Security Bytes

Jul 17 2008   9:00AM GMT

Mozilla plugs protocol handling flaw

Robert Westervelt

Mozilla upgraded Firefox this week to plug a flaw that could allow an attacker to bypass security and open URIs using the Firefox command-line interface.

The protocol handling errors were discovered by security researcher Billy Rios. Mozilla released Firefox 3.0.1 and Firefox 2.0.0.16.

Rios said an attacker can pass the URI from a remote Web page to FireFox.exe.

Mozilla said URIs pose a danger by allowing an attacker to read data or place a malicious file on the victim’s hard drive.

“This attack only works if the user is using another internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack,” Mozilla said in its advisory.

Rios also discovered a flaw in the Opera browser, which has been fixed. In both cases, Rios said the browser security teams worked quickly and took the threats seriously.
