vulnerability (with an initial serverity of low) and is working on a solution as you read this.