July 11, 2007

Who's to blame for browser bug? IE or Firefox?

Flaw affects Internet Explorer users but appears to be a risk only to those who already have Firefox installed

A security researcher has found a security bug that could be attacked in Internet Explorer. Mozilla said it plans to patch the problem in its next Firefox software update.

No, that's not a typo, just the strange fallout from an unusual bug that had security researchers debating the question this week, "Who's to blame? Microsoft or Mozilla?"

Security researcher Thor Larholm kicked off the controversy on Tuesday, claiming that he had discovered a flaw that would let an attacker run commands on a victim's PC.

In his blog posting, Larholm said the bug was similar to a flaw he'd discovered last month in Apple's Safari 3.0 beta software, and he called it an an "input validation flaw in Internet Explorer." The problem is with a URL protocol handler component of Internet Explorer, he said. This software allows Internet Explorer users to launch applications such as Excel or Firefox by clicking on specially written links on Web pages.

When Internet Explorer clicks on a link that launches the Firefox browser, however, the software does not properly check its syntax, and that, Larholm said, lets an attacker create a malicious link that could be used in an attack. Security vendor Secunia ApS rates the flaw as "highly critical."

So while the flaw affects Internet Explorer users, it appears to be a risk only to those who already have Firefox installed. And to make matters more complicated, if a Firefox user were to click on one of the specially written links, he would not be affected.

Still, Microsoft security program manager Mark Griesi said that the bug was not his company's problem. "We don't feel that there's an issue in IE, and therefore, there's nothing to be fixed," he said Tuesday.

With Microsoft saying it won't fix the vulnerability, Mozilla said it would change the way its Firefox URL protocol handler worked in its next Firefox update. That will fix Larholm's bug, but Mozilla security strategist Window Snyder wouldn't say whether she considered the vulnerability to be an IE or Firefox problem. She did, however, point out that without Microsoft making changes to IE, other Windows programs may be at risk.

Noted browser bug-hunter Aviv Raff wrote in his blog that he thought both Microsoft and Mozilla were to blame.

But another security expert said that the responsibility to fix the problem lies with the open source browser developers. "This is an oversight in how Mozilla decided to construct their protocol registration, and how they do input validation between this handler and their application," said Eric Schultze, chief security architect with Shavlik Technologies, via e-mail. "I think Mozilla needs to write and release a patch for this issue, and Microsoft can take the week off."

Close

On Twitter now

Applications

Powered by Twitter

On Twitter now

White Paper

D2D Virtual Tape Library Replication Primer

This whitepaper explains the terminology and concepts behind Data Replication technologies and establishes some sizing rules through worked examples. Learn the new paradigm in disaster tolerance—protect data anywhere.

Download now »

White Paper

An Alternative to Virtualization for Datacenter Cost Savings

Server virtualization is a popular option for dealing with mounting datacenter costs. Another equally promising approach is the use of an Application Delivery Controller. Citrix NetScaler provides a low-cost way for organizations to reduce their server count and accrue cost savings from a reduction in space, cooling, power and personnel.

Download now »

White Paper

Why Your Firewall, VPN, and IEEE 802.11i Aren't Enough to Protect Your Network

The emergence of WLANs has created a new breed of security threats to enterprise networks.

Included in HP ProCurve WLAN solutions is security technology that alleviates threats from WLANs through:
* Monitoring wireless activity inside and out of the enterprise
* Classifying WLAN transmissions into harmful and harmless
* Preventing transmissions that pose a security threat to the enterprise network
* Locating participating devices for physical remediation

Download now »

White Paper

Bringing the Edge to the Data Center

Effectively address data protection challenges, implementing solutions that help store and protect business–critical data while cutting costs and improving efficiency and reliability.

Download now »

Sign up to receive Applications Resource Alerts

Subscribe to the Applications Newsletter

Stay informed of the latest news and technologies around application, project and performance management.

White paper

Turn Your IT Department into a Lean Machine

Like any valuable resource, IT is a terrible thing to waste. But by applying the same lean techniques that have been used to streamline manufacturing processes, IT departments can reduce costs, improve performance and better manage resources.

Download now! »

Podcast

Economy Makes Automation a Must-Have Tech for 2009

Stephen Elliot, vice president of strategy for CA's Infrastructure Management and Data Center Automation business unit, explains why difficult economic times drive the need for simplified management capabilities and advanced automation tools.

Listen now! »

White paper

What You Need to Know About Virtual Infrastructure Management - Now

According to a recent study CA conducted with 300 CIOs and top IT executives, 64 percent of respondents say they've already invested in virtualization, and the other 36 percent reported that they plan to invest in virtualization.

Download now! »

Webcast

Leveraging Virtualization and Process Automation

In this video learn about process automation in a virtualized world. How CA and VMware are enabling enterprise datacenter automation.

View now! »
©1994-2009 Infoworld, Inc.