
After patching the flaw in Firefox on July 17 – and urging Microsoft to do the same with Internet Explorer (IE) – Mozilla officials admitted that the URL handling flaw is primarily a Firefox issue.
Secunia’s advisory, issued on Thursday, calls the latest flaw a "Microsoft Windows URI handling command execution vulnerability," which can be exploited for remote code execution.
The flaw is caused by an input validation error within the handling of system default URIs with registered URI handlers, according to Secunia.
The vulnerability has been confirmed on fully patched Windows XP Service Pack 2 and Windows Server 2003 operating systems that are using Firefox version 2.0.0.5 and Netscape Navigator version 9.0b2.
A Microsoft spokesperson told SCMagazine.com that the Redmond, Wash.-based company is investigating the reports but is unaware of any attacks trying to take advantage of the flaw.
Microsoft will take appropriate action after the investigation is complete, said the spokesperson.
For successful exploitation, a PC user must have IE7 installed, according to Secunia, but the user must be browsing with Firefox.
Secunia credited researchers Billy (BK) Rios and Nate McFeters with disclosing the flaw, and referenced information from Jesper Johansson. Mozilla on Wednesday also credited Rios and McFeters with the disclosure.
Rios today stressed the importance of URI handling flaws to SCMagazine.com, saying both parties should take measures to protect users.
"I think the ongoing ‘blame game’ that we see is just an indication of some of the subtle complexities we see when dealing with URI handling," he said via email.
"In the end, I think there are measures both the browser and the external application must take to mitigate these issues…it’s the only way it’s going to be fixed. Otherwise we’ll be seeing these types of flaws for a really, really long time."
US-CERT also released an advisory for the flaw, calling it a Firefox vulnerability.
Firefox can be used as an attack vector for flaws in other applications because it does not filter data passed to certain URI protocol handlers, according to US-CERT’s advisory.