
A zero-day for Internet Explorer or Firefox?

Typically, Microsoft-based zero-day flaws are disclosed the day after Patch Tuesday. This month, however, claims are circulating about a new one on the very day of Microsoft’s July patch release. But opinions are mixed on whether this is really a problem for Internet Explorer or Mozilla Firefox.

Researchers Billy (BK) Rios, Nate McFeters, Raghav “the Pope” Dube and Thor Larholm are all reporting an issue affecting one or both browsers.

Larholm had this to say in his blog:

“There is an input validation flaw in Internet Explorer that allows you to specify arbitrary arguments to the process responsible for handling URL protocols. This is the same type of input validation vulnerability that I discovered in the Safari 3 beta (see Safari for Windows, 0day exploit in 2 hours). When Firefox is installed it registers a URL protocol handler called FirefoxURL. When Internet Explorer encounters a reference to content inside the FirefoxURL URL scheme it calls ShellExecute with the EXE image path and passes the entire request URI without any input validation.”

Symantec says an attacker can exploit this to carry out cross-browser scripting attacks by using the ‘-chrome’ argument. This can allow attackers to run JavaScript code with the privileges of the trusted chrome context, which has full access to Firefox’s resources.

Exploiting the issue would permit a remote attacker to influence command options that can be called through the ‘FirefoxURL’ handler and therefore execute commands and script code with the privileges of a user running the applications, Symantec adds.

In an email to, Secunia CTO Thomas Kristensen said his firm tested the flaw and found that it’s a problem for Firefox and not Internet Explorer.

“Since Firefox, a new URI handler was registered on Windows systems to allow Web sites to force launching Firefox if the “firefoxurl://” URI was called (like ftp://, http://, or similar would call other applications),” he wrote. “However, the way in which the URI handler was registered by Firefox causes any parameter to be passed from IE (or another application) to Firefox when firefoxurl:// is activated. Due to the implementation of the “-chrome” parameter, it became possible to inject code that would be executed within Firefox.”
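
The check both quotes describe as missing, as an added example (not code from this article or from any vendor quoted in it): does a request URI substituted into a protocol handler's command line stay a single argument? The command template, sample URIs, option name and the simplified quote-and-whitespace tokenizer are assumptions constructed for illustration; real Windows command-line parsing has further rules.

```python
"""Check whether a URI handed to a URL protocol handler stays one argument."""

def split_args(cmdline):
    """Simplified tokenizer: whitespace separates arguments, double quotes
    group them. Real Windows parsing also has backslash-escape rules."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def expand(template, uri):
    """Substitute the URI for %1 the way a caller doing no validation would."""
    return split_args(template.replace("%1", uri))

def injected_args(template, uri):
    """Return arguments the target would receive that are neither part of the
    registered template nor the URI itself (empty list means no injection)."""
    baseline = expand(template, "PLACEHOLDER")
    expected = [uri if a == "PLACEHOLDER" else a for a in baseline]
    got = expand(template, uri)
    return [] if got == expected else [a for a in got if a not in expected]

def is_safe_to_dispatch(uri):
    """Caller-side validation: refuse characters that can end the quoted
    argument or start a new one."""
    return not any(c in uri for c in '" \t\r\n')

# Constructed registration and URIs (assumptions, not taken from the article).
TEMPLATE = '"C:/Program Files/Browser/browser.exe" -url "%1"'
BENIGN = "firefoxurl://example.test/page"
HOSTILE = 'firefoxurl://example.test/" -extra-option "value'

if __name__ == "__main__":
    for uri in (BENIGN, HOSTILE):
        print(uri, is_safe_to_dispatch(uri), injected_args(TEMPLATE, uri))
```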

That’s a lot of technical detail, but the simple thing for users to remember is that they shouldn’t browse untrusted Web sites.
