In mid-July, Mozilla released Firefox 18.104.22.168 with patches for several vulnerabilities, including the "highly critical" security bug that has been plaguing both Firefox and Microsoft's Internet Explorer. On Monday, the open-source group shipped workarounds and patches for two related bugs.
The fixes come right before the opening of the BlackHat security conference in Las Vegas this week. Mozilla is expected to release additional security tools there.
One fix -- MFSA 2007-27 -- takes care of an issue where Mozilla did not percent-encode spaces and double-quotes in URIs handed off to external programs for handling. Mozilla tipped its hat to Jesper Johansson, a researcher the group credits with discovering the problem. The flaw, Mozilla noted in the advisory, means receiving programs can mistakenly interpret a single URI as multiple arguments, and with version 22.214.171.124 and older of Firefox and Thunderbird, it could be used to run arbitrary code.
"A similar issue with URIs passed to external handlers was reported by Billy Rios and Nate McFeters," noted the Mozilla advisory. "When running Firefox on Windows XP with IE7 installed, URIs for certain common protocols (such as mailto:) that contain a %00 do not launch the protocol handler registered for that scheme, but instead launch a file handling program based on the file extension at the end of the URI. Coupled with the issue reported by Jesper Johansson, this appears to allow execution of any program installed at a known location and limited argument passing that might be enough to exploit a system."
The second, and smaller, fix -- MFSA 2007-26 -- corrects a bug that was introduced by the fix for MFSA 2007-20. The vulnerability could enable privilege escalation attacks against add-ons that create "about:blank" windows. A Mozilla researcher, called moz_bug_r_a4, is credited with reporting this bug.
After days of fervent online debate, Mozilla admitted about a week ago that Firefox was as much to blame as IE for the problem that caused dangerous data to be passed to third-party applications.
When the issue first came to light earlier this month, security researcher Thor Larholm called the problem an input validation flaw. He explained in a blog post that when Firefox is installed on a system, it registers a URL protocol handler. When IE encounters a reference to content inside the FirefoxURL URL scheme, it calls ShellExecute with the EXE image path and passes the entire request URL without any input validation.