Firefox Flaw, An Internet Explorer Issue
Mozilla's Firefox 220.127.116.11 has a flaw in its latest version that could enable hackers to take control of a user's PC, security researchers allege.
According to at least one researcher, the vulnerability arises when the same computer also runs Microsoft's Internet Explorer. Mozilla is currently working on a fix for the flaw.
Window Snyder, chief security officer of Mozilla, told Internetnews on July 10, 2007 that the company knows about the problem and that its people are developing a patch. Snyder said Mozilla was committed to protecting its users online so that they could browse safely.
Snyder did not say when the patch would be released. The flaw, which security vendor Secunia labeled "highly critical", relates to the "firefoxurl://" uniform resource identifier (URI) handler. This component helps Firefox to communicate with different Web resources. Security researchers working independently claim that the URI handler is exposed to malicious code that could put users at risk.
In an advisory, Billy (BK) Rios, Nate McFeters and Raghav "the Pope" Dube explained that when Firefox 2 is installed, the browser adds the 'firefoxurl' URI to the Windows registry.
The flaw is due to Internet Explorer, independent security researcher Thor Larholm told Internetnews on July 10, 2007. Although Firefox is the current attack vector, Internet Explorer is to blame for not escaping characters when it passes them to the command line. If Firefox registered its URL handler with DDE, it could avoid the command line injection. However, Internet Explorer could still install external applications safely.
Researchers advise users to avoid visiting malicious, unknown or dubious sites and to deactivate the 'Firefox URL' URI handler.
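The escaping problem Larholm describes can be checked for on any registered URL handler. The following Python audit is an added example, not code from the article, the researchers or either vendor: it substitutes a URL containing a raw double quote into a handler's command template and flags the handler if the argument count changes. The scheme names, paths, the `--open` and `--extra` flags and the simplified argument splitter are all assumptions made for illustration.

```python
from urllib.parse import quote

# Constructed sample of registered URL handlers (hypothetical schemes and paths):
# the shell\open\command template and whether a ddeexec subkey is present.
HANDLERS = {
    "exampleurl": {"command": r'"C:\Apps\example.exe" --open "%1"', "ddeexec": False},
    "ddeurl": {"command": r'"C:\Apps\dde.exe" --open "%1"', "ddeexec": True},
    "fixedurl": {"command": r'"C:\Apps\fixed.exe" --home', "ddeexec": False},
}

# Constructed, harmless probe: a URL that contains a raw double quote.
PROBE = 'exampleurl:page" --extra "x'


def split_args(cmdline):
    """Split on whitespace outside double quotes (simplified Windows rules)."""
    args, cur, in_quotes, started = [], "", False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append(cur)
            cur, started = "", False
        else:
            cur, started = cur + ch, True
    if started:
        args.append(cur)
    return args


def launch_argv(template, url, escape):
    """Arguments the handler receives when the caller substitutes url for %1."""
    if escape:
        url = quote(url, safe=":/?&=#")  # '"' becomes %22, space becomes %20
    return split_args(template.replace("%1", url))


def audit(handlers):
    """Return schemes whose argument count changes when a quoted URL is passed raw."""
    flagged = []
    for scheme, entry in handlers.items():
        if entry["ddeexec"] or "%1" not in entry["command"]:
            continue  # per the article, DDE keeps the URL off the command line
        expected = len(split_args(entry["command"]))
        if len(launch_argv(entry["command"], PROBE, escape=False)) != expected:
            flagged.append(scheme)
    return flagged
```

With the caller percent-encoding the URL (`escape=True`), the same probe stays a single argument, which is the behaviour Larholm says Internet Explorer should have provided.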
» SPAMfighter News - 24-07-2007