The Truth Behind the IE-Firefox Exploit
With news of a cross-browser exploit emerging this
week, security researchers have been debating whether to point the finger at
Microsoft and its Internet Explorer browser or Mozilla and the Firefox browser.
Secunia CTO Thomas Kristensen is now saying that researcher Thor Larholm is
incorrect in his assessment that Firefox is not to blame.
Before the sun set on Microsoft's Patch Tuesday this month,
security firm Secunia discovered a vulnerability in Firefox that malicious
hackers could exploit to compromise a user's system. Here's the catch:
Exploiting the bug depends on interaction between Mozilla's browser and
Microsoft's Internet Explorer.
While security researchers did plenty of finger-pointing earlier in the week
-- with some saying Microsoft is to blame and others holding Mozilla responsible
-- the issue has yet to be resolved.
Secunia said the Firefox flaw should be ranked alongside Microsoft's July
patches in terms of priority. Why the urgency? The Firefox flaw represents an
active zero-day exploit, according to Paul Zimski, senior director of market
strategy for PatchLink, a provider of vulnerability-management solutions. The
good news, he said, is that the risk is limited to those who have Firefox
220.127.116.11 or later installed.
Anatomy of Cross-Browser Bug
The root of the matter is a Firefox uniform resource identifier (URI) that
allows Web sites to force Firefox to launch with the "firefoxurl://" URI,
Secunia reported. The way in which the URI handler is registered by Firefox
causes any parameter to be passed from IE (or another application) to Firefox
when the "firefoxurl://" URI is activated.
Due to the implementation of the "chrome" parameter, it is possible to inject
code that would be executed within Firefox, said Thomas Kristensen, CTO of
same as executing arbitrary code and allows an attacker to take any actions on
the local system with the same privileges as the active user," Kristensen
explained. "Registering a URI handler must be done with care, since Windows does
not have any proper way of knowing what kind of input potentially could be
dangerous for an application."
Improper use of URl handlers and parameters supplied via URls has
historically caused problems for many vendors, including Microsoft, Apple,
Mozilla, certain Linux projects, and Opera. But the blame in this case falls
squarely on the shoulders of Firefox, Kristensen insisted. Mozilla has publicly
announced it is working on a fix.
Read full article at NewsFactor.com