Content

Another Firefox URI handler bug revealed; researcher says more on the way

Researchers Billy (BK) Rios and Nate Mcfeeters unveiled another URI handler vulnerability for Mozilla's web browser on Tuesday, days after revealing a Firefox flaw dependent on use of Internet Explorer (IE).

The latest flaw affects users browsing with IE7, said Rios during a post on his blog, warning that other browsers have similar issues.

"It’s time to take a good look at the registered URI handlers and how browsers interact with those registered URL handlers," he said. "Developers who intend to (or have already) registered URIs for their applications must understand that registering a URI handler exponentially increases the attack surface for that application. Please review your registered URL handling mechanisms and audit the functionality called by those URIs."

On Monday, Mozilla Chief Something-or-Other Window Snyder said on the Mozilla Security Blog that a protocol handing issue exists in Firefox as well as IE. Mozilla had previously blamed the problem on Microsoft, urging the Redmond, Wash.-based company to release a fix for the problem.

The flaw, which can be exploited when IE refers a malicious link to Firefox, was patched by Mozilla on July 17 when Mozilla released Firefox 2.0.0.5.

Snyder said today on Mozilla’s security blog that the company is investigating the issue. She said the flaw’s impact "appears to be unknown at this time," and advised caution when browsing unknown sites until the Mountain View, Calif.-based company releases a patch.

Rios revealed a list of 13 flaws that he and Mcfeeters have discovered over the past month, telling SCMagazine.com today that "these URI handling flaws are really rampant."

"You’ll see that it affects a wide range of products including Internet Explorer, Firefox, Mozilla, Netscape Navigator and Trillian. We still have a few vulnerabilities that we have discovered, but haven’t disclosed yet," he said. "As security researchers begin to understand the dangers of URI handlers, we’ll start to see even more of these types of flaws."

Click here to email Online Editor Frank Washkuch Jr.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.