Researcher: Firefox 2.0 contains ‘highly critical’ security flaw

July 10, 2007

Users of Firefox 2.0 and above are being warned of a “highly critical” security glitch that could allow a hacker to execute arbitrary commands and take control of their computer.

“The problem is that Firefox registers the ‘firefoxurl://’ URI handler and allows firefox to invike arbitrary command line arguments. Using the ‘-chrome’ parameter it is possible to execute arbitrary Javascript in chrome context,” security research firm Secunia noted on its Web site. 

“This can be exploited to execute arbitrary commands, for example when a user visits a malicious web site using Microsoft Internet Explorer.”

The security glitch was first discovered by security researcher Thor Larholm. Symantec weighed in and put the blame on Explorer, while rival Secunia is now attributing the problem to Firefox versions 2.0 or later.

This is a classic example where a product might be secure but when used alongside another product security issues arise.

“Firefox is the current attack vector, but Internet Explorer is to blame for not escaping…characters when passing on the input to the command line,” said Larholm, in response to a reader’s comment on WebWare. “I agree that Firefox could have registered its URL handler with pure DDE (dynamic data exchange, the protocol for information exchange) instead and thereby have avoided the possibility of a command-line argument injection, but IE should still be able to safely launch external applications.”

“We are aware of this issue and we are developing a fix,” Window Snyder, Mozilla’s chief security officer, told “Mozilla is committed to delivering the safest online experience for its users.”

Secunia suggests that Firefox users disable the “Firefox URL” URI handler and avoid visiting untrusted sites until the problem is resolved.

Be Sociable, Share!

Leave a Reply:

Recent stories

Featured stories

RSS Windows news

RSS Mac news

RSS iPad news

RSS iPhone & Touch

RSS Mobile technology news

RSS Tablet computer news

RSS Buying guides

RSS PS3/Wii/Xbox 360

RSS Green technology

RSS Photography

Featured Content


Copyright © 2014 NS