July 13, 2007
Microsoft v Mozilla browser flaw war escalates
Bug lets Internet Explorer attack Firefox, researchers say.
By Gregg Keizer
Browser makers and security researchers are still pointing fingers in the strange case of the zero-day browser vulnerability that lets hackers exploit Firefox when surfers are using Internet Explorer.
Microsoft said it sees no need to patch Internet Explorer, while Mozilla said it will issue a fix for Firefox, even though it blames Microsoft for the problem.
Researchers started arguing earlier this week over a bug that allows attacks against IE users, but only if they have Firefox installed. Thor Larholm blamed IE, and said that while Firefox registers the FirefoxURL protocol used in the proof-of-concept exploits, Mozilla's browser was an innocent bystander.
"There is an input validation flaw in Internet Explorer," said Larholm. Specifically, he said that IE fails to escape quotation marks, as well as other characters, such as commas.
"Internet Explorer is to blame for not escaping 'quote' characters when passing on the input to the command line," Larholm said. "I agree that Firefox could have registered its URL handler with pure DDE instead and thereby have avoided the possibility of a command line argument injection, but IE should still be able to safely launch external applications."
Other security experts, including Thomas Kristensen, chief technology officer at Danish vulnerability tracker Secunia, said otherwise. "This is in fact not an IE issue, it is a Firefox issue," Kristensen claimed.
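The quoting problem Larholm describes can be shown in a few lines of Python; this is an added example, not code from the article or from either browser. The handler path, the `"%1"` command template, the `exampleurl` scheme and all function names are constructed for illustration, and the argument splitter is a simplified model of Windows command-line parsing.

```python
# Added illustration: handler path, template, scheme and URLs are all constructed.
from urllib.parse import quote

# Usual shape of a Windows protocol-handler command line: the URL replaces %1.
TEMPLATE = r'"C:\Program Files\Example\handler.exe" -url "%1"'  # hypothetical

def split_args(cmdline: str) -> list[str]:
    """Simplified Windows-style splitting: a double quote toggles quoting and
    unquoted whitespace ends an argument (backslash rules are omitted)."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def build_command(url: str) -> str:
    """Sender that pastes the URL into the template unchanged."""
    return TEMPLATE.replace("%1", url)

def build_command_escaped(url: str) -> str:
    """Sender that percent-encodes quotes, spaces, commas and similar first."""
    return TEMPLATE.replace("%1", quote(url, safe=":/?#[]@!$&()*+;=%"))

EXPECTED_ARGS = len(split_args(build_command("exampleurl://page")))  # 3

def adds_arguments(url: str) -> bool:
    """True if the raw URL makes the handler see more arguments than intended."""
    return len(split_args(build_command(url))) != EXPECTED_ARGS

if __name__ == "__main__":
    crafted = 'exampleurl://page" -extra-option "value'  # constructed input
    print(split_args(build_command(crafted)))          # five arguments
    print(split_args(build_command_escaped(crafted)))  # three arguments
```

A receiving application can apply the same argument-count check to its own command line as a defence in depth, which is the "recipient" side of the dispute.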
Comments received
Biju said on Monday, 16 July 2007
Security researchers blamed Firefox for the shell URL/protocol vulnerability; if you agree Firefox was the culprit that time, then this time the culprit should be IE.
In the case of the shell URL, the culprit was how the OS handled it.
And now for FirefoxURL, the problem is really how Windows handles parameter substitution.
Currently on MS-Windows you can trick an application ("A" - sender) to send multiple parameters to another protocol handler application ("B" - recipient) when "A" was thinking it is sending only a single URL.
This is done by adding extra double quotes in the URL.
Until MS fixes this dangerous bug at the OS level, any "sender" application should clean up all the quotes in a URL before sending. These senders are not limited to web browsers (IE, Firefox, Opera, Safari ...); it can be any e-mail client or IM (like AOL, MSN, Yahoo, Google... Messengers).
Also, programmers of any "recipient" application need to be aware of this OS flaw. Again, "recipient" applications are not limited to just browsers.
J.James said on Sunday, 22 February 2009
I'm by no means an expert but I'm a user of both Firefox and IE. However, whenever I try to download anything on Firefox my computer gets confused. IE was first on my comp and it seems first come, first served. Yet when IE had problems in Dec 08 and Jan 09, only Firefox could serve, via still, convoluted routes; difficult for a novice, but it's apparent that some kind of obstruction war is occurring. Solutions? Look what happened with banks when only self-interest was paramount.