Welcome to the new ZDNet! Give feedback or learn more about our updated design here. Or, return to the classic view.

Mozilla patches Firefox; tells users to avoid IE

Mozilla has rolled out Firefox 2.0.0.5 with patches for a total of 9 nine vulnerabilities, including cover for the controversial IE-to-Firefox code execution attack vector.

Mozilla patches Firefox; tells users to avoid IE
Mozilla has rolled out Firefox 2.0.0.5 with patches for a total of 9 nine vulnerabilities, including cover for the controversial IE-to-Firefox code execution attack vector.

Even after plugging the hole, Mozilla inserted a blunt message into its alert:

This patch does not fix the vulnerability in Internet Explorer.

The open-source group is also urging Web surfers to use Firefox to browse the web "to prevent attackers from exploiting this problem in Internet Explorer."

[ SEE: Microsoft should block that IE-to-Firefox attack vector ]

Mozilla's stance that there's a critical flaw in Microsoft's IE that puts Windows users at risk is also shared by Thor Larholm, one of the hackers who found/disclosed the bug.

The latest from Larholm spells out the risk scenario:

I can still automatically launch a wide range of external applications from Internet Explorer and provide them with arbitrary command line arguments. AcroRd32.exe (Adobe Acrobat PDF Reader), aim.exe (AOL Instant Messenger), Outlook.exe, msimn.exe (Outlook Express), netmeeting.exe, HelpCtr.exe (Windows Help Center), mirc.exe, Skype.exe, wab.exe (Windows Address Book) and wmplayer.exe (Windows Media Player) - just to name a few...

I can categorically deny that this flaw has been fixed in Internet Explorer. Nicolas Robillard even detailed this flaw back in 2004 and it has remained unpatched since long before then.

[IMAGES: How to run Internet Explorer securely ]

Mozilla said two of its products -- Firefox and Thunderbird -- are among the Windows apps can be launched via clicking on a malicious link in IE and because they both support a "-chrome" option, the link could be used to launch malware.

Other Windows applications can be called in this way and also manipulated to execute malicious code. This fix only prevents Firefox and Thunderbird from accepting bad data.

[SEE: Ex-Microsoft security strategist weighs in on IE-to-Firefox flaw debate ]

A trio of researchers tracking this issue have published proof-of-concept demos to show how IM clients like Trillian and AOL's AIM can be launched because of the problem with cross-application scripting and URI exploitation.

The researchers used IE in the examples but they are warning that this is much more than an Internet Explorer issue.

Registered URIs are a remote gateway to applications on YOUR system.... This is just the tip of the iceberg, other (MANY OTHER) URIs are vulnerable..... You don't want us to POST them all...Unregister ALL Unnecessary URIs.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All