Most Popular
| Top Stories | Commented | Featured |
Weekend Open Forum: Have you upgraded to Windows 7 yet? What is there to like/not? featured
Tech Tip of The Week: Turn Off your Display Using a Windows Shortcut and More featured
Netflix PS3 streaming arrives tomorrow
Dell's ultra-thin Adamo XPS to ship soon for $1,799
Windows 7 crushed Vista in early launch sales
Nvidia Tegra 2 to double performance, arrive next year?
TechSpot RSSInformation Technology
Critical cross-browser flaw in Firefox revealed
Even the mighty Firefox is vulnerable to attack, and we see this today with Secunia's publication of a newly discovered security flaw in the popular browser. Affecting only the 2.0.x branch, this flaw could potentially be exploited by malicious users to compromise a machine. The “Firefox URL” function is one method of exploitation, and a simple posted fix is to disable that particular handler.
This flaw is interesting in that it can be carried across browsers, with bad data from IE resulting in compromise:
The problem is that Firefox registers the "firefoxurl://" URI handler and allows invoking firefox with arbitrary command line arguments. Using e.g. the "-chrome" parameter it is possible to execute arbitrary Javascript in chrome context. This can be exploited to execute arbitrary commands e.g. when a user visits a malicious web site using Microsoft Internet Explorer.
The flaw has been noted elsewhere. We'll likely see an update from Mozilla soon.
This flaw is interesting in that it can be carried across browsers, with bad data from IE resulting in compromise:
The problem is that Firefox registers the "firefoxurl://" URI handler and allows invoking firefox with arbitrary command line arguments. Using e.g. the "-chrome" parameter it is possible to execute arbitrary Javascript in chrome context. This can be exploited to execute arbitrary commands e.g. when a user visits a malicious web site using Microsoft Internet Explorer.
The flaw has been noted elsewhere. We'll likely see an update from Mozilla soon.
Related Stories
