Explore the latest news and trends  

Sign up for our weekly security newsletter

Be the first to receive important updates on security


Firefox Flaw, An Internet Explorer Issue

Mozilla's Firefox has a flaw in its latest version that could enable hackers to arbitrarily commandeer and gain control of a user's PC, alleges security researchers.

According to the claim of at least one researcher, the vulnerability takes place when the same computer runs Microsoft's Internet Explorer. In any case, Mozilla at present is trying to find a fix to repair the flaw.

Window Snyder, chief security officer of Mozilla told Internetnews on July 10, 2007 that the company knows about the existence of the problem and that its people are developing a patch. He said Mozilla was committed to protect its users online, so they could experience safe browsing.

Snyder did not articulate the time of release of the patch. The flaw that security vendor Secunia labeled "highly critical" relates to the "firefoxurl://" uniform resource identifier (URI) handler. This component helps Firefox to communicate with different Web resources. Security researchers working independently claim that the URI is exposed to malicious code that could turn out risky for users.

In an advisory, Billy (BK) Rios, Nate Mcfeters and Raghav "the Pope" Dube explained that on installing Firefox 2, the browser adds the 'firefoxurl' URI in the Windows registry.

With the help of this, applications delivering HTML like Internet Explorer could spawn Firefox. But when parameters of the firefoxurl transmit without any intermediaries to the firefox.exe as options devoid of validation, the danger arises. The advisory further said that with the application of the firefoxurl URL, Internet Explorer browser or similar Windows-based browsers could install Firefox and then JavaScript Code instantly.

The flaw is due to Internet Explorer, told independent security researcher Thor Larholm to Internetnews on July 10, 2007. Although Firefox is the present medium of attack, Internet Explorer is to blame for not steering clear of characters while passing them in line with the command order. If Firefox registers its URL handler with DDE it could avoid the command order injection. However, Internet Explorer could still install external applications safely.

Researchers advise the users to avoid visiting malicious sites as well as the unknown and dubious ones and to deactivate the 'Firefox URL' URI handler.

Related article: Firefox Gets Vulnerable With JavaScript

» SPAMfighter News - 7/24/2007

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Dear Reader

We are happy to see you are reading our IT Security News.

We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!

Go back to previous page