Despite Mozilla's recent Firefox security update, two researchers warn that there's another way attackers could...
exploit the popular browser for malicious purposes.
Researchers Billy Rios and Nate McFeters, who attracted recent attention with their warnings about the multi-browser Uniform Resource Identifier (URI) protocol handling flaw, claim to have discovered a new way for attackers to exploit Firefox to push malware onto targeted machines via the users' browsers.
"Nate and I have discovered a way to exploit a common handler with a single unexpected URI," Rios wrote in his blog. "So, it seems that although the conditions which allowed for remote command execution in Firefox 18.104.22.168 have been addressed with a security patch, the underlying file type handling issues which are truly the heart of the issue have not been addressed."
The researchers said they've contacted Mozilla and that "they are working on it." For now, Rios said, he and McFeters will refrain from giving out the exact details of how this latest flaw is executed.
The Mozilla Foundation released Firefox version 22.214.171.124 in late July to address the URI flaw. At the time, Rios, said an input validation error could be delivered through the Firefox browser, enabling full access to the machine. "You simply have to have IE7 installed somewhere on your system for this to work (which is basically most WindowsXP Sp2 systems)," he wrote in his blog at the time.
The flaw disclosure, made around the time researchers were descending on Las Vegas for the Black Hat USA 2007 Briefings, contributed to a tough week for Mozilla. During the Black Hat proceedings, Mike Shaver, one of the founders of the Mozilla project and currently the director of ecosystem development, handed Robert Hansen [aka Rsnake] a business card with the words "Ten [expletive deleted] Days" on it, after reportedly telling Hansen Mozilla could fix any flaw in that amount of time. Hansen posted a photo of the card on his blog and wrote an account of the conversation, in which he said, "I'm not going to comment on my personal feelings on this matter except to say that I'd love to see Mozilla back up their promise."
Mozilla security chief Window Snyder then took to the Mozilla blog to deny the 10-day claim. "This is not our policy. We do not think security is a game, nor do we issue challenges or ultimatums," she wrote. "We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe. We hope these comments do not overshadow the tremendous efforts of the Mozilla community to keep the Internet secure."
The controversy also erupted as Snyder was trying to play up significant security upgrades in the next major release of Firefox designed to protect users from both attackers and from themselves.
She said those improvements will include new anti-phishing and anti-malware capabilities designed to prevent users from endangering themselves by visiting malicious sites.
Executive Editor Dennis Fisher contributed to this report.