October 22, 2007, 9:55 AM — Mozilla Corp. has released a critical security
update to Firefox, taking a third shot at patching bugs in the way the browser
can be used to launch programs from Web links.
rated 'moderate' by Mozilla, lies in the URI (Uniform Resource Identifier) protocol
handling technology that is used to launch programs -- an e-mail client for
example -- from within the browser. Over the past few months, security researchers
have been discovering an increasing number of ways that this technology can
be misused, often as a way to install unauthorized software on a victim's computer.
The URI patch is one of eight security bug-fixes that Mozilla has pushed out
with the 184.108.40.206
update, released late Thursday.
Mozilla developers originally thought that the issue lay within Microsoft Corp.'s
Internet Explorer software, which could be invoked in a malicious fashion via
Firefox. Several days after issuing their first patch, however, they realized
that there was a problem with Firefox as well, and rushed out the 220.127.116.11 update.
Now, three months after that fix, they've patched another URI bug in Firefox
that will cut down on the likelihood of programs being launched maliciously
through the browser. The 18.104.22.168 release "did not prevent the incorrect
file-handling programs from launching which left some risk," Mozilla said
in its advisory.
"An additional fix has been applied to Firefox 22.214.171.124 that detects when
Windows would mishandle these URIs so that the wrong program does not get launched."
Mozilla developers weren't certain that this latest
twist on the URI problem could really be exploited in Firefox, but they
decided to issue this latest URI patch rather than wait to find out for certain,
said Window Snyder, Mozilla's security chief. "We could just say this particular
vector is not an issue because we do not have proof," she wrote in an e-mail.
"We could leave it alone. Rather than spend our time analyzing whether
this is a vector that could be vulnerable we would rather put the block in place
and eliminate the possibility. This is a defense-in-depth measure."