Firefox and IE together brew up security trouble
By noroom, 11 July 2007 - 17:02 64 comments
Users could face a "highly critical" risk if they have both IE and Firefox version 2.0, or later, loaded on their computer. The trouble begins when browsing a malicious site while using IE and it registers a "firefoxurl://" URI (uniform resource identifier) handler, which allows the browser to interact with specific resources on the Web. As a result, users may find their systems remotely compromised.
Earlier Tuesday, security researcher Thor Larholm, who discovered the IE flaw, and security research giant Symantec put much of the blame on IE, while Secunia's Thomas Kristensen, chief technology officer, attributed the problem to Firefox versions 2.0 or later. "It's a little bit of both," said Oliver Friedrichs, director of Symantec's Security Response Center. "You have two very complex applications that are not playing well together and leading to a security issue. The components themselves are secure as stand-alone products but not together."
News source: News.com
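
On Windows, a custom scheme such as "firefoxurl://" is registered under HKEY_CLASSES_ROOT as a key carrying a "URL Protocol" value, with the program to launch stored in shell\open\command. The script below is an added example, not code from the article or from either browser project: it inventories such handlers from a `reg export` text dump so you can see which external programs a browser may hand a URL to. The scheme names and paths in the sample are constructed, and the check for a quoted "%1" is a general hygiene heuristic, not a test for the specific bug reported here.

```python
import re

# Constructed sample in `reg export` text format; schemes and paths are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exampleurl]
@="Example URL"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\exampleurl\shell\open\command]
@="\"C:\\Program Files\\Example\\example.exe\" -url \"%1\""

[HKEY_CLASSES_ROOT\legacyapp]
"URL Protocol"=""

[HKEY_CLASSES_ROOT\legacyapp\shell\open\command]
@="C:\\Legacy\\legacy.exe %1"
'''

def parse_reg(text):
    """Return {lowercased_key_path: {value_name: string_data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
            if m:
                name = "" if m.group(1) == "@" else m.group(1)[1:-1]
                # .reg files escape backslashes and quotes with a backslash
                current[name] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def url_handlers(text):
    """List (scheme, command, url_is_quoted) for every registered URL protocol."""
    keys, found = parse_reg(text), []
    for path, values in keys.items():
        parts = path.split("\\")
        if len(parts) == 2 and "URL Protocol" in values:
            cmd = keys.get(path + r"\shell\open\command", {}).get("", "")
            found.append((parts[1], cmd, '"%1"' in cmd))
    return sorted(found)

if __name__ == "__main__":
    for scheme, cmd, quoted in url_handlers(SAMPLE_REG):
        print(f"{scheme}://  ->  {cmd}  [{'quoted' if quoted else 'UNQUOTED %1'}]")
```

To run it against a real machine, feed it the text produced by exporting HKEY_CLASSES_ROOT, converted to UTF-8, instead of the constructed sample.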

Comments (64)
RyanVM - 11 July 2007 - 17:09
FWIW, the Mozilla crew checked in a fix for this bug to their source tree last night and it appears that they're going to be accelerating the release of 2.0.0.5 in order to get this patched ASAP.
RyanVM - 11 July 2007 - 18:50
To reply to myself, it appears that they're targeting next Thursday for getting a final 2.0.0.5 build pushed out with this fix included.
http://wiki.mozilla.org/Firefox:2.0.0.5
yizuman - 16 July 2007 - 17:36
What ticks me off is that they ANNOUNCE the bug in PUBLIC, thus making hackers aware of the exploit so they try to use it ASAP before the new patch is issued.
Another thing is that they are being FORCED to accelerate the release of the patch rather than making sure that the patch is BUG FREE, if at all possible. I'd rather that the developers do a right job on a patch rather than a hastily done patch that could later result in more problems.
/off soap box
8-n-1 - 16 July 2007 - 21:10
So you'd rather that the hackers already know about this and tell each other about it, but that the general public has no idea that they're in danger?
EduardValencia - 11 July 2007 - 17:14
Well, so if I have IE 7 and Firefox 2.0.0.4 installed, I'm vulnerable?
matty13 - 11 July 2007 - 17:15
Either IE7 or Firefox 2.0+ is vulnerable.
RyanVM - 11 July 2007 - 18:52
As was mentioned further down, for this exploit to work, you have to be browsing the malicious site in IE with Firefox closed at the time. I understand that some people still need to use IE for certain sites, but I'd really hope that doesn't include the types of sites where these exploits are more likely to appear :P.
For that reason, while I think this exploit is nasty, I think it'll largely end up not being exploited very much.
HawkMan - 11 July 2007 - 20:36
Or maybe some people installed FF, realized it's crap, and just continued using IE without uninstalling FF.
ThaCrip - 12 July 2007 - 01:04
For that reason, while I think this exploit is nasty, I think it'll largely end up not being exploited very much.
I ain't worried about this much myself since I almost never use IE besides for Windows updates pretty much.
But it's nice to know they're going to patch it ASAP.
Fubar - 11 July 2007 - 17:20
Shame I can't completely remove Internet Explorer from my comp.
sCrAtCh420th - 11 July 2007 - 17:26
I sure did with Vista
Samboini - 11 July 2007 - 17:55
I debated it, but on rare occasions I will visit a site that only supports IE, so I can't do it.
kheldorin - 11 July 2007 - 18:29
What has that got to do with the vulnerability? The exploit happens when you browse using IE and have Firefox installed.
Cryingcure - 11 July 2007 - 18:31
i sure did with vista :)
Good for you. You have any idea the security holes you opened up in doing that?
Smooth move
HawkMan - 11 July 2007 - 20:37
I don't think he does, because removing IE would be removing Explorer, which would leave him without a Windows shell... does LiteStep work on Vista?
WDGC - 11 July 2007 - 22:15
What has that got to do with the vulnerability? The exploit happens when you browse using IE and have firefox installed.
Well ... if IE has been removed it can hardly be used for browsing, can it?
TRC - 12 July 2007 - 02:22
You did know that IE was separated from the Explorer shell in Vista didn't you? I guess not.
faraaz - 12 July 2007 - 07:26
Well ... if IE has been removed it can hardly be used for browsing, can it?
You don't need IE removed, just don't run it.
RealFduch - 13 July 2007 - 02:38
But if you really remove IE, you'll lose help, WMP, and many other features.
Completely removing IE is a bad paranoia that damages the system.
MioTheGreat - 11 July 2007 - 18:00
Under protected mode IE, attempting to do a firefoxurl:// will cause a popup dialog, informing you that it's trying to launch an external program....