One patch fixes a Firefox and Thunderbird flaw, deemed "critical" by Mozilla, that can allow unescaped URIs to be passed on to external programs.
The flaw can "cause the receiving program to mistakenly interpret a single URI as multiple arguments," according to Mozilla’s security advisory, which credited researcher Jesper Johansson with discovering the flaw.
The advisory cited a similar issue with URIs, reported by Billy (BK) Rios and Nate Mcfeters last week.
Vulnerability monitoring organisations have also classified the flaw as a Microsoft issue.
US-CERT on Friday called the flaw "a vulnerability in the way Microsoft Windows determines how to handle URIs, which may be leveraged by a remote attacker to execute arbitrary commands on an affected system." Other applications can also act as an attack vector, according to US-CERT's advisory.
Last week, Secunia called the flaw a "Microsoft Windows URI handling command execution vulnerability" that can be exploited for remote code execution.
The flaw is caused by an input validation error within the handling of system default URIs with registered URI handlers, according to Secunia, which said the vulnerability was confirmed on a fully patched Windows XP operating system with Service Pack 2 as well as Windows Server 2003.
Window Snyder, Mozilla chief security something-or-other, said Monday on the company’s security blog that the patch "reduces the risk of malicious data being passed through Firefox to another application that may then trigger unexpected and potentially dangerous behavior."
Amol Sarwate, director of Qualys’ vulnerability research lab, told SCMagazine.com that Microsoft should issue a fix for the bug.
"It’s an issue in both the browsers. Mozilla has fixed the issues with Firefox and Thunderbird, and those are issues that should be fixed in Microsoft’s products as well," he said.
"[Flaws affecting multiple browsers] are something we will see more and more as applications want to set themselves up as the default for accepting certain URLs or URIs."
A Microsoft spokesperson said today that the Redmond, Wash.-based company is investigating reports, but is unaware of attacks trying to take advantage of the flaw.
Microsoft will take appropriate action after the investigation is complete, said the spokesperson.
Mozilla also patched a "moderate" flaw that allows privilege escalation through chrome-loaded about:blank windows. That vulnerability was credited to Mozilla researcher moz_bug_r_a4.
Microsoft and Mozilla pointed fingers earlier this month over a URL handling flaw in Firefox.
After patching that flaw on 17 July — and urging Microsoft to do the same with Internet Explorer — Mozilla officials admitted that the URL handling flaw is primarily a Firefox issue.
Mozilla releases two patches, including URI handling fix, as part of Firefox 188.8.131.52
By Frank Washkuch on Aug 1, 2007 9:45AM