Firefox tries again for URI fix, adds Leopard support

By , IDG News Service |  Security

Mozilla Corp. has released a critical security
update to Firefox, taking a third shot at patching bugs in the way the browser
can be used to launch programs from Web links.

The bug,
rated 'moderate' by Mozilla, lies in the URI (Uniform Resource Identifier) protocol
handling technology that is used to launch programs -- an e-mail client for
example -- from within the browser. Over the past few months, security researchers
have been discovering an increasing number of ways that this technology can
be misused, often as a way to install unauthorized software on a victim's computer.

The URI patch is one of eight security bug-fixes that Mozilla has pushed out
with the 2.0.0.8
update
, released late Thursday.

Mozilla developers originally thought that the issue lay within Microsoft Corp.'s
Internet Explorer software, which could be invoked in a malicious fashion via
Firefox. Several days after issuing their first patch, however, they realized
that there was a problem with Firefox as well, and rushed out the 2.0.0.6 update.

Now, three months after that fix, they've patched another URI bug in Firefox
that will cut down on the likelihood of programs being launched maliciously
through the browser. The 2.0.0.6 release "did not prevent the incorrect
file-handling programs from launching which left some risk," Mozilla said
in its advisory.
"An additional fix has been applied to Firefox 2.0.0.8 that detects when
Windows would mishandle these URIs so that the wrong program does not get launched."

Mozilla developers weren't certain that this latest
twist
on the URI problem could really be exploited in Firefox, but they
decided to issue this latest URI patch rather than wait to find out for certain,
said Window Snyder, Mozilla's security chief. "We could just say this particular
vector is not an issue because we do not have proof," she wrote in an e-mail.
"We could leave it alone. Rather than spend our time analyzing whether
this is a vector that could be vulnerable we would rather put the block in place
and eliminate the possibility. This is a defense-in-depth measure."

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Spotlight on ...
Online Training

    Upgrade your skills and earn higher pay

    Readers to share their best tips for maximizing training dollars and getting the most out self-directed learning. Here’s what they said.

     

    Learn more

SecurityWhite Papers & Webcasts

See more White Papers | Webcasts

Answers - Powered by ITworld

Ask a Question