RealTime IT News

Flaw Still Shadows Firefox

Sometimes it takes more than one or even two kicks at the can to fix a security issue even when the source code is open.

Such is apparently the case with a vulnerability in the Mozilla Firefox uniform resource identifier (URI) handler, which enables Firefox to call on other Web resources.

Security researchers Billy (BK) Rios and Nate McFeters have alleged that they have discovered a way to exploit a common handler with a single unexpected URI.

The researchers claim they have notified Mozilla about the continued existence of the issue and are not revealing full details of a proof-of-concept exploit that demonstrates the vulnerability.

It is unclear when Mozilla will issue a fix, though it is working on the issue.

"We are aware of this recently identified potential issue and are vigorously investigating it," Window Snyder, chief security officer at Mozilla, wrote in a statement sent to internetnews.com.

This is the same basic issue that Mozilla has tried to fix at least twice already.

The first reports of the flaw surfaced around July 10. Mozilla moved quickly and by July 18 had issued Firefox 2.0.0.5, which included a fix for the issue.

At the time, Mozilla claimed to have fixed the flaw but said that it could still be an issue because of Microsoft Internet Explorer, which had not been patched for the same basic issue.

A week later, Mozilla admitted that it was still vulnerable. That admission was followed by yet another fix -- this time in the form of Firefox 2.0.0.6, which was released on July 31.

Rios alleged on his site that although the conditions that allowed for remote command execution in Firefox 2.0.0.5 have been addressed, the underlying file-type handling issues, which are truly the heart of the issue, have not been addressed.