Users of Firefox 2.0 and above are being warned of a “highly critical” security glitch that could allow a hacker to execute arbitrary commands and take control of their computer.
“This can be exploited to execute arbitrary commands, for example when a user visits a malicious web site using Microsoft Internet Explorer.”
The security glitch was first discovered by security researcher Thor Larholm. Symantec weighed in and put the blame on Explorer, while rival Secunia is now attributing the problem to Firefox versions 2.0 or later.
This is a classic example of how a product that is secure on its own can give rise to security issues when it is used alongside another product.
“Firefox is the current attack vector, but Internet Explorer is to blame for not escaping…characters when passing on the input to the command line,” said Larholm, in response to a reader’s comment on WebWare. “I agree that Firefox could have registered its URL handler with pure DDE (dynamic data exchange, the protocol for information exchange) instead and thereby have avoided the possibility of a command-line argument injection, but IE should still be able to safely launch external applications.”
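As an added illustration (not code from the article, Mozilla, Microsoft or Larholm), the following Python models the command-line argument injection Larholm describes: a handler template that pastes a raw URL into a command string is compared with one that builds argv as a list and quotes it with `subprocess.list2cmdline`, and a small check shows whether the URL survives the Windows argv splitting rules as a single argument. The template, executable path, flag name and test URL are constructed placeholders, not the real Firefox registry value.

```python
import subprocess
# Constructed handler template in the style of a Windows URL-protocol registration; placeholders only.
NAIVE_TEMPLATE = r'"C:\example\browser.exe" -url "%1"'
UNTRUSTED_URL = 'firefoxurl://example.test/" -constructed-extra-flag "x'  # constructed input

def split_windows_cmdline(cmdline):
    """Minimal model of the Microsoft C runtime argv rules: whitespace separates
    arguments, quotes group, a backslash run before a quote is halved (odd run -> literal quote)."""
    args, cur, in_quotes, have_arg, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < len(cmdline) and cmdline[j] == "\\":
                j += 1
            if j < len(cmdline) and cmdline[j] == '"':
                cur.append("\\" * ((j - i) // 2))
                if (j - i) % 2:  # odd run: the quote is literal, consume it
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * (j - i))
            i, have_arg = j, True
            continue
        if c == '"':
            in_quotes, have_arg = not in_quotes, True
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(c)
            have_arg = True
        i += 1
    if have_arg:
        args.append("".join(cur))
    return args

def naive_cmdline(url):
    """Unsafe pattern the article describes: paste the raw URL into the template."""
    return NAIVE_TEMPLATE.replace("%1", url)

def hardened_cmdline(url):
    """Build argv as a list; list2cmdline applies the CRT quoting rules for us."""
    return subprocess.list2cmdline([r"C:\example\browser.exe", "-url", url])

def url_survives_as_one_arg(build, url):
    """Audit check: the URL must come back as exactly one argv entry, unchanged."""
    argv = split_windows_cmdline(build(url))
    return len(argv) == 3 and argv[2] == url
```

With the constructed URL, the naive template yields five argv entries (the quote closes the URL argument and the rest becomes new flags), while the hardened builder keeps it as one.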
“We are aware of this issue and we are developing a fix,” Window Snyder, Mozilla’s chief security officer, told internetnews.com. “Mozilla is committed to delivering the safest online experience for its users.”
Secunia suggests that Firefox users disable the “Firefox URL” URI handler and avoid visiting untrusted sites until the problem is resolved.