Mozilla patches Firefox; tells users to avoid IE

Summary: Mozilla has rolled out Firefox 2.0.0.5 with patches for a total of nine vulnerabilities, including cover for the controversial IE-to-Firefox code execution attack vector.


Even after plugging the hole, Mozilla inserted a blunt message into its alert:

This patch does not fix the vulnerability in Internet Explorer.

The open-source group is also urging Web surfers to use Firefox to browse the web "to prevent attackers from exploiting this problem in Internet Explorer."

[ SEE: Microsoft should block that IE-to-Firefox attack vector ]

Mozilla's stance that there's a critical flaw in Microsoft's IE that puts Windows users at risk is also shared by Thor Larholm, one of the hackers who found and disclosed the bug.

The latest from Larholm spells out the risk scenario:

I can still automatically launch a wide range of external applications from Internet Explorer and provide them with arbitrary command line arguments. AcroRd32.exe (Adobe Acrobat PDF Reader), aim.exe (AOL Instant Messenger), Outlook.exe, msimn.exe (Outlook Express), netmeeting.exe, HelpCtr.exe (Windows Help Center), mirc.exe, Skype.exe, wab.exe (Windows Address Book) and wmplayer.exe (Windows Media Player) - just to name a few...

I can categorically deny that this flaw has been fixed in Internet Explorer. Nicolas Robillard even detailed this flaw back in 2004 and it has remained unpatched since long before then.

[IMAGES: How to run Internet Explorer securely ]

Mozilla said two of its products -- Firefox and Thunderbird -- are among the Windows apps that can be launched by clicking on a malicious link in IE, and because they both support a "-chrome" option, the link could be used to launch malware.

Other Windows applications can be called in this way and also manipulated to execute malicious code. This fix only prevents Firefox and Thunderbird from accepting bad data.

[SEE: Ex-Microsoft security strategist weighs in on IE-to-Firefox flaw debate ]

A trio of researchers tracking this issue have published proof-of-concept demos to show how IM clients like Trillian and AOL's AIM can be launched because of the problem with cross-application scripting and URI exploitation.

The researchers used IE in the examples but they are warning that this is much more than an Internet Explorer issue.

Registered URIs are a remote gateway to applications on YOUR system.... This is just the tip of the iceberg, other (MANY OTHER) URIs are vulnerable..... You don't want us to POST them all...Unregister ALL Unnecessary URIs.
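The registered-handler mechanism described above (a scheme key in the registry that hands a clicked link to an executable, with whatever arguments the browser passes along) is something a defender can audit. The PowerShell below is an added example, not code from the article, Mozilla or the researchers; it assumes the standard Windows layout of an empty "URL Protocol" value on the scheme key plus a shell\open\command subkey holding the command line:

```powershell
# Added example: enumerate URI schemes registered in HKEY_CLASSES_ROOT and show
# which executable each one hands a clicked link to, so that unnecessary
# handlers can be reviewed and unregistered. A scheme is registered when its
# key carries an empty "URL Protocol" value and a shell\open\command subkey
# whose default value is the command line (assumed standard Windows layout).

function Get-RegisteredUriHandler {
    [CmdletBinding()]
    param(
        # Hive to scan; HKCR is the merged view of HKLM and HKCU class registrations.
        [string]$Root = 'Registry::HKEY_CLASSES_ROOT'
    )

    foreach ($key in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        # Only keys carrying the "URL Protocol" marker value are URI schemes.
        $marker = Get-ItemProperty -Path $key.PSPath -Name 'URL Protocol' -ErrorAction SilentlyContinue
        if ($null -eq $marker) { continue }

        $cmdKey  = "$($key.PSPath)\shell\open\command"
        $command = $null
        if (Test-Path -Path $cmdKey) {
            $command = (Get-ItemProperty -Path $cmdKey).'(default)'
        }

        # Flag command lines that splice the link in without quotes: an unquoted
        # %1 lets characters in the link become separate arguments. Quoting alone
        # is not a full defence; the launched program still has to validate what
        # it is handed, which is what the Firefox/Thunderbird fix does.
        $unquoted = $false
        if ($command -and $command -match '%1' -and $command -notmatch '"%1"') {
            $unquoted = $true
        }

        [PSCustomObject]@{
            Scheme      = $key.PSChildName
            Command     = $command
            UnquotedArg = $unquoted
        }
    }
}

# Usage: list every registered scheme, then only those whose %1 is unquoted.
$handlers = Get-RegisteredUriHandler
$handlers | Sort-Object Scheme | Format-Table -AutoSize
$handlers | Where-Object UnquotedArg | Format-Table Scheme, Command -AutoSize
```

Any scheme in the output that no installed application needs can be removed by deleting its key; keep the list for comparison after software installs, since new handlers appear silently.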


Talkback

87 comments
  • ROTFLMAO !!! What a barrel of laughs ,,,

    So Microsoft is too lazy to fix their problem . Sure it's Apple's Safari , no it's Mozilla's Firefox . Sure blame everyone , it's never Microsoft's fault . Folks what do you expect from spaghetti/swiss cheese code . Microsoft has a good track record when it comes to serious flaws , and just recently bones were discovered in Microsoft's closet . Oh the poor Microsoft Lemmings , when will you learn not to trust the Goliath (Microsoft).

    Update: Mozilla has fixed the issue but Internet Explorer is still causing problems with other applications . Now where are the shills today to say that everyone should have to fix their applications because Microsoft SAYS , Internet Explorer is not a problem .
    Intellihence
    • This time I actually agree with you

      MS should issue you a patch that prevents the use of application specific registered URIs full stop.

      That way there is no way a third party can fail to handle a badly formed URI request.

      If the functionality doesn't exist then third parties can implement it poorly.
      nmh
      • Then Mozilla would be suing Microsoft for blocking URIs

        Then Mozilla would be suing Microsoft for blocking URIs and preventing Mozilla from implementing flaws.
        georgeou
        • Could Microsoft sue itself for blocking its own URI's ?

          This also affects many Microsoft products

          http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9027289&intsrc=hm_list


          "However, I can still automatically launch a wide range of external applications from Internet Explorer and provide them with arbitrary command line arguments, [including] AcroRd32.exe (Adobe Acrobat PDF Reader), aim.exe (AOL Instant Messenger), Outlook.exe, msimn.exe (Outlook Express), netmeeting.exe, HelpCtr.exe (Windows Help Center), mirc.exe, Skype.exe, wab.exe (Windows Address Book) and wmplayer.exe (Windows Media Player), just to name a few," Larholm wrote.
          The_Nutty_Zealot
          • NO

            NO, but only if these products will have a flaw, like Mozilla's flaw.
            qmlscycrajg
    • Obviously you ("the child") do not code....

      You obviously do not write code or you would know otherwise. Such a silly comment... you never learn. I think every Mac user out there should just cringe when they see you comment.
      fr0thy2.
  • I can hear the cry of a million web developers:

    "and so say all of us!"
    odubtaig
    • Microsoft >>>SHOULD<<< fix their issue .

      If the million or so web developers are crying , let them cry on Microsoft's shoulders .
      Intellihence
      • Message has been deleted.

        SO.CAL Guy
        • Message has been deleted.

          Intellihence
          • No, So.Cal was right with the 'apple troll' description <NT>

            ...
            Scrat
          • Message has been deleted.

            Intellihence
          • He's just child...look at his comments...he knows nothing.

            (nt)
            fr0thy2.
          • He's just child...look at his comments

            Can't see them they were remove, maybe got his silly butt blocked from posting. So much for freedom of speach!
            aussieblnd
          • Instead of misunderstanding "freedom of speech"...

            ...why not try exercising freedom of thought first. This site is privately owned, there is no such thing as freedom of speech on someone else's forum, you post at the owners discretion, read the rules that you agreed to when you signed up.

            And, it is speech not speach, removed not remove.
            Mike Hunt
      • Not quite what I meant.

        Web developers the world over would love to see the back of Explorer for the simple reason that it's a colossal pain to develop for. I'm currently knocking together a personal website and I have one stylesheet for Opera, Safari, Firefox and Konqueror which just works, another stylesheet for IE7 in 'compliant' mode (because 100% doesn't mean 100% unless you give IE extra special commands) and another one for IE6 which is just about functional but still looks like it's been attacked by a cadre of rabid monkeys.

        Maybe it's because I can't afford the shiny delights of Dreamweaver and I'm coding it all by hand, but not many web developers I've spoken to have exactly been endeared with IE's more 'charming' quirks.
        odubtaig
        • I feel for you dude .

          Internet Explorer has not been compliant with the W3C for years . Microsoft actually believes it is running the WWW. Talk about being in denial .
          Intellihence
          • IE Only

            Years ago, many commercial software companies and web developers - myself included - gave up on all but IE because IE was the ONLY browser that would consistently render their code properly and predictably. This is still the case today. I have a web site that looks just great in IE, but Firefox mutilates it in spite of numerous attempts to "fix" it for Firefox. There are known bugs in Firefox that are years old and nobody has fixed them. So, once again, I threw in the towel and decided anyone not running IE deserved what they got. ALL software has flaws, and more and more as every pimply faced kid is allowed to contribute to the steamy, heaping pile. Coding for anything other than IE simply is not worth the effort.
            Techknowledgie
          • "The Child" will not listen unless you bash MS...

            (NT)
            fr0thy2.
          • silly sheep

            what, can't handle open source
            HapGail_HomeInMd9