Technology news and Jobs 
Information Technology News Internet Explorer used to trigger Firefox exploit
Information Technology News Internet Explorer used to trigger Firefox exploit | Internet Explorer used to trigger Firefox exploit |
|
| by Stephen Withers | |
| Thursday, 12 July 2007 | |
  
Featured Whitepaper
5 Best Practices for Smartphone Support
Unfortunately, Firefox does not check the sanity of the link it is passed, and it will execute JavaScript. Internet Explorer doesn't check a link before it is passed to a handler, so this has the potential to allow remote system access. So who is at fault? Opinions vary. Some blame Microsoft for failing to escape any quotes before passing the string to the handler, others argue that Firefox should validate the string it receives. Those who favour a belt and braces approach point the finger at both companies. A precedent has been set by Apple, which took it upon itself to fix a similar issue involving Safari and Firefox. We feel there's a parallel with antivirus software: you run AV not just to protect against incoming infected files, but also to reduce the risk of sending an infected file to someone else. Similarly, the primary responsibility to check a link (or any other data) must rest with the receiving program, but the sender should be a good citizen and test for any well-known tricks. This is especially true where the sending program didn't generate the data but is merely forwarding it from another source. Firefox itself is not vulnerable to a direct attack using firefoxurl:// links. Mozilla has announced that Firefox 2.0.0.5 (scheduled for release on July 19) will check for potentially malicious data, but warns that "Other Windows programs may also be vulnerable to bad data being passed from IE although we are not aware of any at this time."
|
Tags
| < Next story in category | Previous story in the category > |
|---|
