Mozilla Patches Firefox, Tackles Flaw That Affects Firefox And IE

Mozilla noted that the patch does not fix the vulnerability in Microsoft's Internet Explorer.

Sharon Gaudin, Contributor

July 18, 2007

Mozilla released Firefox 2.0.0.5 with patches for several vulnerabilities, including the "highly critical" security bug that has been plaguing both Firefox and Microsoft's Internet Explorer.

Security researcher Thor Larholm called the problem an input validation flaw. He explained in a blog post that when Firefox is installed on a system, it registers a URL protocol handler. When IE encounters a reference to content inside the FirefoxURL URL scheme, it calls ShellExecute with the EXE image path and passes the entire request URL without any input validation.

That means if someone using IE visits a Web page that tries to call a Firefox URL, the Microsoft browser will launch Firefox with no other prompting, passing it the URL. Neither browser, according to Mozilla, sanitizes the URL, which would allow an attacker to make Firefox execute malicious JavaScript code. The user would have to visit a maliciously crafted Web page or open a malicious e-mail. User interaction is required.

Despite the online debate that has been swirling over whether the flaw resides in Microsoft's IE or Mozilla's open source browser, Window Snyder, Mozilla's "chief security something-or-other," said in a blog post that Mozilla would take care of the issue. A Mozilla advisory released Tuesday pointed out that the patch would not fix the vulnerability in Internet Explorer.

"The vulnerability is exposed when a user browses to a malicious Web page in Internet Explorer and clicks on a specially crafted link," noted Advisory 2007-23. "That link causes Internet Explorer to invoke another Windows program via the command line and then pass that program the URL from the malicious Web page without escaping the quotes. Firefox and Thunderbird are among those which can be launched, and both support a '-chrome' option that could be used to run malware.

"Note: Other Windows applications can be called in this way and also manipulated to execute malicious code. This fix only prevents Firefox and Thunderbird from accepting bad data," the advisory added.
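The quote-escaping failure the advisory describes can be reproduced on a model command line. The following is an added example, not code from Mozilla, Microsoft or the advisory. The handler template, executable path, the `-url` and `-injected-option` names and the sample URLs are all constructed assumptions, and the splitter is a simplified stand-in for Windows argument parsing.

```python
import re

# Assumed handler template (constructed; the article does not give the registered value).
HANDLER_TEMPLATE = '"C:\\Program Files\\Browser\\browser.exe" -url "%1"'

BENIGN = 'firefoxurl:http://example.com/'        # constructed sample
CRAFTED = 'firefoxurl:x" -injected-option "y'    # constructed sample with raw quotes

def split_args(cmdline):
    """Simplified splitter: a double quote toggles quoting, whitespace outside
    quotes separates arguments. Backslash rules are deliberately omitted."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append(''.join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append(''.join(cur))
    return args

def build_unsafe(url):
    # Caller behaviour described in the article: URL substituted with no escaping.
    return HANDLER_TEMPLATE.replace('%1', url)

def escape_url(url):
    # Percent-encode characters that could end the quoted argument.
    return re.sub(r'["\s<>`]', lambda m: '%%%02X' % ord(m.group()), url)

def build_safe(url):
    # Caller-side fix: escape before substitution.
    return HANDLER_TEMPLATE.replace('%1', escape_url(url))

def receiver_accepts(argv):
    # Receiving-side check: expect exactly [exe, '-url', url]; refuse anything else.
    return len(argv) == 3 and argv[1] == '-url'

if __name__ == '__main__':
    for label, cmd in (('unsafe', build_unsafe(CRAFTED)), ('safe', build_safe(CRAFTED))):
        argv = split_args(cmd)
        print(label, len(argv), argv[1:], 'accepted' if receiver_accepts(argv) else 'rejected')
```

The unescaped command line splits into five arguments instead of three, which is how a URL turns into an extra program option; the receiving-side check corresponds to the advisory's point that the fix only stops Firefox and Thunderbird from accepting bad data.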

Firefox 2.0.0.5, according to an advisory, also patches a flaw that crashes the browser with evidence of memory corruption, along with another flaw that enables unauthorized access to wyciwyg:// documents. Also being patched is a bug that causes privilege escalation and another that causes file type confusion.
