Security Exploit Uses Internet Explorer to Attack Mozilla Firefox
Wednesday July 11th, 2007
Firefox_User sent us a link to a CNET News.com article about a security threat to Windows users with both Mozilla Firefox and Microsoft Internet Explorer installed. The issue can allow an attacker to remotely trick Firefox into executing potentially malicious code. However, a user has to be running Internet Explorer to actually get exploited.
There's some debate as to where the blame lies — is it IE for passing untrusted data to another application or Firefox for not validating input properly? SecurityFocus refers to the problem as a Microsoft Internet Explorer FirefoxURL Protocol Handler Command Injection Vulnerability, placing the blame with Redmond, while Secunia calls it a Firefox "firefoxurl" URI Handler Registration Vulnerability, pointing the finger at Mozilla. News.com quotes Oliver Friedrichs of Symantec's Security Response Center, who says, "It's a little bit of both."
On the official Mozilla Security Blog, the Mozilla Corporation's Window Snyder (who used to work for Microsoft) says that a fix will be included in the forthcoming Firefox 22.214.171.124. That said, she seems to suggest that she considers this to be mostly a problem with IE, noting that Apple fixed a similar issue with Safari recently. However, according to the ZDNet Zero Day security weblog, Microsoft claims the firefoxurl:// bug "is not a vulnerability in a Microsoft product".
Thanks to roseman for some of the links used in this report.
#6 more article links on same "FF.vs.MSIE" subject
Wednesday July 11th, 2007 10:40 AM
if you wanna see some more discussion on same topic:
The Register: <http://www.theregister.co…07/07/11/ie_firefox_vuln/>
again, these are just more article links to the "discussion" of this issue.
i kinda like the register's tongue-in-cheek writing style. "...The saying about success having many parents but failure being an orphan seems fitting here.." :)