Security Exploit Uses Internet Explorer to Attack Mozilla Firefox
Wednesday July 11th, 2007
Firefox_User sent us a link to a CNET News.com article about a security threat to Windows users with both Mozilla Firefox and Microsoft Internet Explorer installed. The issue can allow an attacker to remotely trick Firefox into executing potentially malicious code. However, a user has to be running Internet Explorer to actually get exploited.
There's some debate as to where the blame lies — is it IE for passing untrusted data to another application or Firefox for not validating input properly? SecurityFocus refers to the problem as a Microsoft Internet Explorer FirefoxURL Protocol Handler Command Injection Vulnerability, placing the blame with Redmond, while Secunia calls it a Firefox "firefoxurl" URI Handler Registration Vulnerability, pointing the finger at Mozilla. News.com quotes Oliver Friedrichs of Symantec's Security Response Center, who says, "It's a little bit of both."
On the official Mozilla Security Blog, the Mozilla Corporation's Window Snyder (who used to work for Microsoft) says that a fix will be included in the forthcoming Firefox 126.96.36.199. That said, she seems to suggest that she considers this to be mostly a problem with IE, noting that Apple fixed a similar issue with Safari recently. However, according to the ZDNet Zero Day security weblog, Microsoft claims the firefoxurl:// bug "is not a vulnerability in a Microsoft product".
Thanks to roseman for some of the links used in this report.
#5 Does Firefoxurl actually work properly for anyone?
Wednesday July 11th, 2007 8:51 AM
Never heard of this firefoxurl before, so I thought I'd give it a try.
So I tried browsing to a few web pages in IE, replaced the "http" with "firefoxurl" and whilst it appears to get passed to Firefox I then get a dialog from Firefox saying:
External Protocol Request
An external application must be launched to handle firefoxurl: links.
Requested link: firefoxurl://news.bbc.co.uk
Application Firefox
...blah blah security stuff...
If I click Launch Application, I then get a new blank tab in my current Firefox window, and the dialog reappears, and so on in a loop every time I click the Launch Application.
(Firefox 188.8.131.52, Win XP SP2, IE7)