Microsoft v Mozilla browser flaw war escalates

Browser makers and security researchers are still pointing fingers in the strange case of the zero-day browser vulnerability that lets an attacker reach Firefox from a web page viewed in Internet Explorer: IE hands a crafted FirefoxURL link to Firefox's registered protocol handler, and the link's contents end up on Firefox's command line.

Microsoft said it sees no need to patch Internet Explorer, while Mozilla said it will issue a fix for Firefox, even though it blames Microsoft for the problem.

Researchers started arguing earlier this week over a bug that allows attacks against IE users, but only if they have Firefox installed. Thor Larholm blamed IE, and said that while Firefox registers the FirefoxURL protocol handler used in the proof-of-concept exploits, Mozilla's browser was an innocent bystander.

"There is an input validation flaw in Internet Explorer," said Larholm. Specifically, he said that IE fails to escape quotation marks, as well as other characters, such as commas.

"Internet Explorer is to blame for not escaping 'quote' characters when passing on the input to the command line," Larholm said. "I agree that Firefox could have registered its URL handler with pure DDE instead and thereby have avoided the possibility of a command line argument injection, but IE should still be able to safely launch external applications."
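The mechanism the two quotes above argue over is plain command-line argument injection through a protocol handler. The following is an added example, not code from the article, from Microsoft or from Mozilla: it models a handler command template of the kind Windows stores under HKCR\<scheme>\shell\open\command (the exact template string is an assumption, as is the `-injected` flag in the constructed attacker link), substitutes a link into it the way a browser would, and splits the result with a simplified version of the Windows quoting rules (a run of backslashes is only special in front of a double quote). It then shows the two fixes the quotes imply: escaping embedded quotes before substitution, or rejecting links that contain a raw quote, which a valid URL never does.

```python
# Hypothetical handler command template (assumption: modelled on the
# HKCR\<scheme>\shell\open\command layout, not copied from any real registry).
HANDLER_TEMPLATE = r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url "%1" -requestPending'


def split_windows_cmdline(cmdline):
    """Split a command line into arguments using simplified Windows rules:
    whitespace separates arguments except inside double quotes; a run of
    n backslashes followed by a quote yields n//2 backslashes, and the quote
    is literal if n is odd and a delimiter if n is even; other backslashes
    are literal."""
    args, cur, in_quotes, have_token = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))
                if run % 2 == 0:
                    in_quotes = not in_quotes  # even run: quote is a delimiter
                else:
                    cur.append('"')            # odd run: escaped literal quote
                i = j + 1
            else:
                cur.append("\\" * run)         # backslashes not before a quote
                i = j
            have_token = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True
        elif ch in " \t" and not in_quotes:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
        i += 1
    if have_token:
        args.append("".join(cur))
    return args


def escape_for_quoted_arg(value):
    """Escape value so that, placed between double quotes, it survives
    split_windows_cmdline as exactly one argument equal to value."""
    out, backslashes = [], 0
    for ch in value:
        if ch == "\\":
            backslashes += 1
            continue
        if ch == '"':
            out.append("\\" * (backslashes * 2 + 1) + '"')
        else:
            out.append("\\" * backslashes + ch)
        backslashes = 0
    out.append("\\" * (backslashes * 2))  # trailing backslashes before the closing quote
    return "".join(out)


def launch_unescaped(url):
    """The behaviour Larholm describes: %1 is replaced verbatim, so a quote
    inside the link closes the quoted argument and the rest becomes new args."""
    return split_windows_cmdline(HANDLER_TEMPLATE.replace("%1", url))


def launch_escaped(url):
    """Fix 1: escape embedded quotes so the whole link stays one argument."""
    return split_windows_cmdline(HANDLER_TEMPLATE.replace("%1", escape_for_quoted_arg(url)))


def is_acceptable_handler_url(url):
    """Fix 2: refuse to launch at all if the link carries a raw double quote;
    RFC 3986 never allows an unencoded quote in a URL, so nothing legitimate is lost."""
    return '"' not in url


# Constructed inputs for the demonstration (not taken from any real exploit).
BENIGN_URL = "firefoxurl://example.com/"
ATTACK_URL = 'firefoxurl://example.com/" -injected "payload'

if __name__ == "__main__":
    print("unescaped benign :", launch_unescaped(BENIGN_URL))
    print("unescaped attack :", launch_unescaped(ATTACK_URL))   # extra -injected argument appears
    print("escaped attack   :", launch_escaped(ATTACK_URL))     # link stays a single argument
    print("accept attack?   :", is_acceptable_handler_url(ATTACK_URL))
```

Run it and compare the second and third lines: without escaping, `-injected` arrives at the handler as its own argument, which is the injection the quotes describe; with escaping, or with the quote check, it never does.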

Other security experts, including Thomas Kristensen, chief technology officer at Danish vulnerability tracker Secunia, said otherwise. "This is in fact not an IE issue, it is a Firefox issue," Kristensen claimed.