Among Mozilla's Tuesday fixes is a patch for a flaw that allows remote code execution when a user launches Firefox from Internet Explorer (IE).
Window Snyder, Mozilla chief security something-or-other, said on the company’s security blog today that Microsoft should patch the issue. She also urged PC users to browse with Firefox.
"This patch for Firefox prevents Firefox from accepting bad data from Internet Explorer. It does not fix the critical vulnerability in Internet Explorer. Microsoft needs to patch Internet Explorer, but at last check, they were not planning to," she said.
"Mark Griesi is quoted in Infoworld saying, ‘We don’t feel that there’s an issue in IE, and therefore, there’s nothing to be fixed.’"
For exploitation, IE must call registered URL protocols without escaping quotes and pass unexpected and potentially dangerous data to the application that registers the protocol, according to Mozilla.
The "critical" vulnerability can be exploited when a user visits a malicious website in IE and clicks on a specially prepared link causing IE to invoke another program – in this case Firefox and Thunderbird – and pass the link to that application, according to Mozilla.
Mozilla noted that other Windows applications can be accessed and manipulated through this process.
Mozilla credited Greg MacManus and Billy Rios with disclosing the flaw.
A Microsoft spokesperson told SCMagazine.com that the Redmond, Wash.-based company has thoroughly investigated the reports and found that there is no such vulnerability in IE.
Billy Rios, the researcher who discovered the flaw, said Tuesday on his blog that he considers the issue a problem for both Microsoft and Mozilla.
"A few people have asked me whether I consider this an IE flaw or a Firefox flaw…and the answer is both," he said.
"Problems with URI handlers will not be fixed until both the browser (in this case, IE) and the registered application [in this case, Firefox] change how URI handlers are used."
The Mountain View, Calif.-based software provider also released a "critical" patch for a flaw that has allowed "crashes with evidence of memory corruption." Mozilla researchers said they presumed the flaw could be used to run arbitrary code on victimised machines.
The third critical patch in Firefox 22.214.171.124 is a fix for a privilege escalation flaw that can allow an attacker to use an element outside of a document to call an event handler.
Mozilla also patched "high" danger flaws, one allowing unauthorised access to wyciwyg:// documents and a cross-site scripting error that takes advantage of addEventLstener or setTimeout, according to Mozilla.
A "moderate" flaw in XPCNativeWrapper pollution and "low" danger flaws in file type confusion due to "%00" in a name and frame spoofing while a window is loading were also patched.
Mozilla distributes eight patches; blames Microsoft for vulnerability
By Frank Washkuch on Jul 19, 2007 10:11AM