Mozilla patches Firefox; tells users to avoid IE
Even after plugging the hole, Mozilla inserted a blunt message into its alert:
This patch does not fix the vulnerability in Internet Explorer.
The open-source group is also urging Web surfers to use Firefox to browse the web "to prevent attackers from exploiting this problem in Internet Explorer."
[ SEE: Microsoft should block that IE-to-Firefox attack vector ]
Mozilla's stance that there's a critical flaw in Microsoft's IE that puts Windows users at risk is also shared by Thor Larholm, one of the hackers who found/disclosed the bug.
The latest from Larholm spells out the risk scenario:
I can still automatically launch a wide range of external applications from Internet Explorer and provide them with arbitrary command line arguments. AcroRd32.exe (Adobe Acrobat PDF Reader), aim.exe (AOL Instant Messenger), Outlook.exe, msimn.exe (Outlook Express), netmeeting.exe, HelpCtr.exe (Windows Help Center), mirc.exe, Skype.exe, wab.exe (Windows Address Book) and wmplayer.exe (Windows Media Player) - just to name a few...
I can categorically deny that this flaw has been fixed in Internet Explorer. Nicolas Robillard even detailed this flaw back in 2004 and it has remained unpatched since long before then.
[IMAGES: How to run Internet Explorer securely ]
Mozilla said two of its products -- Firefox and Thunderbird -- are among the Windows apps can be launched via clicking on a malicious link in IE and because they both support a "-chrome" option, the link could be used to launch malware.
Other Windows applications can be called in this way and also manipulated to execute malicious code. This fix only prevents Firefox and Thunderbird from accepting bad data.
[SEE: Ex-Microsoft security strategist weighs in on IE-to-Firefox flaw debate ]
A trio of researchers tracking this issue have published proof-of-concept demos to show how IM clients like Trillian and AOL's AIM can be launched because of the problem with cross-application scripting and URI exploitation.
The researchers used IE in the examples but they are warning that this is much more than an Internet Explorer issue.
Registered URIs are a remote gateway to applications on YOUR system.... This is just the tip of the iceberg, other (MANY OTHER) URIs are vulnerable..... You don't want us to POST them all...Unregister ALL Unnecessary URIs.