Security threats Toolkit

Security flaw found in Mozilla browser

Robert Lemos and John Borland CNET News.com

Published: 09 Jul 2004 08:40 BST

Developers at the open-source Mozilla Foundation have confirmed that the latest version of their Web browsers have a security flaw that could allows attackers to run existing programs on the Windows XP operating system.

The flaw, known as the "shell" exploit, was publicised on Wednesday on a security mailing list, along with a link to a fix for the problem. Updated versions of the affected software programs, which include the Mozilla, Firefox and Thunderbird browsers, have been released.

Developers said the flaw affected only Windows users, not computers running either the Macintosh or Linux operating systems. Like recent Internet Explorer vulnerabilities, this flaw only allows the attacker the ability to run an existing program and requires that security problems in other applications be exploited to gain further access.

The flaw can be used to pass a file extension to the operating system. Windows XP will then run the helper application corresponding to that file extension. The main threat comes from the ability of an attacker to pass parameters to exploit vulnerabilities in a specific helper application, which could give an outsider access to the system. A shell problem could also cause the computer to freeze.

The news comes as Microsoft has been dealing with a string of security flaws found in its Internet Explorer browser during the past several weeks. Some researchers had begun recommending that people worried about online security stop using the IE browser altogether.

Microsoft recommends that Web surfers using Internet Explorer keep abreast of the latest security warnings, and go to the company's Protect Your PC site.

Mozilla developers said that future versions of the Firefox Web browser would have automatic update notifications that would make it easier to notify users about security fixes.