Security researchers are alleging that the latest version of Mozilla Firefox 2.0.0.4 is at risk from a flaw that could allow a hacker to execute arbitrary commands and take control of a user’s computer.
At least one security researcher is claiming that the flaw occurs when the user has Microsoft’s Internet Explorer installed on the same machine.
Whatever the case may be, Mozilla is currently working on a fix.
“We are aware of this issue and we are developing a fix,” Window Snyder, Mozilla’s chief security officer, told internetnews.com. “Mozilla is committed to delivering the safest online experience for its users.”
Snyder did not say how soon a fix for the flaw, which security vendor Secunia rated “highly critical,” will be released.
The flaw involves the “firefoxurl://” uniform resource identifier (URI) handler, which enables Firefox to call on other Web resources. Independent security researchers alleged that the URI is open to malicious code injection that would leave users at risk.
Billy (BK) Rios, Nate McFeters and Raghav “the Pope” Dube explained in their advisory that when Firefox 2 is installed, it registers the “firefoxurl” URI in the Windows registry.
“This allows applications which render HTML (like Internet Explorer) to spawn an instance of Firefox,” the advisory states.
“The danger arises when parameters that are part of the firefoxurl: are passed directly to the Firefox.exe as options without validation. By using the firefoxurl URI, it is possible to use Internet Explorer (or other Windows-based browsers) to launch FireFox and immediately launch JavaScript Code.”
Independent security researcher Thor Larholm said that the flaw is an Internet Explorer issue.
“Firefox is the current attack vector but Internet Explorer is to blame for not escaping " (quote) characters when passing on the input to the command line,” Larholm wrote in a blog posting.
“I agree that Firefox could have registered its URL handler with pure DDE instead and thereby have avoided the possibility of a command line argument injection, but IE should still be able to safely launch external applications safely.”
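The disagreement above comes down to what happens when a URI is substituted into a handler's command line without escaping the quote character. The following Python sketch is an added example, not code from the advisory, Mozilla or Microsoft. The command template, the executable path, the `-constructed-flag` option and the simplified argument splitter are all assumptions made for illustration. It shows how an unescaped quote changes the argument count, how percent-encoding before substitution keeps the URI in one argument, and a check that flags the difference.

```python
from urllib.parse import quote

# Hypothetical handler command template (assumption, not taken from the page);
# %1 is where the launching application substitutes the URI.
TEMPLATE = '"C:\\example\\browser.exe" -url "%1"'

# Constructed sample inputs.
BENIGN = 'firefoxurl://example.test/'
CRAFTED = 'firefoxurl://example.test/" -constructed-flag "'

def split_args(cmdline):
    """Simplified Windows-style splitting: a double quote toggles quoting and
    whitespace outside quotes separates arguments (backslash rules omitted)."""
    args, cur, in_quote, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote, started = not in_quote, True
        elif ch in ' \t' and not in_quote:
            if started:
                args.append(''.join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append(''.join(cur))
    return args

def launch_naive(uri):
    # Behaviour described in the article: the URI is pasted in unescaped.
    return split_args(TEMPLATE.replace('%1', uri))

def launch_escaped(uri):
    # One possible mitigation (assumption): percent-encode characters such as
    # '"' and space before substitution so they cannot end the quoted argument.
    return split_args(TEMPLATE.replace('%1', quote(uri, safe=':/?&=%#.-_~')))

def is_injected(uri, launcher):
    """The URI must occupy exactly one argument, as a harmless value does."""
    return len(launcher(uri)) != len(launcher('x'))

if __name__ == '__main__':
    for name, launcher in (('naive', launch_naive), ('escaped', launch_escaped)):
        print(name, launcher(CRAFTED), 'injected:', is_injected(CRAFTED, launcher))
```
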