Mozilla’s popular alternative browser received yet another security update today with the release of 22.214.171.124. The new update addresses two security holes, one of them rated as critical and the other as moderate. The critical “unescaped URIs passed to external programs” flaw allowed single URIs handed off to external programs to be interpreted as multiple arguments:
When running Firefox on Windows XP with IE7 installed, URIs for certain common protocols (such as mailto:) that contain a %00 won't necessarily launch the protocol handler registered for that scheme but will instead launch a file-handling program based on the file extension at the end of the URI. This appears to allow execution of any program installed at a known location and might be enough to exploit a system.
The second issue deals with a privilege escalation vulnerability that could enable add-ons to create "about:blank" windows and populate them in certain ways. Firefox users can download 126.96.36.199 from our download section or use the auto update function within the browser.