The bitterness between FF and IE doesn't end at personal preference, and lately has been seen in the realm of personal security. Last week, we saw the discovery and quick fix of a flaw that required FF and IE be installed in conjunction to be able to exploit.
Now, there is another discovered exploit
along these same lines. The issue, which lies within Firefox, requires that the system in question (Windows based, of course) have Internet Explorer 7 installed. Given that any updated Windows XP machine and all Vista machines are equipped with IE7, that could be quite a lot. This is an extension of other flaws we've heard about, revolving around insecure parsing of URI links:
A new demo has been published, illustrating how the latest version of Firefox running under Windows XP SP2 can be made to start an application using crafted links. Clicking on a manipulated mailto:, nntp:, snews: or news: link opens the command line and the Windows calculator. In principle, any command can be executed and code can be injected and executed via a website in this way.
As more people begin to look at this, they find the issue is more widespread than initially expected. While the scope of these flaws seems to be limited to Windows-based machines, they are still serious. The Mozilla developers are very well aware of the issue, and there is a bugzilla entry
. Likely we'll see another release of Firefox soon, even if the fault isn't entirely theirs.