7/31/2007
01:07 PM

Mozilla Issues Fixes For Two Firefox Bugs

Mozilla releases Firefox version 2.0.0.6 right before it's expected to announce new security tools at this week's BlackHat security conference.

Still battling vulnerabilities that could allow the Firefox browser to pass dangerous data to third-party applications like Microsoft's Internet Explorer, Mozilla this week released Firefox 2.0.0.6 to fix the problem.

In mid-July, Mozilla released Firefox 2.0.0.5 with patches for several vulnerabilities, including the "highly critical" security bug that has been plaguing both Firefox and Microsoft's Internet Explorer. On Monday, the open-source group shipped workarounds and patches for two related bugs.

The fixes come right before the opening of the BlackHat security conference in Las Vegas this week. Mozilla is expected to release additional security tools there.

One fix -- MFSA 2007-27 -- takes care of an issue where Mozilla did not percent-encode spaces and double-quotes in URIs handed off to external programs for handling. Mozilla tipped its hat to Jesper Johansson, a researcher the group credits with discovering the problem. The flaw, Mozilla noted in the advisory, means receiving programs can mistakenly interpret a single URI as multiple arguments, and with version 2.0.0.4 and older of Firefox and Thunderbird, it could be used to run arbitrary code.

"A similar issue with URIs passed to external handlers was reported by Billy Rios and Nate McFeters," noted the Mozilla advisory. "When running Firefox on Windows XP with IE7 installed, URIs for certain common protocols (such as mailto:) that contain a %00 do not launch the protocol handler registered for that scheme, but instead launch a file handling program based on the file extension at the end of the URI. Coupled with the issue reported by Jesper Johansson, this appears to allow execution of any program installed at a known location and limited argument passing that might be enough to exploit a system."
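As an added illustration (not code from Mozilla or from the original article), the sketch below models the percent-encoding issue fixed in MFSA 2007-27: a URI substituted unencoded into a handler command line is split into several arguments, while the encoded form stays a single argument. The handler template `mailer.exe "%1"`, the simplified quote-aware splitter, and the sample URI are assumptions constructed for this example.

```python
# Hypothetical handler registration, modelled on the convention of
# substituting the URI for %1 in a registered command line.
HANDLER_TEMPLATE = 'mailer.exe "%1"'


def split_args(cmdline):
    """Simplified model of quote-aware argument splitting: whitespace
    separates arguments unless it sits inside double quotes."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes   # a quote toggles quoted state
            started = True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args


def encode_for_handoff(uri):
    """Percent-encode the two characters named in MFSA 2007-27."""
    return uri.replace(" ", "%20").replace('"', "%22")


def handler_argv(uri, encode):
    """Return the argument list the external program would receive."""
    if encode:
        uri = encode_for_handoff(uri)
    return split_args(HANDLER_TEMPLATE.replace("%1", uri))


# Constructed sample URI; the trailing option is a harmless placeholder.
SAMPLE = 'mailto:user@example.com" --constructed-option "value'

if __name__ == "__main__":
    print(handler_argv(SAMPLE, encode=False))  # URI leaks into extra arguments
    print(handler_argv(SAMPLE, encode=True))   # URI stays one argument
```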

The second, and smaller, fix -- MFSA 2007-26 -- corrects a bug that was introduced by the fix for MFSA 2007-20. The vulnerability could enable privilege escalation attacks against add-ons that create "about:blank" windows. A Mozilla researcher, called moz_bug_r_a4, is credited with reporting this bug.

After days of fervent online debate, Mozilla admitted about a week ago that Firefox was as much to blame as IE for the problem that caused dangerous data to be passed to third-party applications.

When the issue first came to light earlier this month, security researcher Thor Larholm called the problem an input validation flaw. He explained in a blog post that when Firefox is installed on a system, it registers a URL protocol handler. When IE encounters a reference to content inside the FirefoxURL URL scheme, it calls ShellExecute with the EXE image path and passes the entire request URL without any input validation.

That means if someone using IE visits a Web page that tries to call a Firefox URL, the Microsoft browser will launch Firefox with no other prompting, passing it the URL. Neither browser, according to Mozilla, sanitizes the URL, which would allow an attacker to make Firefox execute malicious JavaScript code. The user would have to visit a maliciously crafted Web page or open a malicious e-mail. User interaction is required.
