ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Prices
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


IT Jobs

Security threats Toolkit

Mozilla fixes another Firefox URI flaw

Robert Vamosi CNET News.com

Published: 01 Aug 2007 11:00 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Mozilla released on Tuesday an update to Firefox 2 that patches the Mozilla side of a flaw shared with Microsoft's Internet Explorer.

The update, Firefox 2.0.0.6, also patches a privilege escalation vulnerability.

Current users of Firefox 2 will receive an update notice. Others can download it from the Mozilla site.

Researcher Jesper Johansson noted that Firefox did not percent-encode spaces and double-quotes in URIs (uniform resource identifiers) handed off to external programs. That means the receiving program could interpret a single URI as multiple arguments. For example, when running Firefox on Windows XP with Internet Explorer 7 installed, URIs for certain common protocols (such as mailto:) that contain a %00 won't necessarily launch the protocol handler registered for that scheme but will instead launch a file-handling program based on the file extension at the end of the URI. This appears to allow execution of any program installed at a known location and might be enough to exploit a system.

Sentry Posts Blog

Sentry Posts Blog
Guarding the network

What you need to know — and what you and your peers have to tell us — about security management in our new community group blog

Read more +

The second issue deals with a vulnerability that could enable privilege escalation attacks. The vulnerability involves add-ons that create "about:blank" windows. An attack could populate them in certain ways, including implicit "about:blank" document creation or use of JavaScript URLs in a new window.

Although the patches released on Tuesday should eliminate the known vulnerabilities, Mozilla also recommends that the following workaround be added to release 2.0.0.6. To make mail-related links always prompt in Firefox before launching external programs, do the following:

  • Enter "about:config" in the location bar.
  • Enter "warn-external" in the filter: box.
  • Double click to set the mailto, news, nntp, and snews lines to "true".

  • Email
  • Trackback
  • Clip Link
  • Print friendly Print with Dell

Did you find this article useful?
5 out of 5 people found this useful


Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats



Company/Topic Alerts

Create a new alert from the list below:





Related Jobs

Java Developer - Reading - 35-40,000

Provide guidance and assistance to colleagues on program design, creation, testing and documentation to support best practice of the team. Create and ...

Graduate Software Test Engineer

Creation of test scripts, from detailed design documentation. Ensuring the quality of the released software products to our customers, based on sound ...

Principle Statistical Programmer World Leading CRO.

ROLE Develop and review SAS programs and output for the management of clinical trial data, the tabulation of data, preparation of patient data ...

Featured Talkback

What was achieved there is recognised to be of fundamental importance to both winning the war (Churchill visited to say 'thank you' to them) and the development of the computer. Maybe Bill Gates doesn't want to support this museum because it underlines where electronic computing started i.e. here, not the U.S.

By: 1000103773

Read full story:
Bletchley Park faces bleak future

Sentry Posts Blog

Skype - The Roach Motel

Here is an interesting article from The National Business Review, pointing out once again that you can never delete a Skype account. Never. Period. This is something I am familiar... More

Post a comment

The vPhone: Why Visa Should Go Mobile

The vPhone: Why Visa Should Go Mobile Author: Eric Everson, Founder MyMobiSafe.com With all of the success of Apple’s iPhone, there is a growing case to support a company like Visa... More

Post a comment

The Google Apple Merger: Fantasy or Fu...

The Google Apple Merger: Fantasy or Future? Author: Eric Everson, Founder MyMobiSafe.com Market research suggests that Microsoft controls upwards of 90% of the respective computer-based... More

1 comment

Featured Oracle Resources

businessfirst: Ideas to help small companies retain their successful entrepreneurial spirit

Oracle ONE Magazine: Technology solutions for midsized businesses February 2008 edition

Choosing a Reliable and Powerful IT Infrastructure at a Price You Can Afford

Database Consolidation: Reducing Cost and Complexity

Ensuring Data Protection for Growing Business

Oracle for medium and emerging businesses: protect, strengthen and enhance your organisation

Oracle partner network solutions catalogue

See All White Papers