
"It’s time to take a good look at the registered URL handlers and how browsers interact with those registered URL handlers," he said.
"Developers who intend to [or have already] registered URLs for their applications must understand that registering a URL handler exponentially increases the attack surface for that application. Please review your registered URL handling mechanisms and audit the functionality called by those URLs."
On Monday, Mozilla Chief Something-or-Other Window Snyder said on the Mozilla Security Blog that a protocol handing issue exists in Firefox as well as IE. Mozilla had previously blamed the problem on Microsoft, urging the Redmond, Wash.-based company to release a fix for the problem.
The flaw, which can be exploited when IE refers a malicious URL to Firefox, was patched by Mozilla on 17 July when Mozilla released Firefox 2.0.0.5.
Snyder said today on Mozilla’s security blog that the company is investigating the issue. She said the flaw’s impact "appears to be unknown at this time," and advised caution when browsing unknown sites until the Mountain View, Calif.-based company releases a patch.
Rios revealed a list of 13 flaws that he and Mcfeeters have discovered over the past month, telling SCMagazine.com that "these URL handling flaws are really rampant."
"You’ll see that it affects a wide range of products including Internet Explorer, Firefox, Mozilla, Netscape Navigator and Trillian.
We still have a few vulnerabilities that we have discovered, but haven’t disclosed yet," he said. "As security researchers begin to understand the dangers of URL handlers, we’ll start to see even more of these types of flaws."