Patch/Configuration Management, Vulnerability Management

Mozilla says URL protocol handling vulnerability is a Firefox issue

Mozilla's chief security guru on Monday issued a mea culpa for her company's handing of a URL protocol handing flaw that was believed to only be exploitable from Internet Explorer (IE).

In a post on Mozilla’s Security Blog, Window Snyder, Mozilla chief security something-or-other, said that the issue exists in Firefox as well. Her announcement came less than a week after Snyder chided Microsoft for not racing to patch the flaw in IE.

"Over the weekend, we learned about a new scenario that identifies ways that Firefox could also be used as the entry point. While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application," said Snyder. "We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in 2.0.0.5. We believe that defense in depth is the best way to protect people, so we’re investigating it now."

The flaw was believed to be exploitable when a user visits a malicious website in IE and clicks on a malicious link, causing IE to invoke another program – Firefox and Thunderbird, for instance – and passing the link to that application.

On July 17, when Mozilla released eight patches, Snyder said that the flaw was an issue in IE and urged Microsoft to patch the application.

"This patch for Firefox prevents Firefox from accepting bad data from Internet Explorer. It does not fix the critical vulnerability in Internet Explorer. Microsoft needs to patch Internet Explorer, but at last check, they were not planning to," she said last week.

A Microsoft spokesperson told SCMagazine.com today that an investigation has determined that this is not a flaw in a Microsoft product.

Click here to contact Online Editor Frank Washkuch Jr.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.