Tech News

Mozilla patches Firefox vulnerability for a second time

By Steve Ragan Aug 1, 2007, 19:46 GMT

The vulnerability that was patched in Firefox 2.0.0.5 was never completely fixed, and as reported late last week, Mozilla was working to resolve the issue. On Monday, Mozilla did just that and released Firefox version 2.0.0.6, which fixes the issue with URI handling.

The problem started when researcher Thor Larholm released code that demonstrated the potential for exploitation in the way that Internet Explorer and Firefox interact. The problem lies in Uniform Resource Identifier (URI) handling which in Firefox can be used to launch programs other than what is expected as demonstrated with the proof-of-concept code released late last month. Microsoft and Mozilla pointed fingers and blamed the other for the problem, but once version 2.0.0.5 was released and the issue remained, it fell to Mozilla to clean up the mess. 

“We’ve just released Firefox 2.0.0.6 which contains a security patch to mitigate the [URI issue]. The patch enables percent-encoding for spaces and double-quotes in URIs handed off to external programs. This reduces the risk of malicious data being passed through Firefox to another application that may then trigger unexpected and potentially dangerous behavior,” read the Mozilla security blog on Monday. 

Billy Rios and Nathan McFeters released the PoC code, last month, which allows specially crafted URI’s to load calc.exe and a batch file on systems with Windows XP SP2 and Internet Explorer 7. Other tested variables of the environment, such as fully patched Windows XP systems with Internet Explorer 6 were not vulnerable. Their PoC code proved that while the first patch corrected the issue Larholm discovered, it did not correct the root cause and instead merely circumvented the issues Larholm raised.

Version 2.0.0.6 corrected another security issue that revolves around privilege escalation through chrome-loaded “about:blank” windows. While rated less critical compared to the URI issue, Mozilla advises users to update immediately. The patch was pushed via the automatic update feature in Firefox and is available online now for downloading.



Further Reading on M&C

COMMENT

comments powered by Disqus

Latest Headlines on M&C

Follow Us

Follow M&C on Pinterest

Search

Custom Search

More

Latest on M&C

.