A vulnerability in Firefox can be exploited by presenting Internet Explorer with a particular type of malicious link.
Reported by Secunia, the issue revolves around the firefoxurl:// URI handler that instructs the system to open the specified URL in Firefox. This handler is added to the system alongside Firefox.
Unfortunately, Firefox does not check the sanity of the link it is passed, and it will execute JavaScript. Internet Explorer doesn't check a link before it is passed to a handler, so this has the potential to allow remote system access.
So who is at fault? Opinions vary. Some blame Microsoft for failing to escape any quotes before passing the string to the handler, others argue that Firefox should validate the string it receives. Those who favour a belt and braces approach point the finger at both companies.
A precedent has been set by Apple, which took it upon itself to fix a similar issue involving Safari and Firefox.
We feel there's a parallel with antivirus software: you run AV not just to protect against incoming infected files, but also to reduce the risk of sending an infected file to someone else. Similarly, the primary responsibility to check a link (or any other data) must rest with the receiving program, but the sender should be a good citizen and test for any well-known tricks. This is especially true where the sending program didn't generate the data but is merely forwarding it from another source.
Firefox itself is not vulnerable to a direct attack using firefoxurl:// links.
Mozilla has announced that Firefox 2.0.0.5 (scheduled for release on July 19) will check for potentially malicious data, but warns that "Other Windows programs may also be vulnerable to bad data being passed from IE although we are not aware of any at this time."
ITWIRE SERIES - CIO SUMMIT GOLD COAST
For CIOs & Senior IT Management Summit on the Gold Coast!
This event has been personally vetted by the iTWire CEO who has attended four of these conferences in the past and is an event you cannot afford to miss!
We can guarantee that this conference is of great value.
Network with fellow CIOs and IT Mgrs and hear Glenn Archer CIO, Australian Government Information Management Office (AGIMO), Matt Barrie, Award-winning Entrepreneur to provide insights on Navigating Your Entrepreneurial Initiatives in a Hyper-connected New World, Stephen Tame, CIO & Head of Group Information Technology, Jetstar, Tim Thurman, CIO, Australian Securities Exchange (ASX).
Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences, a PhD in Industrial and Business Studies, and is a senior member of the Australian Computer Society.
DAMsmart, Australia’s leading specialist audiovisual digitisation, management and access solution provider has recently completed the commissioning of Thoroughbred…
