FireFox 2.0.0.6: Mozilla fixes the IE security hole that wasn’t

by Bharat Suneja

You’ve probably heard about the FireFox patch that fixed a vulnerability caused by IE? Here’s more.

July 10: Mozilla’s head of Security Strategy Window Snyder writes: “Today security firm Secunia released an advisory on a security issue found (apparently) simultaneously and independently by Greg MacManus and Billy Rios based on a previously reported issue in Safari found by Thor Larholm.

Any Windows application that calls a registered URL protocol without escaping quotes may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. This could result in a critical security vulnerability.”

July 18th: Mozilla claims it has fixed the vulnerability in 2.0.0.5, which wasn’t really it’s own. Window Snyder writes on her blog – “This patch for Firefox prevents Firefox from accepting bad data from Internet Explorer. It does not fix the critical vulnerability in Internet Explorer. Microsoft needs to patch Internet Explorer, but at last check, they were not planning to.”

She adds: “Mozilla recommends using Firefox to browse the web to prevent attackers from taking advantage of this vulnerability in Internet Explorer”.

Turns out 2.0.0.5 didn’t really fix the vulnerability in FireFox!

Microsoft’s Jesper Johansson responds in his blog post titled “Hey, Mozilla: Quotes Are Not Legal in a URL“. Jesper cites RFC 3986, an internet standard that defines how URLs should be formatted.

July 30: Mozilla releases another update – FireFox 2.0.0.6. Here’s more on what’s fixed: “Mozilla Foundation Security Advisory 2007-27“. (You probably see where we’re going with this…. :)

From Window Snyder yesterday (7/30): “We’ve just released Firefox 2.0.0.6 which contains a security patch to mitigate the issue described here. The patch enables percent-encoding for spaces and double-quotes in URIs handed off to external programs. This reduces the risk of malicious data being passed through Firefox to another application that may then trigger unexpected and potentially dangerous behavior.”

After crying out loud “It’s really Microsoft’s fault… “, Mozilla and Snyder didn’t really make as much noise about this new patch.

Disclaimer: Given that this is the second post in a row about FireFox, it should be no surprise that I continue to use FireFox as my preferred browser, in addition to Internet Explorer and (gulp!) Safari!

{ 0 comments… add one now }

Leave a Comment

Previous post:

Next post: