By Chris Mosby

Here’s something I thought I’d never see — installing Firefox actually makes Internet Explorer even more insecure. Depending upon whom you talk to, it’s either IE or Firefox that has the real problem.
Both browsers together cause unique flaw
Security researcher Thor Larholm, as well as researchers at xs-sniper, recently alerted the world to a problem with the way IE handles Universal Resource Identifiers (URIs). The IE problem can be used to force Firefox to be a platform for a “cross-browser scripting attack.” In plain English, this would allow a hacker to run JavaScript applications on a PC with the full rights of the computer’s user.
How is this possible? It’s a point of contention, with some people claiming it’s a flaw with Firefox while others point the finger squarely at IE.
In my opinion, both browsers are at fault here. Installing Firefox registers a URL handler called “FirefoxURL.” However, the installer doesn’t use Dynamic Data Exchange (an old form of Windows internal messaging) to do this, since Windows Vista no longer supports DDE.
Registering the handler properly would have eliminated a type of attack known as command-line argument injection, according to Thor Larholm. Despite Firefox’s registration procedure, IE should in any case be able to safely launch external applications. But by default, it doesn’t, as demonstrated by the fact that Thor found a similar flaw in IE on Windows systems that have Apple’s new Safari for Windows installed (which uses yet another registration method).
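To make the command-line argument injection described above concrete, here is an added example (not from the original article or from either browser's code) of why a launcher must neutralise quotes before substituting a URI into a handler's command line. The handler template, the `example:` scheme, the `-extra-flag` name and the simplified argument splitter are all assumptions made for illustration.

```python
from urllib.parse import quote

# Hypothetical handler command line (assumption, not the real FirefoxURL entry);
# "%1" marks where the launcher substitutes the URI.
TEMPLATE = 'browser.exe -url "%1"'

def split_args(cmdline):
    """Simplified argv split: whitespace separates arguments, double quotes group."""
    args, cur, in_quotes, started = [], "", False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append(cur)
            cur, started = "", False
        else:
            cur, started = cur + ch, True
    if started:
        args.append(cur)
    return args

def launch_naive(uri):
    """Substitute the URI verbatim, as a launcher that trusts its input would."""
    return split_args(TEMPLATE.replace("%1", uri))

def launch_encoded(uri):
    """Percent-encode quotes and whitespace so the URI cannot leave its quoted slot."""
    safe = quote(uri, safe=":/?#[]@!$&'()*+,;=%~-._")
    return split_args(TEMPLATE.replace("%1", safe))

def is_injected(argv):
    """The template defines a fixed argument count; any other count means breakout."""
    return len(argv) != len(split_args(TEMPLATE))

# Constructed sample input: a URI carrying a double quote and an extra option.
SAMPLE_URI = 'example:page" -extra-flag "value'

if __name__ == "__main__":
    for name, fn in (("naive", launch_naive), ("encoded", launch_encoded)):
        argv = fn(SAMPLE_URI)
        print(f"{name:8} injected={is_injected(argv)} argv={argv}")
```

With the constructed URI, the naive substitution yields five arguments instead of three, while the encoded substitution keeps the whole URI inside the single `-url` value.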
