Business IT - Technology for your business


Firefox 2.0.0.6 delivers more security fixes

Business IT - Open Source

Firefox 2.0.0.6 has been rolled out less than two weeks after its predecessor in order to squash a pair of bugs, one of which was introduced by a fix in version 2.0.0.5.

The more serious issue fixed concerns the encoding of URIs passed to external programs. The Mozilla team rated this vulnerability as 'critical'.

It is the equivalent of a vulnerability that the Mozilla team had previously attributed to Internet Explorer, in which IE could be induced to pass a specially-formed link to Firefox.

Firefox 2.0.0.5 added code to safely handle URLs passed to it that contain unescaped quotes and spaces, and now version 2.0.0.6 ensures that spaces and double quotes are percent-encoded before passing them to external programs.
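The effect of that encoding step can be shown with a short added example. It is not Mozilla's code: the handler template, the sample URI and all function names are hypothetical, and the argument splitter is a simplified stand-in for real command-line parsing.

```javascript
// Added illustration of percent-encoding a URI before it reaches an external
// program. Not Mozilla's code; every name here is hypothetical.

// Encode the two characters the article names: space and double quote.
function encodeForExternalProgram(uri) {
  return uri.replace(/[ "]/g, (ch) =>
    "%" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0"));
}

// Simplified splitter (assumption): a double quote toggles quoting and
// unquoted whitespace separates arguments. Real parsers have more rules.
function splitCommandLine(line) {
  const args = [];
  let cur = "";
  let inQuotes = false;
  let started = false;
  for (const ch of line) {
    if (ch === '"') {
      inQuotes = !inQuotes;
      started = true;
    } else if (/\s/.test(ch) && !inQuotes) {
      if (started) { args.push(cur); cur = ""; started = false; }
    } else {
      cur += ch;
      started = true;
    }
  }
  if (started) args.push(cur);
  return args;
}

// Hypothetical handler registration: a program and one quoted URI slot.
const HANDLER_TEMPLATE = '"handler.exe" -url "%1"';

function buildCommand(uri, encode) {
  const value = encode ? encodeForExternalProgram(uri) : uri;
  // Function replacement avoids "$" patterns in the URI being interpreted.
  return HANDLER_TEMPLATE.replace("%1", () => value);
}

// Constructed sample URI containing a double quote and spaces.
const SAMPLE_URI = 'mailto:user@example.test" -extra "x';

// Number of arguments the external program would receive.
function argCount(uri, encode) {
  return splitCommandLine(buildCommand(uri, encode)).length;
}
```

Without encoding, the sample URI closes the quoted slot early and the handler sees five arguments; with encoding it stays a single URI argument and the handler sees three.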

The issue was raised by Jesper Johansson, formerly a senior security strategist with Microsoft, who suggested that blaming Internet Explorer for passing unescaped strings to Firefox while Firefox contained a similar failing was a case of people in glass houses throwing stones.

The second ('moderate') vulnerability addressed by Firefox 2.0.0.6 allowed privilege escalation by manipulating certain addons. That problem was introduced in version 2.0.0.5's fix for a low-impact vulnerability.
