NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0295 Firefox Vulnerable:
Even though it was patched twice in July, a pair of security researchers say Firefox remains vulnerable to attacks exploiting protocol-handling bugs. The researchers, who spelled out design and functionality vulnerabilities in Windows' Uniform Resource Identifier (URI) protocol handling as recently as mid-August, said that they have uncovered another way hackers could send malicious code to users via browsers. In their words: "Once again, these URI payloads can be passed by the mailto, nntp, news, and snews URIs, allowing us to pass the payload without any user interaction." They said that although the conditions that allowed for remote command execution in Firefox 2.0.0.5 have been addressed with a security patch, the underlying file-type handling issues that are truly the heart of the issue have not been addressed. The researchers did not divulge technical details of how an attacker could exploit the newfound URI flaws, saying that they are giving Mozilla's security team time to plug the hole.
(ComputerWorld 04SEP07)
Last Modified: Saturday, 08-Sep-2007 08:13:59 EDT