Mozilla released Firefox 188.8.131.52 with patches for several vulnerabilities, including the "highly critical" security bug that has been plaguing both Firefox and Microsoft's Internet Explorer.
Security researcher Thor Larholm called the problem an input validation flaw. He explained in a blog post that when Firefox is installed on a system, it registers a URL protocol handler. When IE encounters a reference to content inside the FirefoxURL URL scheme, it calls ShellExecute with the EXE image path and passes the entire request URL without any input validation.
Despite the online debate that has been swirling over whether the flaw resides in Microsoft's IE or Mozilla's open source browser, Window Snyder, Mozilla's "chief security something-or-other," said in a blog post that Mozilla would take care of the issue. A Mozilla advisory released Tuesday pointed out that the patch would not fix the vulnerability in Internet Explorer.
"The vulnerability is exposed when a user browses to a malicious Web page in Internet Explorer and clicks on a specially crafted link," noted Advisory 2007-23. "That link causes Internet Explorer to invoke another Windows program via the command line and then pass that program the URL from the malicious Web page without escaping the quotes. Firefox and Thunderbird are among those which can be launched, and both support a '-chrome' option that could be used to run malware.
"Note: Other Windows applications can be called in this way and also manipulated to execute malicious code. This fix only prevents Firefox and Thunderbird from accepting bad data," the advisory added.
Firefox 184.108.40.206, according to an advisory, also patches a flaw that crashes the browser with evidence of memory corruption, along with another flaw that enables unauthorized access to wyciwyg:// documents. Also being patched is a bug that causes privilege escalation and another that causes file type confusion.