Article

Warning issued over unpatched Firefox flaw

Robert Westervelt, News Director

An input validation error in Mozilla Firefox can be exploited on Microsoft Windows computers that contain the latest version of Internet Explorer. Once successfully exploited an attacker can gain access to the machine.

The flaw was discovered by independent security researcher Billy Rios, who said in an update on his blog

    Requires Free Membership to View

that the vulnerability is delivered through the Firefox browser.

"You simply have to have IE7 installed somewhere on your system for this to work (which is basically most WindowsXP Sp2 systems)," he said.

Danish vulnerability clearinghouse Secunia rated the flaw "highly critical" in its 26201 advisory Thursday because attackers could exploit it remotely. Secunia said users must visit a malicious website in order for the flaw to be exploited successfully.

"The vulnerability is caused due to an input validation error within the handling of system default URIs with registered URI handlers (e.g. "mailto", "news", "nntp", "snews", "telnet," Secunia said in its advisory.

Secunia said the vulnerability is confirmed on a fully patched Windows XP SP2 and Windows Server 2003 SP2 system using Firefox version 2.0.0.5 and Netscape Navigator version 9.0b2.

The United States Computer Emergency Readiness Team (US-CERT) also issued a US-CERT 783400 advisory, warning that Mozilla Firefox fails to properly filter input when sending certain URIs to registered protocol handlers.

"This vulnerability may allow a remote, authenticated attacker to execute commands on a vulnerable system," the agency said in its advisory.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: