By Chris Mosby

In my July 12 column, I discussed a flaw in IE that was exposed by installing Firefox. Now the tables have turned and the opposite is true with the latest releases of Firefox and IE 7.
URI flaw has new exploit method
I discussed on July 12 a problem with the way that Firefox registers certain URI handlers with the operating system. If exploited, these handlers could call IE to launch Firefox, using JavaScript-based attacks that can compromise a user’s system.
This flaw was fixed in a new version of Firefox known as 2.0.0.5. The exploit, however, is reportedly still possible with other browsers, such as Safari for Windows, according to security researcher Thor Larholm.
Since then, the Web has seen a constant flow of arguments over who was at fault for this flaw. “Mozilla,” says former Microsoft security strategist Jesper Johansson; “Microsoft,” says Mozilla developer Window Snyder.
The most recent flaw is very similar to the previous one, except this time the presence of IE 7 on a system that also has the latest version of Firefox allows Firefox to be exploited. Also, instead of an infected URL being passed from IE to Firefox, this exploit works entirely within Firefox itself.
A Windows flaw makes Firefox vulnerable
The new flaw is caused by an input validation error that’s introduced by the installation of IE 7. It involves the browser’s handling of URI handlers such as "mailto," "news," and "nntp."
