In a public mea culpa, Mozilla Corp.'s chief security officer acknowledged today that Firefox includes the same flaw that the company called a "critical vulnerability" in Internet Explorer during a two-week ruckus over responsibility for a Windows zero-day bug.
"Over the weekend, we learned about a new scenario that identifies ways that Firefox could also be used as the entry point," said Window Snyder of Mozilla. "While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application." "We thought this was just a problem with IE," Snyder continued. "It turns out, it is a problem with Firefox as well."
The argument over responsibility for a flaw that involved both IE and Firefox began two weeks ago, when Danish researcher Thor Larholm argued that IE contained an input validation bug that lets it pass potentially malicious URLs to other applications. Larholm called out Firefox's "firefoxurl://" protocol as one that IE mishandled. He staked out the position that IE was to blame, while other security experts said it was Firefox's fault.
View: Full Story @ Computer World