Firefox tries again for URI fix
- — 20 October, 2007 08:06
Mozilla has released a critical security update to Firefox, taking a third shot at patching bugs in the way the browser can be used to launch programs from Web links.
The bug, rated 'moderate' by Mozilla, lies in the URI (Uniform Resource Identifier) protocol handling technology that is used to launch programs -- an e-mail client for example -- from within the browser. Over the past few months, security researchers have been discovering an increasing number of ways that this technology can be misused, often as a way to install unauthorized software on a victim's computer.
The URI patch is one of eight security bug-fixes that Mozilla has pushed out with the 188.8.131.52 update, released late Thursday.
Mozilla developers originally thought that the issue lay within Microsoft's Internet Explorer software, which could be invoked in a malicious fashion via Firefox. Several days after issuing their first patch, however, they realized that there was a problem with Firefox as well, and rushed out the 184.108.40.206 update.
Now, three months after that fix, they've patched another URI bug in Firefox that will cut down on the likelihood of programs being launched maliciously through the browser. The 220.127.116.11 release "did not prevent the incorrect file-handling programs from launching which left some risk," Mozilla said in its advisory. "An additional fix has been applied to Firefox 18.104.22.168 that detects when Windows would mishandle these URIs so that the wrong program does not get launched."
Mozilla developers weren't certain that this latest twist on the URI problem could really be exploited in Firefox, but they decided to issue this latest URI patch rather than wait to find out for certain, said Window Snyder, Mozilla's security chief. "We could just say this particular vector is not an issue because we do not have proof," she wrote in an e-mail. "We could leave it alone. Rather than spend our time analyzing whether this is a vector that could be vulnerable we would rather put the block in place and eliminate the possibility. This is a defense-in-depth measure."
Microsoft has said that it plans to patch underlying components in the Windows operating system, in an effort to prevent URI protocol handler attacks, and that will probably go a long way in preventing new attacks from cropping up, said Andrew Storms, director of security operations, with nCircle Network Security. "We have to applaud the Mozilla team for attempting to protect their users, but in the end it's going to be a Microsoft responsibility," he said.
Of the eight vulnerabilities patched Thursday, two are rated critical by Mozilla.
The 22.214.171.124 release also adds support for Apple's Mac OS X 10.5 operating system, code-named Leopard, although Mozilla warns "there are some known issues affecting some media plugins," on this platform.