In a public mea culpa, Mozilla's chief security officer acknowledged Monday that Firefox includes the same flaw that the company called a "critical vulnerability" in Internet Explorer during a two-week ruckus over responsibility for a Windows zero-day bug.
"Over the weekend, we learned about a new scenario that identifies ways that Firefox could also be used as the entry point," said Window Snyder of Mozilla. "While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application.
"We thought this was just a problem with Internet Explorer," Snyder continued. "It turns out, it is a problem with Firefox as well."
The argument over responsibility for a flaw that involved both Internet Explorer and Firefox began two weeks ago when Danish researcher Thor Larholm argued that Internet Explorer contained an input validation bug that passes potentially malicious URLs to other applications. Larholm called out Firefox's "firefoxurl://" protocol as one that Internet Explorer mishandled. He staked out the position that Internet Explorer was to blame, while other security experts said it was Firefox's fault.
As fingers pointed, Mozilla patched the Internet Explorer-Firefox interaction bug by releasing an update, Version 2.0.0.5. Even so, Snyder and others continued to argue that Internet Explorer was the problem. "Microsoft needs to patch Internet Explorer," Snyder said last Wednesday. That same day, Asa Dotzler, director of community development, contrasted what he said were the differences between Microsoft and Mozilla on the bug. "We think it's Firefox's job to ensure that users are protected from malicious Web sites when they're surfing the Web in Firefox. Apparently, Microsoft doesn't think the same for Internet Explorer," Dotzler said then.
Friday, Jesper Johansson, a former Microsoft security strategist but now a security program manager at Amazon.com, spelled out how Firefox was as guilty as Internet Explorer of failing to validate input. In a post that leaned on the metaphor of "glass houses," Johansson showed how Firefox passes potentially malicious URLs to other applications, including the multiple-service instant messaging client Trillian. "Firefox is subject to the exact same flaw that they blame on Internet Explorer. Firefox also does not escape quotes in URLs before it passes them on to protocol handlers," he said.
Snyder did not credit Johansson by name for alerting Mozilla to the Firefox bug, but she admitted that the flaw should have been spotted. "We should have caught this scenario when we fixed the related problem in 2.0.0.5," she said.
She did not specify when a patch would be issued, but one is in the works, according to an entry in Bugzilla.
This whitepaper explains the terminology and concepts behind Data Replication technologies and establishes some sizing rules through worked examples. Learn the new paradigm in disaster tolerance—protect data anywhere.
Download now »
Server virtualization is a popular option for dealing with mounting datacenter costs. Another equally promising approach is the use of an Application Delivery Controller. Citrix NetScaler provides a low-cost way for organizations to reduce their server count and accrue cost savings from a reduction in space, cooling, power and personnel.
Download now »
The emergence of WLANs has created a new breed of security threats to enterprise networks.
Included in HP ProCurve WLAN solutions is security technology that alleviates threats from WLANs through:
* Monitoring wireless activity inside and out of the enterprise
* Classifying WLAN transmissions into harmful and harmless
* Preventing transmissions that pose a security threat to the enterprise network
* Locating participating devices for physical remediation
Effectively address data protection challenges, implementing solutions that help store and protect business–critical data while cutting costs and improving efficiency and reliability.
Download now »
Sign up to receive Applications Resource Alerts
Recommend This
