Critical cross-browser flaw in Firefox revealed
Even the mighty Firefox is vulnerable to attack, as Secunia's publication today of a newly discovered security flaw in the popular browser shows. The flaw affects only the 2.0.x branch and could potentially be exploited by malicious users to compromise a machine. The “Firefox URL” handler is one method of exploitation, and a simple posted fix is to disable that particular handler.
This flaw is interesting in that it can be carried across browsers, with bad data from IE resulting in compromise:
The problem is that Firefox registers the "firefoxurl://" URI handler and allows invoking firefox with arbitrary command line arguments. Using e.g. the "-chrome" parameter it is possible to execute arbitrary Javascript in chrome context. This can be exploited to execute arbitrary commands e.g. when a user visits a malicious web site using Microsoft Internet Explorer.
The flaw has been noted elsewhere. We'll likely see an update from Mozilla soon.
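The failure mode in the advisory, a URL handed to a protocol handler ending up as extra command-line arguments, can be tested for mechanically. The sketch below is an added example, not code from Secunia, Mozilla or this article; the handler command template, the simplified quote-splitting rules, the assumption that the URL is substituted unescaped into the `%1` slot, and the sample URLs with their placeholder flag are all constructed for illustration.

```python
from urllib.parse import quote

# Assumed, simplified handler command (not from the article); %1 is the slot
# where the invoking application substitutes the URL it was given.
HANDLER_TEMPLATE = 'firefox.exe -url "%1" -requestPending'

def split_args(cmdline):
    """Split on whitespace outside double quotes (simplified quoting rules)."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def expand(url, template=HANDLER_TEMPLATE):
    """Argument vector the handler process would receive for this URL."""
    return split_args(template.replace("%1", url))

def injects_arguments(url, template=HANDLER_TEMPLATE):
    """True if the URL alters anything other than its own argument slot."""
    baseline, actual = expand("x", template), expand(url, template)
    if len(actual) != len(baseline):
        return True
    slot = baseline.index("x")
    return any(a != b for i, (a, b) in enumerate(zip(actual, baseline)) if i != slot)

def sanitize(url):
    """Percent-encode characters (quote, space, ...) that could end the slot."""
    return quote(url, safe=":/?#[]@!$&'()*+,;=%")

# Constructed sample inputs; the flag name is a placeholder.
BENIGN = "firefoxurl://example.test/page"
CRAFTED = 'firefoxurl://x" -placeholder-flag "y'

if __name__ == "__main__":
    for url in (BENIGN, CRAFTED, sanitize(CRAFTED)):
        print(injects_arguments(url), expand(url))
```

The same check applies to any registered handler whose command line embeds the URL: the caller must encode the URL before substitution, and the handler must not treat anything in that slot as an option.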



