Firefox Flaw, An Internet Explorer IssueMozilla's Firefox 2.0.0.4 has a flaw in its latest version that could enable hackers to arbitrarily commandeer and gain control of a user's PC, alleges security researchers. According to the claim of at least one researcher, the vulnerability takes place when the same computer runs Microsoft's Internet Explorer. In any case, Mozilla at present is trying to find a fix to repair the flaw. Window Snyder, chief security officer of Mozilla told Internetnews on July 10, 2007 that the company knows about the existence of the problem and that its people are developing a patch. He said Mozilla was committed to protect its users online, so they could experience safe browsing. Snyder did not articulate the time of release of the patch. The flaw that security vendor Secunia labeled "highly critical" relates to the "firefoxurl://" uniform resource identifier (URI) handler. This component helps Firefox to communicate with different Web resources. Security researchers working independently claim that the URI is exposed to malicious code that could turn out risky for users. In an advisory, Billy (BK) Rios, Nate Mcfeters and Raghav "the Pope" Dube explained that on installing Firefox 2, the browser adds the 'firefoxurl' URI in the Windows registry. With the help of this, applications delivering HTML like Internet Explorer could spawn Firefox. But when parameters of the firefoxurl transmit without any intermediaries to the firefox.exe as options devoid of validation, the danger arises. The advisory further said that with the application of the firefoxurl URL, Internet Explorer browser or similar Windows-based browsers could install Firefox and then JavaScript Code instantly. The flaw is due to Internet Explorer, told independent security researcher Thor Larholm to Internetnews on July 10, 2007. Although Firefox is the present medium of attack, Internet Explorer is to blame for not steering clear of characters while passing them in line with the command order. If Firefox registers its URL handler with DDE it could avoid the command order injection. However, Internet Explorer could still install external applications safely. Researchers advise the users to avoid visiting malicious sites as well as the unknown and dubious ones and to deactivate the 'Firefox URL' URI handler. Related article: Firefox Gets Vulnerable With JavaScript » SPAMfighter News - 7/24/2007 |    |
Dear Reader
We are happy to see you are reading our IT Security News.
We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!
 |  |
