The fix will be issued as part of Firefox version 220.127.116.11, which is scheduled to be released on 31 July, according to Window Snyder, Mozilla chief security something-or-other [sic].
For a vulnerable PC to be exploited, a user must be duped into clicking on a malicious webpage link, Snyder said Monday on the Mozilla Security Blog.
"The vulnerability is exposed when a user browses to a malicious webpage in IE and clicks on a specially crafted link. The link causes IE to invoke another Windows program via the command line and then pass [to] that program the URL from the malicious webpage without escaping the quotes," she said.
"This can cause data to be passed accidentally from the malicious webpage to the second Windows program. In the specific attack described in the report [by researcher Thor Larholm], IE sends URL data to Firefox. If the data is crafted in a certain way, it will allow remote code execution in Firefox."
Larholm’s research was based on an earlier vulnerability he found between Safari and Firefox that was fixed by Apple.
The flaw was discovered by researchers Billy (BK) Rios, Nate McFeters and Raghav "the Pope" Dube, according to Secunia.
The issue occurs when Firefox registers the firefoxurl:// URI handler, allowing an arbitrary command line argument to invoke the program, according to Secunia. It has been confirmed on a fully patched Windows XP system with Service Pack 2.
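The quoting problem Snyder and Secunia describe can be reproduced in a few lines. This is an added illustration, not code from Mozilla, Microsoft or the researchers; the handler template `viewer.exe -url "%1"`, the `exampleurl://` scheme, the simplified argument splitter and the sample URL are all constructed assumptions.

```python
from urllib.parse import quote

# Hypothetical handler registration (not Firefox's actual registry value):
# the caller substitutes the clicked URL for %1 and runs the command line.
HANDLER_TEMPLATE = 'viewer.exe -url "%1"'

def split_args(cmdline):
    """Simplified Windows-style splitter: whitespace separates arguments,
    double quotes group text. Backslash escaping is ignored for brevity."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def launch_naive(url):
    """Calling program inserts the URL with its quotes left unescaped."""
    return split_args(HANDLER_TEMPLATE.replace("%1", url))

def launch_escaped(url):
    """Calling program percent-encodes quotes and spaces before substitution."""
    safe = quote(url, safe=":/?&=#%")
    return split_args(HANDLER_TEMPLATE.replace("%1", safe))

def handler_accepts(argv):
    """Receiving-side check: program, -url and exactly one URL, nothing more."""
    return len(argv) == 3 and argv[1] == "-url" and '"' not in argv[2]

# Constructed sample: a quote inside the URL closes the argument early,
# so the text after it is parsed as separate command-line arguments.
SAMPLE = 'exampleurl://page" -extra-flag "value'

if __name__ == "__main__":
    for launch in (launch_naive, launch_escaped):
        argv = launch(SAMPLE)
        print(launch.__name__, argv, "accepted" if handler_accepts(argv) else "rejected")
```

The two functions correspond to the two sides of the dispute reported here: `launch_escaped` is the fix in the calling program, `handler_accepts` is the defensive check in the program being called.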
Larholm revealed proof-of-concept exploit code for the flaw this week.
Snyder said that other Windows applications may be vulnerable to bad data passed on from IE, but Firefox users are not vulnerable to such an attack while surfing with the alternative browser.
"It is important to note that if you are using Firefox to browse the web you are not vulnerable to this attack," she said. "While we have seen no evidence of attackers exploiting this issue, there is proof-of-concept code available publicly. So we recommend that people use Firefox and, as always, take care when browsing unknown websites."
A Microsoft spokesperson told SCMagazine.com that the Redmond, Wash.-based company has investigated reports and found this is not a flaw in a Microsoft product.
Dave Cole, director of Symantec Security Response, told SCMagazine.com that PC users will likely blame either Microsoft or Mozilla for the issue, depending on whose browser they like better.
"It’s really a philosophical question, and smart people come down on both sides of it. Some people say that it should never be the responsibility [to ensure security] of the calling program," he said.
"And the reality is that the web is a platform now; there are a lot of different applications that can be called from Internet Explorer, and there are a lot of places where Firefox is embedded, and it needs to be called by other applications."
Mozilla to patch Firefox flaw, vulnerable with Internet Explorer
By Frank Washkuch on Jul 12, 2007 9:32AM