Sometimes it takes more than one or even two kicks at the can to fix a
security issue even when the source code is open.
Such is apparently the case with vulnerability in the Mozilla Firefox
uniform resource identifier (URI) handler, which enables Firefox to call on
other Web resources.
Security researchers Billy (BK) Rios and Nate Mcfeters have alleged that
they have discovered a way to exploit a common handler with a single
unexpected URI.
The researchers claim they have notified Mozilla about the
continued existence of the issue and are not revealing full details of a
proof of concept exploit that demonstrates the vulnerability.
It is unclear as to when Mozilla will issue a fix, though it is working
on the issue.
“We are aware of this recently identified potential issue and are vigorously
investigating it,” Window Snyder, chief security officer at Mozilla, wrote in
a statement sent to internetnews.com.
This is the same basic issue that Mozilla has tried to fix at least twice
already.
The first reports of the flaw surfaced around July 10. Mozilla moved quickly and
by July 18 had issued Firefox 2.0.0.5, which included a fix for the issue.
At the time, Mozilla claimed to have fixed the flaw but that it could still be an issue because of Microsoft Internet Explorer, which had not been patched for the same basic issue.
A week later, Mozilla admitted that it was still vulnerable. That admission was followed by yet another fix — this time in
the form of Firefox 2.0.0.6, which was released on July 31.
Rios alleged on his site that although the conditions, which allowed for
remote command execution in Firefox 2.0.0.5 have been addressed, the
underlying file-type handling issues, which are truly the heart of the issue, have not been addressed.
