Mozilla's chief security guru on Monday issued a mea culpa for her company's handing of a URL protocol handing flaw that was believed to only be exploitable from Internet Explorer (IE).
In a post on Mozilla’s Security Blog, Window Snyder, Mozilla chief security something-or-other, said that the issue exists in Firefox as well. Her announcement came less than a week after Snyder chided Microsoft for not racing to patch the flaw in IE.
"Over the weekend, we learned about a new scenario that identifies ways that Firefox could also be used as the entry point. While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application," said Snyder. "We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in 126.96.36.199. We believe that defense in depth is the best way to protect people, so we’re investigating it now."
The flaw was believed to be exploitable when a user visits a malicious website in IE and clicks on a malicious link, causing IE to invoke another program – Firefox and Thunderbird, for instance – and passing the link to that application.
On July 17, when Mozilla released eight patches, Snyder said that the flaw was an issue in IE and urged Microsoft to patch the application.
"This patch for Firefox prevents Firefox from accepting bad data from Internet Explorer. It does not fix the critical vulnerability in Internet Explorer. Microsoft needs to patch Internet Explorer, but at last check, they were not planning to," she said last week.
A Microsoft spokesperson told SCMagazine.com today that an investigation has determined that this is not a flaw in a Microsoft product.
Click here to contact Online Editor Frank Washkuch Jr.