Mozilla is working on patching its Firefox browser after a hacker posted details of a flaw that could let criminals run unauthorized software on a victim's machine.
The flaw lies in Firefox's URL handler component, which was the source of another bug Mozilla disclosed Tuesday.
This second flaw was disclosed Tuesday by Billy Rios and Nathan McFeters, security consultants with VeriSign and Ernst & Young, respectively.
Like the first flaw, this one could be exploited by attackers to launch programs on the victim's PC without authorization, said Tyler Reguly, a security research engineer at nCircle Network Security. "They're both related to the URL handling process," he said. "It's just different errors within that handling process."
Even though the code posted by Rios and McFeters can only be used to launch software that is already installed on a victim's PC, it could be very dangerous if used by criminals, Reguly said. "It's still letting you run any program that exists on the user's computer," he said. "You can make it do some fairly bad things. For example, having it use command-line FTP to download a malicious file off a server somewhere and then execute that file."
A victim would have to be tricked into clicking on a malicious link for the attack to work, Reguly said.
Mozilla's security chief, Window Snyder, said that her team is working to verify and fix this latest flaw.
Firefox's URL handler has been a headache for Mozilla ever since security researcher Thor Larholm showed that the way IE (Internet Explorer) and Firefox interact with each other could be exploited to launch software on a user's machine without authorization. To make the attack work, IE would load malformed data from a Web site and would then send it to Firefox, which would launch the unauthorized software.
Microsoft and Mozilla disagreed about who was at fault, however. Snyder initially said that the attack wouldn't work on Firefox alone and that Microsoft should change the way IE passes malformed data to other programs. Microsoft said that the problem lay with Firefox.
While disclosing details on the first URL handler bug on Tuesday, Snyder admitted that she was wrong. "We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well," she said. "We should have caught this scenario."
Mozilla is planning to fix this issue in the upcoming 2.0.0.6 release of its browser. Snyder did not say when the Billy Rios bug would be patched.
This whitepaper explains the terminology and concepts behind Data Replication technologies and establishes some sizing rules through worked examples. Learn the new paradigm in disaster tolerance—protect data anywhere.
Download now »
Server virtualization is a popular option for dealing with mounting datacenter costs. Another equally promising approach is the use of an Application Delivery Controller. Citrix NetScaler provides a low-cost way for organizations to reduce their server count and accrue cost savings from a reduction in space, cooling, power and personnel.
Download now »
The emergence of WLANs has created a new breed of security threats to enterprise networks.
Included in HP ProCurve WLAN solutions is security technology that alleviates threats from WLANs through:
* Monitoring wireless activity inside and out of the enterprise
* Classifying WLAN transmissions into harmful and harmless
* Preventing transmissions that pose a security threat to the enterprise network
* Locating participating devices for physical remediation
Effectively address data protection challenges, implementing solutions that help store and protect business–critical data while cutting costs and improving efficiency and reliability.
Download now »
Sign up to receive Security Resource Alerts
This white paper provides guidance on how to develop a strategic approach to managing and monitoring logs, a key function required for compliance with many regulatory mandates and a critical defense against security threats.
Download now! »
Learn about the processes and technologies that support security information management (SIM) operations, as well as the business case for SIM. The series examines different options for implementing SIM and gives you evaluation criteria for selecting the best option for your organization.
Download now! »
Learn the strategies, actions, and capabilities that Best-in-Class organizations employ and technologies they choose to obtain superior performance against various security performance metrics. This report provides guidelines for identifying which security solutions to consume as a MSS and defines best practices for choosing and managing MSSPs.
Download now! »
1 Recommendation
