TechRepublic : A ZDNet Tech Community

IT News Digest

Host: Sonja Thompson

A few days back there was an immense furor over the zero-day vulnerability that exploited the way IE handles a Firefox URL protocol to execute malicious JavaScript code. The flaw was triggered on a system with Firefox installed and IE used for browsing.

Here’s a description of the flaw from InformationWeek:

If someone using IE visits a Web page that tries to call a Firefox URL, the Microsoft browser will launch Firefox with no other prompting, passing it the URL. Neither browser, according to Mozilla, sanitizes the URL, which would allow an attacker to make Firefox execute malicious JavaScript code. The user would have to visit a maliciously crafted Web page or open a malicious e-mail. User interaction is required.

The flaw needed a certain degree of user interaction (lockergnome) to be activated, and the folks at Mozilla have patched the issue in their 2.0.0.5 browser release. What’s deeply intriguing about the flaw is how it uses the interface between the applications (in this case IE and Mozilla) to launch an attack.

The flaw sparked a lot of sparring between executives of Mozilla and Microsoft (TechWorld), each blaming the other’s API call for the flaw. Software makers can ensure a lot of security around their internal code, but when it comes to APIs they expose to third-party software, the usage is in the hands of the third party and may present vulnerable end points.
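The point that neither side validated the URL handed from one application to the other can be made concrete with a receiving-side check. This is an added example, not code from Mozilla, Microsoft or the original post; the function names, the allowed-scheme policy, the character list and the sample inputs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the receiving program only needs to open ordinary web pages.
ALLOWED_SCHEMES = {"http", "https"}
# Characters that could end a quoted command-line argument or start markup.
FORBIDDEN = set("\"'`<>\\^|")
MAX_LEN = 2048


def reject_reason(raw):
    """Return None if raw is safe to open, else a short reason string."""
    if not raw or len(raw) > MAX_LEN:
        return "empty or too long"
    for ch in raw:
        if ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F:
            return "whitespace or control character"
        if ch in FORBIDDEN:
            return "forbidden character %r" % ch
    try:
        parts = urlsplit(raw)
    except ValueError:
        return "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme %r not allowed" % parts.scheme
    if not parts.hostname:
        return "no host"
    return None


def build_argv(program, raw):
    """Build the launch command as a list so the URL is exactly one argument."""
    reason = reject_reason(raw)
    if reason is not None:
        raise ValueError("refusing to open URL: " + reason)
    return [program, raw]


# Constructed sample inputs, as another application might hand them over.
SAMPLES = [
    "https://example.com/page?q=1",
    'https://example.com/" -flag "x',
    "javascript:alert(1)",
    "https://example.com/\x00",
    "file:///etc/hosts",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", reject_reason(s) or "accepted")
```

The check rejects rather than rewrites suspicious input, so a URL is either passed through unchanged as a single argument or not opened at all.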

Bottom line

Be wary of the software installed on the system that you use. Even unused software APIs can act as potential entry points for malware and trigger an exploit.

I am a technology enthusiast who believes self-improvization is the key to a contented life.


Why would a Firefox user... RealAusTech | 07/23/07
The issue is about validating parameters passed in URL protocol handlers. pr.arun@... | 07/24/07
I've always firmly believed that if a routine is Tony Hopkinson | 07/24/07
I agree. BruceLaBonte | 07/24/07
If you want to browse with IE ... noorman | 07/24/07
I agree and disagree with Bruce. DenisDiderot | 07/24/07
Certainly validation can be expensive Tony Hopkinson | 07/25/07
A Firefox URL? angrykeyboarder | 07/24/07
