Firefox and IE together brew up security trouble

Users could face a "highly critical" risk if they have both IE and Firefox version 2.0, or later, loaded on their computer. The trouble begins when browsing a malicious site while using IE and it registers a "firefoxurl://" URI (uniform resource identifier) handler, which allows the browser to interact with specific resources on the Web. As a result, users may find their systems remotely compromised.

Earlier Tuesday, security researcher Thor Larholm, who discovered the IE flaw, and security research giant Symantec put much of the blame on IE, while Secunia's Thomas Kristensen, chief technology officer, attributed the problem to Firefox versions 2.0 or later. "It's a little bit of both," said Oliver Friedrichs, director of Symantec's Security Response Center. "You have two very complex applications that are not playing well together and leading to a security issue. The components themselves are secure as stand-alone products but not together."

News source: News.com
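
An added example (not code from the article, Mozilla or Microsoft) of the check this hand-off calls for: Windows launches a registered URI handler by substituting the URL into a command line, so the question for a defender is whether the URL still arrives as a single argument. The command template, the flag name and the sample URLs are constructed assumptions; only the firefoxurl:// scheme comes from the article.

```python
from urllib.parse import quote

# Constructed handler command (assumption); Windows replaces %1 with the URL.
TEMPLATE = r'"C:\Apps\browser.exe" -url "%1"'

def split_cmdline(cmd):
    """Split like the Microsoft C runtime (doubled-quote escape not modelled)."""
    args, cur, in_quotes, started, i = [], "", False, False, 0
    while i < len(cmd):
        c = cmd[i]
        if c == "\\":
            n = 0
            while i < len(cmd) and cmd[i] == "\\":
                n, i = n + 1, i + 1
            if i < len(cmd) and cmd[i] == '"':
                cur += "\\" * (n // 2)      # backslash pairs collapse
                if n % 2:                   # odd count: the quote is literal
                    cur, i = cur + '"', i + 1
            else:
                cur += "\\" * n             # not before a quote: literal
            started = True
        elif c == '"':
            in_quotes, started, i = not in_quotes, True, i + 1
        elif c in " \t" and not in_quotes:
            if started:
                args.append(cur)
            cur, started, i = "", False, i + 1
        else:
            cur, started, i = cur + c, True, i + 1
    if started:
        args.append(cur)
    return args

def handler_argv(url, template=TEMPLATE):
    """argv the handler process receives once the URL is substituted."""
    return split_cmdline(template.replace("%1", url))

def stays_one_argument(url, template=TEMPLATE):
    """True only if the URL arrives intact as the single value of %1."""
    expected = len(split_cmdline(template.replace("%1", "x")))
    argv = handler_argv(url, template)
    return len(argv) == expected and url in argv

def encode_for_handler(url):
    """Percent-encode characters that can end or split the quoted argument."""
    return quote(url, safe=":/?#[]@!$&'()*+,;=%")

# Constructed sample URLs; -constructed-flag is not a real option.
BENIGN = "firefoxurl://example.test/page"
HOSTILE = 'firefoxurl://example.test/" -constructed-flag "x'
```

`stays_one_argument(HOSTILE)` is false because the embedded quote closes the argument early; after `encode_for_handler` the same URL passes, which is the property either side of the hand-off can enforce.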


60 Comments


So unfortunately we have a clash here of Opera, Internet Explorer, Firefox and the rarely seen Safari fans.

You guys need to understand the causes of the problem, which is, WINDOWS. You see, Internet Explorer has the URI Handler activated because Internet Explorer IS the Windows Explorer shell.

Now, before pointing fingers at anyone, Firefox HAS NO RESPONSIBILITY over a WINDOWS flaw that they didn't know about.

Firefox and Opera are GOOD web browsers. The problem with Internet Explorer is that by the time it was made, it was a premature piece of software released to have more features than bug fixes, which isn't the case with Opera or Firefox issues (read: THE BUGFIX IS GOING TO GET RELEASED NEXT WEEK). I DARE YOU to point to when INTERNET EXPLORER had this kind of SUPPORT.

Recently, now that Firefox (and Opera) were taking over the Web Browser's market share, Internet Explorer has become active again, releasing a "nicer" GUI for their browser (the tabs, animations, and everything's nice) but it still isn't compliant with PNG transparencies, not even CSS1!

If you people have a true sense of logic, grab these browsers: Opera, Firefox and (sadly, included in your Windows system) Internet Explorer, and THEN compare them.

People in my company migrated their ActiveX system to a faster and more secure AJAX interface, because they knew about Internet Explorer flaws.

Now, bring on the trolls and flames, I know this place is popular because of the eternal FUD and (most of the) statements that only could brew a 10-yo child.

Thanks for your time

Azmodan said,
So unfortunately we have a clash here of Opera, Internet Explorer, Firefox and the rarely seen Safari fans.

You guys need to understand the causes of the problem, which is, WINDOWS. You see, Internet Explorer has the URI Handler activated because Internet Explorer IS the Windows Explorer shell.

Now, before pointing fingers at anyone, Firefox HAS NO RESPONSIBILITY over a WINDOWS flaw that they didn't know about.

Been drinking? This is a flaw in FIREFOX ALONE. Firefox should properly parse its command line arguments, or register an association that DOESN'T allow arbitrary parameters to be submitted (i.e. use DDE like you're meant to).

Allow me to rephrase what you said:

You guys need to understand the causes of the problem, which is, FIREFOX. You see, Internet Explorer has the URI Handler activated because Internet Explorer IS the Windows Explorer shell. [[I tried to reverse this, but it didn't make sense to start with]]

Now, before pointing fingers at anyone, Firefox HAS ALL RESPONSIBILITY over a FIREFOX flaw that they didn't know about.

and u don't even have to use it for windows update.
u got Autopatcher. or u can allow windows update to download from the background.

Well if I installed Firefox 2.0 on my computer, it was to use it as my primary browser, so I wouldn't worry about using IE anytime soon to access Firefox resources. The only time IE gets use is with Windows Update.

internetworld7 said,

A patch from a site frequented by Al-Qaeda? No thanks but I agree with you concerning Opera.

Do you think that a website hosting this gallery has something to do with Al-Qaeda? You have so many wrong thoughts about my country. I know that the patch does not harm the system. Here is the VirusTotal scan result..

4tehlulz said,
lol racism
Are you serious? People who don't support Al Qaeda are racists? I suppose that's one way of looking at things. Or they might, I don't know, disapprove of a group of people whose sole purpose is to destroy their way of life and impose theirs upon them.

Honestly, of all the things you could have said, you chose RACISM?

RyanVM said,
Are you serious? People who don't support Al Qaeda are racists? I suppose that's one way of looking at things. Or they might, I don't know, disapprove of a group of people whose sole purpose is to destroy their way of life and impose theirs upon them.

Honestly, of all the things you could have said, you chose RACISM?

Obviously, you didn't get the point. I think what he calls racism is labelling all the nation as Al Qaeda supporters.

borkenek said,
Obviously, you didn't get the point. I think what he calls racism is labelling all the nation as Al Qaeda supporters.

+1 for reading comprehension.

4tehlulz said,

+1 for reading comprehension.

Labelling a group is called stereotyping. Racism is when you think one race (usually your own) is better than others.
Yes no?

If you use Hitman Pro it will put the browsers into a lower rights mode, so if something like this happens you are safe. Also, under Firefox, if you use the NoScript extension you get extra protection, and if you use Firefox then run the IETab extension so you can run IE in Firefox for those certain sites = safety. As long as you keep up with security you're fine and watch what you do these things will never get you. All get Hitman Pro and protect yourselves.

GTFO

Most people don't use Opera for more reasons than that.
And why would I have FF installed and browse with IE? Chances are you don't... unless you need to use IE for a Windows site or another 'safe' site.

Berserk87 said,
GTFO

Yeah, that's mature. Way to handle your emotions when someone even mentions a browser that doesn't happen to rhyme with Firefox. Deal with someone else's opinion, or convince them to see your light. Don't be a troll.

Berserk87 said,
Most people don't use Opera for more reasons than that.

Really? Well that was specific. And on that subject, more reasons than what? The other guy never gave anybody a reason not to use Opera, he simply stated that Opera was the fastest and safest web browser. Which is completely true. Deal with it.

Berserk87 said,
And why would I have FF installed and browse with IE? Chances are you don't... unless you need to use IE for a Windows site or another 'safe' site.

Uh, so what you're saying is...nothing. There's IE only pages, so that's why you would use it. Why would you ask a stupid question that you can obviously answer yourself within 2 seconds?

Guess I'd better uninstall Internet Explorer then. Oh wait... I'm dumb! I don't know how to uninstall Windows features!! Oh wait. I don't know how to use my competer!!! HELP MEEEE!!!

FIXED FOR TEH TRUTH!

toadeater said,
IE should be classified as malware.
Hey, toadeater! Haven't seen one of your posts for a while!

You should post more; this place is just too boring without you! :nuts:

NoScript seems to have that covered.

v 1.1.4.9.070622
=====================================================================
+ Full anti-XSS protection for every trusted URL opened from external
applications
+ Protection against all the currently known cross-browser exploits
targeting Firefox (Larholm, Rios, MacManus...)

Under protected mode IE, attempting to do a firefoxurl:// will cause a popup dialog, informing you that it's trying to launch an external program....

kheldorin said,
And under firefox 2.0.4, you get another confirmation dialog. Not sure about earlier versions.

You mean 2.0.0.4, not 2.0.4.

Fubar said,
Shame I can't completely remove Internet Explorer from my comp

What has that got to do with the vulnerability? The exploit happens when you browse using IE and have firefox installed.

sCrAtCh420th said,

i sure did with vista :)

Good for you. You have any idea the security holes you opened up in doing that?

Smooth move

I don't think he does, because removing IE would be removing Explorer, which would leave him without a Windows shell... does LiteStep work on Vista?

kheldorin said,

What has that got to do with the vulnerability? The exploit happens when you browse using IE and have firefox installed.

Well ... if IE has been removed it can hardly be used for browsing, can it?

HawkMan said,
I don't think he does, because removing IE would be removing Explorer, which would leave him without a Windows shell... does LiteStep work on Vista? :p

You did know that IE was separated from the Explorer shell in Vista didn't you? I guess not.

You did know that IE was separated from the Explorer shell in Vista didn't you? I guess not.

But if you really remove IE, you'll lose Help, WMP, and many other features.
Completely removing IE is bad paranoia that damages the system.

FWIW, the Mozilla crew checked in a fix for this bug to their source tree last night and it appears that they're going to be accelerating the release of 2.0.0.5 in order to get this patched ASAP.

RyanVM said,
FWIW, the Mozilla crew checked in a fix for this bug to their source tree last night and it appears that they're going to be accelerating the release of 2.0.0.5 in order to get this patched ASAP.

What ticks me off is that they ANNOUNCE the bug in PUBLIC, thus making hackers aware of the exploit and try to use ASAP before the new patch is issued.

Another thing is that they are being FORCED to accelerate the release of the patch rather than making sure that the patch is BUG FREE, if at all possible. I'd rather the developers do a right job on a patch than a hastily done patch that could later result in more problems.

/off soap box

yizuman said,
What ticks me off is that they ANNOUNCE the bug in PUBLIC, thus making hackers aware of the exploit and try to use ASAP before the new patch is issued.

So you'd rather that the hackers already know about this and tell each other about it, but that the general public has no idea that they're in danger?