Secunia finds critical flaw in Firefox 2.0.0.4

Posted on Tuesday, Jul 10 2007 @ 19:18 CEST by Thomas De Maesschalck
Security firm Secunia reports they've find a critical vulnerability in Firefox which can be used to comprise a user's system.

The problem is that Firefox registers the "firefoxurl://" URI handler and allows invoking firefox with arbitrary command line arguments. Using e.g. the "-chrome" parameter it is possible to execute arbitrary Javascript in chrome context. This can be exploited to execute arbitrary commands e.g. when a user visits a malicious web site using Microsoft Internet Explorer.

The vulnerability was found on a fully patched Windows XP SP2 system with Firefox 2.0.0.4, other versions may also be affected.

A temporary fix is to disable the "Firefox URL" URI handler but instructions on how to do this aren't provided.


About the Author

Thomas De Maesschalck

Thomas has been messing with computer since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.



Loading Comments