Mozilla patches Firefox URI flaw

A flaw has been patched in Mozilla Firefox that could have allowed users' computers to be compromised by visiting websites infected with malware.

The flaw lay in the way Firefox version 2.0.0.5 handled uniform resource identifiers (URIs), protocols that allow browsers to access software. Firefox failed to properly handle some URIs, a flaw in the web browser that could have allowed remote malware execution.

Bugzilla@Mozilla posted the bug as "resolved fixed" on Wednesday. A link to the patch is available through the bug post.

Netscape Navigator 9 was also affected by the flaw, said Billy Rios, the security researcher who discovered the flaw.

Rios called for developers to pay more attention to possible URI-handling vulnerabilities in their code, after a spate of browser difficulties involving URIs in Internet Explorer and Firefox.

According to Rios, developers must be aware that applications installing URI handlers on a PC can give an extra attack vector, because an attacker can then embed a link to the application in a web page.

"Developers who intend to or have already registered URIs for their applications must understand that registering a URI handler exponentially increases the attack surface for that application," said Rios in his blog. "Please review your registered URI-handling mechanisms and audit the functionality called by those URIs."