Pakistan's Leading Education Website & Teacher's Provider

The Truth Behind the IE-Firefox Exploit

With news of a cross-browser exploit emerging this week, security researchers have been debating whether to point the finger at Microsoft and its Internet Explorer browser or Mozilla and the Firefox browser. Secunia CTO Thomas Kristensen is now saying that researcher Thor Larholm is incorrect in his assessment that Firefox is not to blame.

Before the sun set on Microsoft's Patch Tuesday this month, security firm Secunia discovered a vulnerability in Firefox that malicious hackers could exploit to compromise a user's system. Here's the catch: Exploiting the bug depends on interaction between Mozilla's browser and Microsoft's Internet Explorer.

While security researchers did plenty of finger-pointing earlier in the week -- with some saying Microsoft is to blame and others holding Mozilla responsible -- the issue has yet to be resolved.

Secunia said the Firefox flaw should be ranked alongside Microsoft's July patches in terms of priority. Why the urgency? The Firefox flaw represents an active zero-day exploit, according to Paul Zimski, senior director of market strategy for PatchLink, a provider of vulnerability-management solutions. The good news, he said, is that the risk is limited to those who have Firefox 2.0.0.2 or later installed.

Anatomy of Cross-Browser Bug

The root of the matter is a Firefox uniform resource identifier (URI) handler that allows Web sites to force Firefox to launch through the "firefoxurl://" URI, Secunia reported. Because of the way Firefox registers the handler, any parameter is passed from IE (or another application) to Firefox when the "firefoxurl://" URI is activated.

Due to the implementation of the "chrome" parameter, it is possible to inject code that would be executed within Firefox, said Thomas Kristensen, CTO of Secunia.

"Running JavaScript in 'chrome' context within Firefox is essentially the same as executing arbitrary code and allows an attacker to take any actions on the local system with the same privileges as the active user," Kristensen explained. "Registering a URI handler must be done with care, since Windows does not have any proper way of knowing what kind of input potentially could be dangerous for an application."
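An added example (not from the article, Secunia or Mozilla) of why a handler registration needs the care Kristensen describes, with a caller-side check that keeps URI content from becoming extra arguments. The scheme `exampleurl://`, the handler path and the flags are hypothetical, and `shlex` only approximates Windows argument splitting.

```python
import shlex
from urllib.parse import quote

# Constructed handler command templates in the form Windows stores for a
# registered URL protocol; "%1" is replaced with the URI handed over by the
# calling application. Scheme, path and flags are hypothetical.
QUOTED = '"C:/Apps/example-browser.exe" --open "%1"'
UNQUOTED = '"C:/Apps/example-browser.exe" --open %1'
# Constructed URI whose embedded quote closes the "%1" argument early.
SAMPLE = 'exampleurl://a" --hypothetical-flag "value'


def argv_for(template, uri):
    """Substitute the URI into the template and split it into arguments."""
    return shlex.split(template.replace("%1", uri))  # approximation (assumption)


def extra_args(template, uri):
    """Return arguments the URI adds beyond the single slot it should fill."""
    expected = len(argv_for(template, "exampleurl://x"))
    try:
        return argv_for(template, uri)[expected:]
    except ValueError:  # unbalanced quote: the command line is malformed
        return ["<unparseable command line>"]


def audit_template(template):
    """Flag handler registrations that let URI content become arguments."""
    findings = []
    if '"%1"' not in template:
        findings.append("%1 is unquoted: whitespace in the URI splits arguments")
    findings.append("caller must encode quotes: a raw quote ends the %1 argument")
    return findings


def encode_for_handler(uri):
    """Caller-side mitigation: percent-encode quotes and whitespace."""
    return quote(uri, safe="/:?&=#%")


if __name__ == "__main__":
    print("audit   :", audit_template(QUOTED))
    print("raw     :", extra_args(QUOTED, SAMPLE))
    print("encoded :", extra_args(QUOTED, encode_for_handler(SAMPLE)))
```

The receiving application should still treat the URI as untrusted input, since it cannot rely on every caller to encode it.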

Improper use of URI handlers and parameters supplied via URIs has historically caused problems for many vendors, including Microsoft, Apple, Mozilla, certain Linux projects, and Opera. But the blame in this case falls squarely on the shoulders of Firefox, Kristensen insisted. Mozilla has publicly announced it is working on a fix.

Read full article at NewsFactor.com

Tech News: Updated: February 2008