The latest flaw affects users browsing with IE7, said Rios during a post on his blog, warning that other browsers have similar issues.
"It’s time to take a good look at the registered URL handlers and how browsers interact with those registered URL handlers," he said.
"Developers who intend to [or have already] registered URLs for their applications must understand that registering a URL handler exponentially increases the attack surface for that application. Please review your registered URL handling mechanisms and audit the functionality called by those URLs."
On Monday, Mozilla Chief Something-or-Other Window Snyder said on the Mozilla Security Blog that a protocol handing issue exists in Firefox as well as IE. Mozilla had previously blamed the problem on Microsoft, urging the Redmond, Wash.-based company to release a fix for the problem.
The flaw, which can be exploited when IE refers a malicious URL to Firefox, was patched by Mozilla on 17 July when Mozilla released Firefox 188.8.131.52.
Snyder said today on Mozilla’s security blog that the company is investigating the issue. She said the flaw’s impact "appears to be unknown at this time," and advised caution when browsing unknown sites until the Mountain View, Calif.-based company releases a patch.
Rios revealed a list of 13 flaws that he and Mcfeeters have discovered over the past month, telling SCMagazine.com that "these URL handling flaws are really rampant."
"You’ll see that it affects a wide range of products including Internet Explorer, Firefox, Mozilla, Netscape Navigator and Trillian.
We still have a few vulnerabilities that we have discovered, but haven’t disclosed yet," he said. "As security researchers begin to understand the dangers of URL handlers, we’ll start to see even more of these types of flaws."
Another Firefox URL handler bug revealed; researcher says more on the way
By Frank Washkuch on Jul 27, 2007 10:05AM
Researchers Billy (BK) Rios and Nate Mcfeeters unveiled another URL handler vulnerability for Mozilla's web browser on Tuesday, days after revealing a Firefox flaw dependent on use of Internet Explorer (IE).
Got a news tip for our journalists? Share it with us anonymously here.