Mozilla patches URL handling issue
Published: 2007-07-31

The Mozilla Foundation released on Monday a fix for two security issues, patching a problem in the way its Firefox browser processes links that call external programs to handle data.

The issue came to light last week, the end point of a circuitous path of discovery. In early July, three researchers found a way to execute code in Firefox -- and potentially other Windows programs -- by passing the browser a malicious uniform resource identifier (URI) from Internet Explorer. The discovery set off a firestorm of finger pointing: The Mozilla Foundation argued that IE should validate the URI before passing it along to another program, while Microsoft stated that input validation is the responsibility of the receiving program.

Mozilla initially protected the Firefox browser from URIs passed through Internet Explorer. However, a security researcher pointed out last week that Firefox passed malicious URIs in the same way as Internet Explorer. Monday's patch fixed the issue.

"The patch enables percent-encoding for spaces and double-quotes in URIs handed off to external programs," Mozilla's chief security officer Window Snyder said in a post to the Mozilla Security Blog. "This reduces the risk of malicious data being passed through Firefox to another application that may then trigger unexpected and potentially dangerous behavior."
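As an added illustration, not code from the article or from Mozilla, the following Python sketch shows why the percent-encoding Snyder describes matters: a URI substituted into a handler command template such as `handler "%1"` (a hypothetical template, constructed here) should survive argument splitting as exactly one argument, which an unencoded space or double-quote breaks. It uses shlex as an approximation of quoted-argument splitting and a constructed sample URI.

```python
"""Percent-encode the two characters the 2007 Firefox fix targeted before a
URI is handed to an external protocol handler, and check the result."""
import shlex

# Characters the patch described in the article percent-encodes before hand-off.
_ENCODE = {" ": "%20", '"': "%22"}

# Constructed sample: a URI carrying a quote and spaces (not from the article).
SAMPLE_URI = 'mailto:x@example.invalid" -flag "y'

# Hypothetical handler registration template; %1 stands for the URI.
HANDLER_TEMPLATE = 'handler "%1"'


def encode_for_handoff(uri: str) -> str:
    """Return the URI with spaces and double-quotes percent-encoded.
    Other characters are left untouched, mirroring the narrow scope of the fix."""
    return "".join(_ENCODE.get(ch, ch) for ch in uri)


def argv_for_handler(template: str, uri: str) -> list:
    """Substitute the URI into the command template and split it into argv.
    shlex uses POSIX rules, an approximation of quoted-argument parsing."""
    return shlex.split(template.replace("%1", uri))


def is_single_argument(template: str, uri: str) -> bool:
    """Defensive check: program name plus exactly one URI argument, with
    balanced quoting.  Unbalanced quotes raise in shlex and count as failure."""
    try:
        return len(argv_for_handler(template, uri)) == 2
    except ValueError:
        return False


if __name__ == "__main__":
    print("raw     :", argv_for_handler(HANDLER_TEMPLATE, SAMPLE_URI))
    print("encoded :", argv_for_handler(HANDLER_TEMPLATE, encode_for_handoff(SAMPLE_URI)))
    print("raw ok  :", is_single_argument(HANDLER_TEMPLATE, SAMPLE_URI))
    print("enc ok  :", is_single_argument(HANDLER_TEMPLATE, encode_for_handoff(SAMPLE_URI)))
```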

The spat is the latest in the rivalry between Microsoft and the Mozilla Foundation. The organizations have both focused on security in their latest browsers. In Internet Explorer 7, Microsoft added anti-phishing features, the ability to run in protected mode on its latest operating system, Windows Vista, and severely culled problematic ActiveX controls. In Firefox 2.0, the Mozilla Foundation also added anti-phishing features and the ability to clear private data.

Users of Mozilla's Firefox can download the patch via the "Check for Updates..." option in the browser's help menu.

If you have tips or insights on this topic, please contact SecurityFocus.

Posted by: Robert Lemos
