Mozilla patches Firefox; tells users to avoid IE

Summary: Mozilla has rolled out Firefox 2.0.0.5 with patches for a total of nine vulnerabilities, including cover for the controversial IE-to-Firefox code execution attack vector.


Even after plugging the hole, Mozilla inserted a blunt message into its alert:

This patch does not fix the vulnerability in Internet Explorer.

The open-source group is also urging Web surfers to use Firefox to browse the web "to prevent attackers from exploiting this problem in Internet Explorer."


Mozilla's stance that there's a critical flaw in Microsoft's IE that puts Windows users at risk is also shared by Thor Larholm, one of the hackers who found and disclosed the bug.

The latest from Larholm spells out the risk scenario:

I can still automatically launch a wide range of external applications from Internet Explorer and provide them with arbitrary command line arguments. AcroRd32.exe (Adobe Acrobat PDF Reader), aim.exe (AOL Instant Messenger), Outlook.exe, msimn.exe (Outlook Express), netmeeting.exe, HelpCtr.exe (Windows Help Center), mirc.exe, Skype.exe, wab.exe (Windows Address Book) and wmplayer.exe (Windows Media Player) - just to name a few...

I can categorically deny that this flaw has been fixed in Internet Explorer. Nicolas Robillard even detailed this flaw back in 2004 and it has remained unpatched since long before then.


Mozilla said two of its products -- Firefox and Thunderbird -- are among the Windows apps that can be launched by clicking a malicious link in IE, and because both support a "-chrome" option, such a link could be used to launch malware.

Other Windows applications can be called in this way and also manipulated to execute malicious code. This fix only prevents Firefox and Thunderbird from accepting bad data.


A trio of researchers tracking this issue have published proof-of-concept demos to show how IM clients like Trillian and AOL's AIM can be launched because of the problem with cross-application scripting and URI exploitation.

The researchers used IE in the examples but they are warning that this is much more than an Internet Explorer issue.

Registered URIs are a remote gateway to applications on YOUR system.... This is just the tip of the iceberg, other (MANY OTHER) URIs are vulnerable..... You don't want us to POST them all... Unregister ALL Unnecessary URIs.
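As an added example (not from the article, Mozilla, or the researchers quoted above), the script below takes the first step toward that "unregister unnecessary URIs" advice: it parses a `reg export HKEY_CLASSES_ROOT` style dump, lists every registered URI scheme with the executable its open command launches, and records whether the `%1` placeholder is quoted. The sample dump, key names and command lines (including `-requestPending`) are constructed assumptions, not the real products' registrations.

```python
import re

# Constructed sample in `reg export HKEY_CLASSES_ROOT` format (not from the article).
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\FirefoxURL]
"URL Protocol"=""
[HKEY_CLASSES_ROOT\FirefoxURL\shell\open\command]
@="C:\\Program Files\\Mozilla Firefox\\firefox.exe -url \"%1\" -requestPending"
[HKEY_CLASSES_ROOT\aim]
"URL Protocol"=""
[HKEY_CLASSES_ROOT\aim\shell\open\command]
@="C:\\Program Files\\AIM\\aim.exe %1"
'''

KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\([^\]]+)\]$')
VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')
EXE_RE = re.compile(r'^"([^"]+)"|^(\S.*?\.exe)', re.IGNORECASE)

def _unescape(literal: str) -> str:
    """Undo .reg string escaping: drop the outer quotes, then backslash-x becomes x."""
    if literal.startswith('"') and literal.endswith('"'):
        literal = literal[1:-1]
    return re.sub(r'\\(.)', r'\1', literal)

def parse_reg_export(text: str) -> dict:
    """Map each key path under HKCR to its {value name: value} pairs."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = '@' if m.group(1) == '@' else m.group(1).strip('"')
            keys[current][name] = _unescape(m.group(2))
    return keys

def find_url_handlers(text: str) -> list:
    """Registered URI schemes, the program each launches, and whether %1 is quoted."""
    keys = parse_reg_export(text)
    handlers = []
    for path, values in keys.items():
        if '\\' in path or 'URL Protocol' not in values:
            continue  # only top-level keys that declare themselves a URL protocol
        cmd = keys.get(path + r'\shell\open\command', {}).get('@', '')
        m = EXE_RE.match(cmd)
        handlers.append({'scheme': path, 'command': cmd, 'quoted_placeholder': '"%1"' in cmd,
                         'executable': (m.group(1) or m.group(2)) if m else ''})
    return sorted(handlers, key=lambda h: h['scheme'].lower())
```

The quoting flag is for review only: as the article notes, quoting `%1` in the handler is no defence when the calling browser passes the URL through with arbitrary arguments unescaped, so the useful output is the list of schemes a machine does not need.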


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
