Mozilla Issues Fixes For Two Firefox Bugs - InformationWeek
7/31/2007
01:07 PM
Mozilla Issues Fixes For Two Firefox Bugs

Mozilla releases Firefox version 2.0.0.6 right before it's expected to announce new security tools at this week's BlackHat security conference.

Still battling vulnerabilities that let dangerous data pass between the Firefox browser and third-party applications, including Microsoft's Internet Explorer, Mozilla this week released Firefox 2.0.0.6 to fix the problem.

In mid-July, Mozilla released Firefox 2.0.0.5 with patches for several vulnerabilities, including the "highly critical" security bug that has been plaguing both Firefox and Microsoft's Internet Explorer. On Monday, the open-source group shipped workarounds and patches for two related bugs.

The fixes come right before the opening of the BlackHat security conference in Las Vegas this week. Mozilla is expected to release additional security tools there.

One fix -- MFSA 2007-27 -- takes care of an issue where Mozilla did not percent-encode spaces and double-quotes in URIs handed off to external programs for handling. Mozilla credited researcher Jesper Johansson with discovering the problem. The flaw, Mozilla noted in the advisory, means a receiving program can mistakenly interpret a single URI as multiple command-line arguments, and in Firefox and Thunderbird 2.0.0.4 and older it could be used to run arbitrary code.

"A similar issue with URIs passed to external handlers was reported by Billy Rios and Nate McFeters," noted the Mozilla advisory. "When running Firefox on Windows XP with IE7 installed, URIs for certain common protocols (such as mailto:) that contain a %00 do not launch the protocol handler registered for that scheme, but instead launch a file handling program based on the file extension at the end of the URI. Coupled with the issue reported by Jesper Johansson, this appears to allow execution of any program installed at a known location and limited argument passing that might be enough to exploit a system."

The second, and smaller, fix -- MFSA 2007-26 -- corrects a bug that was introduced by the fix for MFSA 2007-20. The regression could enable privilege escalation attacks against add-ons that create "about:blank" windows. A researcher known as moz_bug_r_a4 is credited with reporting this bug.

After days of fervent online debate, Mozilla admitted about a week ago that Firefox was as much to blame as IE for the problem that caused dangerous data to be passed to third-party applications.

When the issue first came to light earlier this month, security researcher Thor Larholm called the problem an input validation flaw. He explained in a blog post that when Firefox is installed on a system, it registers a URL protocol handler. When IE encounters a reference to content inside the FirefoxURL URL scheme, it calls ShellExecute with the EXE image path and passes the entire request URL without any input validation.

That means if someone using IE visits a Web page that tries to call a Firefox URL, the Microsoft browser will launch Firefox with no other prompting, passing it the URL. Neither browser, according to Mozilla, sanitizes the URL, which would allow an attacker to make Firefox execute malicious JavaScript code. The user would have to visit a maliciously crafted Web page or open a malicious e-mail. User interaction is required.
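The two problems described above share one mechanism: a URL is spliced textually into a command line for ShellExecute, and the receiving program's command-line parser then decides where arguments begin and end. The following Python example is added here to show that mechanism; it is not Mozilla's code or anything from the advisory. It implements the classic Windows argument-splitting rules, builds a handler command line from an assumed template (the EXE path, the -url and -requestPending switches and the %1 placeholder are assumptions about the shape of such a registration, not values taken from the article), and contrasts the unescaped hand-off with a hardened one that percent-encodes spaces and double-quotes (the MFSA 2007-27 approach) and refuses URIs carrying a %00, the trigger for the file-extension dispatch described for Windows XP with IE7. The -harmless-demo token is a placeholder standing in for whatever extra argument an attacker could smuggle.

```python
import re

# Assumed handler registration (illustrative shape only, not the real registry value):
# ShellExecute replaces %1 with the entire request URL, escaping nothing.
HANDLER_TEMPLATE = r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url "%1" -requestPending'


def build_command_line(template: str, uri: str) -> str:
    """Mimic the ShellExecute substitution step: %1 is replaced textually."""
    return template.replace("%1", uri)


def win_split(cmdline: str) -> list[str]:
    """Split a command line the way CommandLineToArgvW / classic MSVCRT do:
    whitespace separates arguments outside double quotes, a double quote toggles
    quoted mode, and backslashes are literal unless they precede a quote
    (2n backslashes + quote -> n backslashes and a delimiter quote,
     2n+1 backslashes + quote -> n backslashes and a literal quote).
    Simplifications: argv[0] gets the same treatment as the other arguments, and
    the later rule turning "" inside quotes into a literal quote is not modelled."""
    args: list[str] = []
    cur: list[str] = []
    in_quotes = False
    have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:            # odd: the quote is a literal character
                    cur.append('"')
                    j += 1
                # even: leave the quote for the next iteration to toggle quoted mode
            else:
                cur.append("\\" * count)
            have_arg = True
            i = j
        elif ch == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(ch)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args


class UnsafeURIError(ValueError):
    """Raised when a URI must not be handed to an external program at all."""


def escape_for_handoff(uri: str) -> str:
    """Hardened hand-off: percent-encode space, double-quote and control characters
    so the receiver's command-line parser never sees them, and refuse URIs that
    carry a raw or percent-encoded NUL, which could change which program the
    receiver dispatches to. Existing percent-escapes are left alone."""
    if "\x00" in uri or re.search(r"%00", uri, re.IGNORECASE):
        raise UnsafeURIError("URI contains a NUL byte")
    out = []
    for ch in uri:
        if ch in ' "' or ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append(f"%{ord(ch):02X}")
        else:
            out.append(ch)
    return "".join(out)


def is_safe_for_handoff(uri: str) -> bool:
    try:
        escape_for_handoff(uri)
        return True
    except UnsafeURIError:
        return False


def argv_for(uri: str, harden: bool) -> list[str]:
    """Return the argv the external program would see for this URI."""
    if harden:
        uri = escape_for_handoff(uri)
    return win_split(build_command_line(HANDLER_TEMPLATE, uri))


# Constructed sample: a quote and spaces inside the URI close the -url argument early.
CRAFTED_URI = 'firefoxurl://example.test/" -harmless-demo "x'

if __name__ == "__main__":
    print("unescaped:", argv_for(CRAFTED_URI, harden=False))
    print("hardened: ", argv_for(CRAFTED_URI, harden=True))
    print("%00 URI accepted?", is_safe_for_handoff("mailto:someone@example.test%00.txt"))
```

Run unescaped, the single crafted URI arrives as three argv entries, one of them the injected -harmless-demo switch; run hardened, the same URI arrives as exactly one -url value with the quote and spaces encoded as %22 and %20, and a URI containing %00 is rejected before any hand-off. Encoding only the characters the parser cares about keeps ordinary URIs, including ones that already contain percent-escapes, byte-for-byte unchanged.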
