RSSMozilla Fixes Firefox Protocol Handling
By Scott M. Fulton, III | Published July 31, 2007, 2:10 PM
This morning, Firefox 2.0 users were automatically notified of the availability of version 2.0.0.6, with the promise that this time around, a critical vulnerability concerning how the browser tries to parse malformed resource identifiers, is fixed for good.
In its security advisory this morning, Mozilla credited Windows security expert Jesper Johansson for articulating the original problem, which has hopefully led to this final solution.
"Jesper Johansson pointed out that Mozilla did not percent-encode spaces and double-quotes in URIs handed off to external programs for handling," the advisory reads, "which can cause the receiving program to mistakenly interpret a single URI as multiple arguments. The danger depends on the arguments supported by the specific receiving program, though at the very least we know Firefox (and Thunderbird) 2.0.0.4 and older could be used to run arbitrary script."
While Mozilla's admission was arguably gracious and sincere, there's a rational debate in the developer community over whether the real problem was caused by either major brand of Web browser -- Firefox or Internet Explorer -- or rather by the underlying Windows operating system which passes on the malformed argument in the first place.
Yesterday, the US-CERT bureau of the Dept. of Homeland Security indicated that Microsoft's handling of the ShellExecute() API function, which was changed in systems where IE7 is installed, may be the true culprit. The implication there is that a danger may continue to exist so long as that critical function can pass non-standard parameters to programs it's trying to launch, such as Web browsers.
The advisory then credits VeriSign security consultants Billy Rios and Nate McFeders for discovering that, when Firefox received a ShellExecute() call to the mailto:// URI identifier that included an officially disallowed null (%00) parameter, rather than launch the default mail client, Firefox would launch whatever application was responsible for the filename extension at the end of the URI.
Starting with version 2.0.0.6, Firefox will no longer launch external protocol handler applications without first asking the user. In the event that the site placing the external launch call isn't trusted, it won't launch any programs at all.
The exception is for the mailto:// protocol, where Firefox will launch the preferred mail client without asking the user. The advisory gives users a workaround, which involves editing the program's about:config page, for having Firefox ask the user before launching the mail client.
Or at least until it breaks again!
---> is fixed for good
Score: 0
|This browser requires patches on a daily basis,I wonder could this be a sign.Yes friends, Opera is the way to go.
Score: 0
|Opera is a fine browser, but Firefox renders pages way faster than it.
Score: 0
|I'm cool with Firefox being updated on a regular basis. At least Mozilla recognizes these problems and fixes them fairly quicky, even if it does mean having to update twice in two weeks.
Anyways, I won't switch browsers just because it "requires patches on a daily basis."
Score: 0
|Oh for crying out loud...so it gets patched daily - at no cost to you...
Deal with it!
If you don't like something then don't use it.
Don't even get me started on Opera...its java implementation sucks and it doesnt have as many options/plugins as most other popular browsers (see, do not like it when people bash your favorite product do ya?). That being said, Opera is pretty zippy due to its small size and lack of plugins - right now its off most exploiters radar due to its minimal popularity.
Score: 0
|Canadian English is hard to understand. ^_^
I've updated my Firefox. I think its name should be changed to Firefix. ~~~~~~
Score: 0
|I think you mean about:config on the last line, not about:.
Score: 0
|I've always wonder if they use the Canadian spelling of that up north...
Is it "aboot:config"? :p
Score: 0
|