Ravens PHP Scripts

Firefox and IE together brew up security trouble
Date: Tuesday, July 10, 2007 @ 20:37:19 CEST
Topic: Security

Users could face a "highly critical" risk if they have both IE and Firefox version 2.0, or later, loaded on their computer. The trouble begins when browsing a malicious site while using IE and it registers a "firefoxurl://" URI (uniform resource identifier) handler, which allows the browser to interact with specific resources on the Web. As a result, users may find their systems remotely compromised.

"It's a little bit of both," said Oliver Friedrichs, director of Symantec's Security Response Center. "You have two very complex applications that are not playing well together and leading to a security issue. The components themselves are secure as stand-alone products but not together."

"Firefox is the current attack vector, but Internet Explorer is to blame for not escaping...characters when passing on the input to the command line," said Larholm, in response to a reader's comments. "I agree that Firefox could have registered its URL handler with pure DDE (dynamic data exchange, the protocol for information exchange) instead and thereby have avoided the possibility of a command-line argument injection, but IE should still be able to safely launch external applications."

News Source

This article comes from Ravens PHP Scripts

The URL for this story is: