Mozilla Corp. issued a patch yesterday to fix a pair of flaws in its Firefox web browser. One of them is a persistent flaw that plagued both Firefox and Microsoft's Internet Explorer.
It concerns the way the browsers handle malformed URLs that can launch other applications.
Earlier in July, Mozilla had repaired this flaw, saying that the rest of it was up to IE and that the Firefox patch would not work on IE. However, as there appeared to be no fix in Firefox itself, Mozilla was forced to issue another patch.
Firefox 184.108.40.206 also patches another flaw, which could have passed on malicious data from Firefox to other applications. "This reduces the risk of malicious data being passed through Firefox to another application that may then trigger unexpected and potentially dangerous behavior," Mozilla head of security Window Snyder said in a blog post.
The URL handling flaw has been around for three weeks, and Danish researcher Thor Larholm, who spotted it first, blamed IE for the flaw. Initially even Mozilla blamed IE, but it later acknowledged that Firefox was just as guilty. "We thought this was just a problem with IE," Snyder said. "It turns out it is a problem with Firefox as well."
However, if an advisory posted by US-CERT is to be believed, it is neither IE nor Firefox but the Windows OS that is to blame. The advisory said that Windows "fails to properly handle protocols specified in a URI, which could allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system."
The Firefox update can be downloaded from the Mozilla site. Users are advised to keep their browsers updated in order to avoid malicious attacks.
Last Mod: 01 August 2007, 19:18