Mozilla patches Web browser flaw

Mozilla has patched a flaw in its popular browser Firefox that could have allowed users' computers to be taken over by visiting Web sites infected with malware -- a popular form of attack in recent times.

The results of a recent study by Google, show that one in 10 Web sites could be potential launch pads for "drive-by-download" malware attacks.

The flaw lay in the way Firefox version 2.0.0.5 handled uniform resource identifiers (URIs), protocols that allow browsers to access software. Firefox failed to properly handle some URIs, a flaw in the Web browser that could have allowed remote malware execution.

Bugzilla@Mozilla posted the bug as "resolved fixed" on Wednesday. A link to the patch is available through the bug post.

Netscape Navigator 9 was also affected by the flaw, said Billy Rios, the security researcher who discovered the flaw.

Rios called for developers to pay more attention to possible URI-handling vulnerabilities in their code, after a spate of browser difficulties involving URIs in Internet Explorer and Firefox.

According to Rios, developers must be aware that applications installing URI handlers on a PC can give an extra attack vector, because an attacker can then embed a link to the application in a Web page.

"Developers who intend to or have already registered URIs for their applications must understand that registering a URI handler exponentially increases the attack surface for that application," said Rios in his blog. "Please review your registered URI-handling mechanisms and audit the functionality called by those URIs."

Tom Espiner reported for ZDNet UK from London