The Truth Behind the IE-Firefox Exploit

With news of a cross-browser exploit emerging this week, security researchers have been debating whether to point the finger at Microsoft and its Internet Explorer browser or Mozilla and the Firefox browser. Secunia CTO Thomas Kristensen is now saying that researcher Thor Larholm is incorrect in his assessment that Firefox is not to blame.
Before the sun set on Microsoft's Patch Tuesday this month, security firm Secunia discovered a vulnerability in Firefox that malicious hackers could exploit to compromise a user's system. Here's the catch: Exploiting the bug depends on interaction between Mozilla's browser and Microsoft's Internet Explorer.
While security researchers did plenty of finger-pointing earlier in the week -- with some saying Microsoft is to blame and others holding Mozilla responsible -- the issue has yet to be resolved.
Secunia said the Firefox flaw should be ranked alongside Microsoft's July patches in terms of priority. Why the urgency? The Firefox flaw represents an active zero-day exploit, according to Paul Zimski, senior director of market strategy for PatchLink, a provider of vulnerability-management solutions. The good news, he said, is that the risk is limited to those who have Firefox 18.104.22.168 or later installed.
Anatomy of Cross-Browser Bug
The root of the matter is a Firefox uniform resource identifier (URI) that allows Web sites to force Firefox to launch with the "firefoxurl://" URI, Secunia reported. The way in which the URI handler is registered by Firefox causes any parameter to be passed from IE (or another application) to Firefox when the "firefoxurl://" URI is activated.
Due to the implementation of the "chrome" parameter, it is possible to inject code that would be executed within Firefox, said Thomas Kristensen, CTO of Secunia.
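The handoff the article describes, a URI substituted verbatim into a handler's command-line template, is the general pattern behind this class of bug. As an added illustration (not Secunia's, Mozilla's or Microsoft's code), the Python below models it: the handler template, the use of shlex as a stand-in for the real Windows command-line parser, the sample URIs and the `-extra-parameter` flag name are all constructed. It shows how a double quote inside a URI ends the quoted argument early and lets further tokens through, and the defensive counterpart: validate the URI before handoff and pass it as a single argv element rather than through a string template.

```python
"""Model of argument injection through a URI handler template, beside a
hardened handoff.  Added example; nothing here is the real handler."""
import shlex
import subprocess
from typing import List

# Constructed stand-in for a registry-style handler template.  The placeholder
# %1 is replaced by the raw URI text, so the URI's own characters become part
# of the command line before that line is tokenized.
HANDLER_TEMPLATE = 'firefox.exe -url "%1" -requestPending'


def tokens_for_template(uri: str) -> List[str]:
    """Substitute the URI into the template and tokenize the result.

    shlex.split only models how a parser splits on whitespace and quotes; it is
    not Windows' CommandLineToArgvW.  It reproduces the relevant effect: a
    double quote inside the URI closes the quoted argument, and whatever follows
    becomes additional, attacker-controlled parameters.
    """
    return shlex.split(HANDLER_TEMPLATE.replace("%1", uri))


def validate_uri(uri: str) -> str:
    """Return the URI unchanged if it is safe to hand off, else raise ValueError.

    The check is deliberately conservative: only the scheme the handler was
    registered for, and no quotes, whitespace or control characters, since any
    of those can alter how the receiving program's command line is parsed.
    """
    if not uri.lower().startswith("firefoxurl://"):
        raise ValueError("unexpected scheme")
    if any(ch in '"\'' for ch in uri):
        raise ValueError("quote characters are not allowed in a handed-off URI")
    if any(ch.isspace() or ord(ch) < 0x20 for ch in uri):
        raise ValueError("whitespace or control characters in handed-off URI")
    return uri


def build_argv(uri: str) -> List[str]:
    """Build the argument vector with the validated URI as exactly one element."""
    return ["firefox.exe", "-url", validate_uri(uri), "-requestPending"]


def launch(uri: str) -> None:
    # A list plus shell=False passes each element as one argument; the URI is
    # never re-tokenized, so a quote in it cannot create extra parameters.
    subprocess.run(build_argv(uri), shell=False, check=False)


if __name__ == "__main__":
    benign = "firefoxurl://example.test/page"            # constructed
    crafted = 'firefoxurl://example.test/" -extra-parameter "x'  # constructed
    print("template, benign :", tokens_for_template(benign))
    print("template, crafted:", tokens_for_template(crafted))
    print("argv, benign     :", build_argv(benign))
    try:
        build_argv(crafted)
    except ValueError as exc:
        print("argv, crafted    : rejected ->", exc)
```

Running it shows the benign URI producing four tokens through the template and the crafted one producing six, while the hardened path accepts the first and rejects the second before any process is started. The same two controls apply to any application that registers a URI scheme: never splice untrusted text into a command string, and reject input that the receiving parser could reinterpret.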
Improper use of URI handlers and parameters supplied via URIs has historically caused problems for many vendors, including Microsoft, Apple, Mozilla, certain Linux projects, and Opera. But the blame in this case falls squarely on the shoulders of Firefox, Kristensen insisted. Mozilla has publicly announced it is working on a fix.