Menu
Researchers reveal another Firefox flaw

Researchers reveal another Firefox flaw

Mozilla Corp. has produced a patch for yet another critical flaw in Firefox, the latest embarrassment in a lengthening list this month for the open-source browser.

Tuesday, security researchers Billy "BK" Rios of VeriSign Inc. and Nathan McFeters of Ernst & Young, posted proof-of-concept code that exploited another URL protocol-handling bug in the Firefox and Netscape browsers.

By Thursday morning, Firefox developers had wrapped up a fix for the newest vulnerability. An automatic update to users, however, has not yet been scheduled.

Like a bug that was patched in Firefox 2.0.0.5 last week and a second that Mozilla acknowledgedMonday, this vulnerability is in Firefox's handing of URLs passed to it by other applications.

The brouhaha began more than two weeks ago, when Danish researcher Thor Larholm spotted what he said was a critical bug in Microsoft Corp.'s Internet Explorer. Larholm argued that an IE input validation bug let the browser pass potentially malicious URLs to other programs, including Firefox. He staked out the position that IE was to blame, while other security experts said it was Firefox's fault.

Monday, Mozilla's head of security admitted that Firefox was just as guilty as IE. "We thought this was just a problem with IE," said Window Snyder. "It turns out, it is a problem with Firefox as well."

The next day, Rios and McFeters spelled out their take. "IE isn't the only browser that has issues dealing with registered URI handlers," Rios said in a warning posted to his blog. "In fact, some of the behavior exhibited by URI handling issues by other browsers can lead to remote command execution." They provided exploit code that forced Firefox to launch other local programs when a malformed URL was passed to it from Internet Explorer 7 on Windows XP SP2. According to the two, only users whose machines have IE 7 as well as Firefox are at risk.

"Just to be clear, this vulnerability is delivered through the Firefox browser, not IE. You simply have to have IE7 installed somewhere on your system for this to work, which is basically most Windows XP SP2 systems," Rios said.

Synder, who responded Wednesday on her blog, said her team was investigating the vulnerability, and added: "The impact to users is unknown at this point in time. In the meantime, advise users to be cautious when browsing unknown sites."

On Thursday, however, Bugzilla shows that a patch has been written and is being tested. The next regular update to Firefox, presumably the first chance to push the patch to users, has not been scheduled.

According to notes from a Monday status meeting, discussions about the scope and timing of the next version, Firefox 2.0.0.6, just started this week.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

The leading female front runners of the New Zealand ICT industry joined together for the annual Reseller News Women in ICT Awards event at the Hilton in Auckland, during which hundreds of guests celebrated 13 outstanding individuals who won awards, chosen from more than 50 finalists representing over 30 organisations.

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards
Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

More than 500 channel leaders gathered in Auckland on 21 October at the ​Reseller News Innovation Awards ​2020 to celebrate the achievements of the New Zealand technology industry's top partners, start-ups, vendors, distributors and individuals.

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners
Show Comments