Mozilla, maker of open source Web browser application Firefox, released a new version of the program that fixes a security issue stemming from an interaction between Microsoft’s Internet Explorer (IE) and Firefox. Version 2.0.0.5 of Firefox was made available for download on Wednesday.
The problem — first reported by security firm Secunia — arises on computers that have both IE and Firefox installed. When a user browses Web sites using IE, malicious code can be sent to Firefox and, notably, other programs on the user’s computer.
Mozilla, in its security blog, called on Microsoft to patch the hole on the IE side. For its part, though, Mozilla states that “[t]his patch for Firefox prevents Firefox from accepting bad data from Internet Explorer.”
Explorer Running, Firefox Vulnerable
The problem centers on malicious Javascript code that can be sent from IE to Firefox through arbitrary command line arguments, Secunia describes. Firefox does not have to be running for the code to be transmitted, just installed on the same computer as IE. When a user clicks on links at a malicious Web site, the hole can be exploited without the user’s knowledge.
Mozilla has taken pains to point out that the problem cannot occur when using Firefox to browse the Web and that it is not aware of attackers taking advantage of the vulnerability. It also notes in its security blog that “[a] similar interaction between Safari and Firefox was reported earlier and fixed by Apple.”
The blog entry announcing the fix and calling on Microsoft to repair the problem from its side was authored by Window Snyder, chief security officer for Mozilla. It is the only comment that Mozilla is making publicly about the matter, Mozilla spokesperson Steve Naventi told LinuxInsider.
Not Just Firefox
Media coverage of this security concern has focused on Firefox, perhaps due to the fierce competition between the IE and Mozilla browsers. The vulnerability, though, exists in a wide range of programs that will accept executable code from IE, according to sources in the security community.
The issue has indeed been fixed from the Firefox side, but a hole remains open from the IE point of view, Danish programmer and self-described hacker Thor Larholm noted in a Wednesday blog entry.
“I can still automatically launch a wide range of external applications from Internet Explorer and provide them with arbitrary command line arguments. AcroRd32.exe (Adobe Acrobat PDF Reader), aim.exe (AOL Instant Messenger), Outlook.exe, msimn.exe (Outlook Express), netmeeting.exe, HelpCtr.exe (Windows Help Center), mirc.exe, Skype.exe, wab.exe (Windows Address Book) and wmplayer.exe (Windows Media Player) — just to name a few,” he said.
Finger-Pointing Game
Of course, having two applications involved in one security issue makes for ample finger-pointing room. The blogosphere is rife with diatribes assigning blame alternately to Microsoft and Mozilla on the problem.
The fault, though, lies with both, according to Chenxi Wang, principal analyst with Forrester Research.
“This is really a gray area,” she told LinuxInsider. Microsoft should be vigilant about what IE passes on to other programs, she asserted. On the other hand, all programs — Firefox included — are responsible to protect themselves against potentially malicious input.
“This issue does highlight the importance of investigating your trust model and your assumptions,” Wang said. “I bet the Firefox designers did not envision such an attack when they decided to allow arbitrary parameters to be passed from IE, or any other Windows application. Many security attacks happen because of misplaced assumptions, and this is one of them.”