Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
    Digg this story   Add to del.icio.us  
Mozilla confirms own URL handling bug
Published: 2007-07-24

The Mozilla Foundation acknowledged over the weekend that its own Firefox browser allows links that can send malicious code to external programs, a security issue that the group had previously argued should be fixed by the browser maker.

In early July, three researchers found a way to execute code in Firefox -- and potentially other Windows programs -- by passing it a malicious uniform resource identifier (URI) from Internet Explorer. The discovery lit off a firestorm of finger pointing: The Mozilla Foundation argued that IE should validate the URI before passing it along to another program, while Microsoft stated that input validation is the responsibility of the receiving program.

Over the weekend, another researcher discovered that Mozilla Firefox has the same security issue. The Mozilla Foundation acknowledged the problem on Monday.

"We thought this was just a problem with IE," Mozilla's chief security officer Window Snyder said in a blog post. "It turns out, it is a problem with Firefox as well."

In the latest versions of their products, Microsoft and the Mozilla Foundation have focused on security. In Internet Explorer 7, Microsoft added anti-phishing features, the ability to run in protected mode on its latest operating system, Windows Vista, and severely culled problematic ActiveX controls. In Firefox 2.0, the Mozilla Foundation also added anti-phishing features and the ability to clear private data.

Mozilla is now looking into the issue to determine its response to the problem.

A nod to ZDNet's Zero Day blog.

If you have tips or insights on this topic, please contact SecurityFocus.



Posted by: Robert Lemos
    Digg this story   Add to del.icio.us  
 
Comments Mode:







 

Privacy Statement
Copyright 2009, SecurityFocus