[AI] Mozilla Admits Firefox Has Same Flaw as IE

Vikas Kapoor dl.vikas at gmail.com
Wed Jul 25 10:14:34 EDT 2007


Mozilla Admits Firefox Has Same Flaw as IE
Mozilla chief security officer says Firefox has the same flaw that the company called a "critical vulnerability" in IE, patch is in the works.
Gregg Keizer, Computerworld

Tuesday, July 24, 2007 9:00 AM PDT

wledged Monday that Firefox includes the same flaw that the company called a "critical
vulnerability" in Internet Explorer during a two-week ruckus over responsibility for a Windows zero-day bug.

"Over the weekend, we learned about a new scenario that identifies ways that Firefox could also be used as the entry point," said 
Window Snyder
 of Mozilla. "While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application.

"We thought this was just a problem with IE," Snyder continued. "It turns out, it is a problem with Firefox as well."

The 
argument
 over responsibility for a flaw that involved both IE and Firefox began two weeks ago, when Danish researcher Thor Larholm argued that IE contained an input
validation bug that passes potentially malicious URLs to other applications. Larholm called out Firefox's "firefoxurl://" protocol as one that IE mishandled.
He staked out the position that IE was to blame, while other security experts said it was Firefox's fault.

As fingers pointed, Mozilla 
patched
 the IE-Firefox interaction bug by releasing an update, Version 2.0.0.5. Even so, Snyder and others continued to argue that IE was the problem. "Microsoft
needs to patch Internet Explorer," Snyder 
said
 last Wednesday. That same day, Asa Dotzler, director of community development, contrasted what he said were the differences between Microsoft and Mozilla
on the bug. "We think it's Firefox's job to ensure that users are protected from malicious Web sites when they're surfing the Web in Firefox. Apparently,
Microsoft doesn't think the same for IE," Dotzler 
said
 then.

Friday, Jesper Johansson, a former Microsoft security strategist but now a security program manager at Amazon.com Inc., spelled out how Firefox was as guilty
as IE of failing to validate input. In a post that leaned on the metaphor of "glass houses," Johansson showed how Firefox passes potentially malicious
URLs to other applications, including the multiple-service instant messaging client Trillian. "Firefox is subject to the exact same flaw that they blame
on IE. Firefox also does not escape quotes in URLs before it passes them on to protocol handlers," he said.

Snyder did not credit Johansson by name for alerting Mozilla to the Firefox bug, but she admitted that the flaw should have been spotted. "We should have
caught this scenario when we fixed the related problem in 2.0.0.5," she said.

She did not specify when a patch would be issued, but one is in the works, according to an 
entry
 in Bugzilla.

http://www.pcworld.com/article/id,135013-pg,1/article.html

Vikas Kapoor,
MSN Id:dl_vikas at hotmail.com, Yahoo+Skype Id: dl_vikas,
Mobile: (+91) 9891098137.


More information about the AccessIndia mailing list