Secunia blamed Microsoft this week for a URI handling flaw that can be exploited when a user browses with Firefox but has Internet Explorer (IE) 7 installed.
Reports of the URI handling flaw, which Mozilla said Wednesday it is investigating and working to patch, follow a back-and-forth earlier this month between Mozilla and Microsoft over who was to blame for a URL handling flaw.
The flaw is caused by an input validation error within the handling of system default URIs with registered URI handlers, according to Secunia.
A Microsoft spokesperson told SCMagazine.com today that the Redmond, Wash.-based company is investigating the reports but is unaware of any attacks trying to take advantage of the flaw.
Microsoft will take appropriate action after the investigation is complete, said the spokesperson.
Successful exploitation requires that IE7 be installed on the PC but that the user be browsing with Firefox, according to Secunia.
Secunia credited researchers Billy (BK) Rios and Nate McFeters with disclosing the flaw, and referenced information from Jesper Johansson. Mozilla on Wednesday also credited Rios and McFeters with the disclosure.
Rios today stressed the importance of URI handling flaws to SCMagazine.com, saying both parties should take measures to protect users.
"I think the ongoing ‘blame game’ that we see is just an indication of some of the subtle complexities we see when dealing with URI handling," he said via email. "In the end, I think there are measures both the browser and the external application must take to mitigate these issues…it’s the only way it’s going to be fixed. Otherwise we’ll be seeing these types of flaws for a really, really long time."
Firefox can be used as an attack vector for flaws in other applications because it does not filter data passed to certain URI protocol handlers, according to US-CERT’s advisory.
Click here to email Online Editor Frank Washkuch.