Mozilla patches Firefox and IE flaw but no Microsoft fix

Stan Beer
Thursday, 19 July 2007 06:17

Your IT - Home IT

The not profit Mozilla Foundation, which administers the open source Firefox web browser has patched a critical hole that could enable Microsoft's Internet Explorer to infect users' computers with malware by launching a Firefox session from a malicious website. However, Microsoft has yet to issue a fix for the bug which still exposes IE users to malware if they visit a bad website.

According to Mozilla Foundation Security Advisory 2007-23 , "the vulnerability is exposed when a user browses to a malicious web page in Internet Explorer and clicks on a specially crafted link. That link causes Internet Explorer to invoke another Windows program via the command line and then pass that program the URL from the malicious webpage without escaping the quotes. Firefox and Thunderbird are among those which can be launched, and both support a "-chrome" option that could be used to run malware."

In a newly issued Firefox update, version 2.0.0.5, which can be downloaded now, there is a fix that prevents Firefox and Thunderbird from accepting bad data. However, the atch doesn't fix the hole in Internet Explorer, which can still call other Windows applications, which in turn can be manipulated to execute malicious code.

So what's the solution, according to Mozilla? No prizes for guessing: only browse the web with Firefox.

The latest security blowup can only add to Microsoft's woes in the browser space. Recent reports show that the take-up of Internet Explorer 7 has been slow and all versions of the once dominant IE are losing market share to Firefox pretty much everywhere, but especially in Europe where Firefox now has about one third of the market.