Researchers Billy (BK) Rios and Nate McFeters unveiled another URI handler vulnerability for Mozilla's web browser on Tuesday, days after revealing a Firefox flaw dependent on use of Internet Explorer (IE).
The latest flaw affects users browsing with IE7, said Rios in a post on his blog, warning that other browsers have similar issues.
"It’s time to take a good look at the registered URI handlers and how browsers interact with those registered URL handlers," he said. "Developers who intend to (or have already) registered URIs for their applications must understand that registering a URI handler exponentially increases the attack surface for that application. Please review your registered URL handling mechanisms and audit the functionality called by those URIs."
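The audit Rios asks for has two halves: checking how each registered scheme is wired up, and checking what the handler does with the URI it receives. The following script is an added example written for this article, not code from the researchers or from any browser vendor. It runs over a constructed set of `shell\open\command` templates (the schemes and paths are made up) and flags the static problems a reviewer would look for: an executable path with spaces that is not quoted, a template that never passes the URI, and an unquoted `%1` placeholder. It then shows a handler-side validator that accepts only the registered scheme and the character set RFC 3986 allows, so that quotes, whitespace and control characters never reach the functionality behind the URI.

```python
import re

# Constructed sample of what an audit would read from
# HKEY_CLASSES_ROOT\<scheme>\shell\open\command on Windows. The schemes
# and paths are invented for this example; they come from no real product.
SAMPLE_HANDLERS = {
    "exampleapp": r'"C:\Program Files\ExampleApp\app.exe" -url "%1"',
    "legacyapp":  r'C:\Program Files\LegacyApp\legacy.exe %1',
    "notifier":   r'"C:\Apps\notifier.exe" --quiet',
}

# Characters RFC 3986 permits anywhere in a URI: unreserved, gen-delims,
# sub-delims and the percent sign. Quotes, spaces and control characters
# are deliberately absent.
ALLOWED_URI_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")


def audit_command_template(template):
    """Return a list of findings for one shell\\open\\command template.

    An empty list means the template passed these static checks; it says
    nothing about how safely the handler itself parses the URI.
    """
    findings = []
    # An executable path containing spaces must be quoted, or the path
    # is resolved ambiguously (CWE-428, unquoted search path).
    exe_match = re.search(r"\.exe", template, re.IGNORECASE)
    if exe_match and not template.startswith('"'):
        exe_path = template[:exe_match.end()]
        if " " in exe_path:
            findings.append("executable path with spaces is not quoted")
    if "%1" not in template:
        findings.append("no %1 placeholder: the handler never receives the URI")
        return findings
    # An unquoted %1 lets whitespace or quote characters inside the URI be
    # split by the callee into additional command-line arguments.
    if '"%1"' not in template:
        findings.append("%1 is not quoted: URI contents can become extra arguments")
    return findings


def run_audit(handlers):
    """Audit every registered scheme and map scheme -> findings."""
    return {scheme: audit_command_template(cmd) for scheme, cmd in handlers.items()}


def validate_uri(expected_scheme, uri, max_len=2048):
    """Handler-side check for a URI received on the command line.

    Accepts only the registered scheme, a bounded length and the RFC 3986
    character set; anything else is rejected before the handler acts on it.
    """
    if len(uri) > max_len:
        return False
    prefix = expected_scheme.lower() + ":"
    if not uri.lower().startswith(prefix):
        return False
    return ALLOWED_URI_CHARS.fullmatch(uri) is not None


if __name__ == "__main__":
    for scheme, findings in run_audit(SAMPLE_HANDLERS).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{scheme}: {status}")
    for candidate in ("exampleapp:open?id=42", 'exampleapp:open" extra', "http://example.com/"):
        print(f"{candidate!r} -> {'accepted' if validate_uri('exampleapp', candidate) else 'rejected'}")
```

On a real system the templates would be read from the registry with `winreg` instead of the constructed dictionary; the checks themselves do not change. The validator is intentionally strict: a handler that needs characters outside the RFC 3986 set should percent-encode them on the way in rather than widen the allowlist.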
On Monday, Mozilla Chief Something-or-Other Window Snyder said on the Mozilla Security Blog that a protocol handling issue exists in Firefox as well as IE. Mozilla had previously blamed the problem on Microsoft, urging the Redmond, Wash.-based company to release a fix for the problem.
The flaw, which can be exploited when IE refers a malicious link to Firefox, was patched by Mozilla on July 17 with the release of Firefox 188.8.131.52.
Snyder said today on Mozilla’s security blog that the company is investigating the issue. She said the flaw’s impact "appears to be unknown at this time," and advised caution when browsing unknown sites until the Mountain View, Calif.-based company releases a patch.
Rios revealed a list of 13 flaws that he and McFeters have discovered over the past month, telling SCMagazine.com today that "these URI handling flaws are really rampant."
"You’ll see that it affects a wide range of products including Internet Explorer, Firefox, Mozilla, Netscape Navigator and Trillian. We still have a few vulnerabilities that we have discovered, but haven’t disclosed yet," he said. "As security researchers begin to understand the dangers of URI handlers, we’ll start to see even more of these types of flaws."