Feeds

Mozilla confirms own URL handling bug

'Turns out it's a problem with Firefox as well'

Build a business case: developing custom apps

The Mozilla Foundation acknowledged over the weekend that its own Firefox browser allows links that can send malicious code to external programs, a security issue that the group had previously argued should be fixed by the browser maker.

In early July, three researchers found a way to execute code in Firefox - and potentially other Windows programs - by passing it a malicious uniform resource identifier (URI) from Internet Explorer.

The discovery lit off a firestorm of finger pointing: The Mozilla Foundation argued that IE should validate the URI before passing it along to another program, while Microsoft stated that input validation is the responsibility of the receiving program.

Over the weekend, another researcher discovered that Mozilla Firefox has the same security issue. The Mozilla Foundation acknowledged the problem on Monday.

"We thought this was just a problem with IE," Mozilla's chief security officer Window Snyder said in a blog post. "It turns out, it is a problem with Firefox as well."

In the latest versions of their products, Microsoft and the Mozilla Foundation have focused on security. In Internet Explorer 7, Microsoft added anti-phishing features, the ability to run in protected mode on its latest operating system, Windows Vista, and severely culled problematic ActiveX controls. In Firefox 2.0, the Mozilla Foundation also added anti-phishing features and the ability to clear private data.

Mozilla is now looking into the issue to determine its response to the problem.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

The essential guide to IT transformation

More from The Register

next story
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Know what Ferguson city needs right now? It's not Anonymous doxing random people
U-turn on vow to identify killer cop after fingering wrong bloke
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.