An input validation error in
Mozilla Firefox can be exploited on Microsoft Windows computers
that contain the latest version of Internet Explorer. Once
successfully exploited an attacker can gain access to the
machine.
The flaw was discovered by independent security researcher
Billy Rios, who said in an update on his blog that the
vulnerability is delivered through the Firefox browser.
"You simply have to have IE7 installed somewhere on your system
for this to work (which is basically most WindowsXP Sp2 systems),"
he said.
Danish vulnerability clearinghouse Secunia rated the flaw
"highly critical" in its
26201 advisory Thursday because attackers could
exploit it remotely. Secunia said users must visit a malicious
website in order for the flaw to be exploited successfully.
"The vulnerability is caused due to an input validation error
within the handling of system default URIs with registered URI
handlers (e.g. "mailto", "news", "nntp", "snews", "telnet," Secunia
said in its advisory.
Secunia said the vulnerability is confirmed on a fully patched
Windows XP SP2 and Windows Server 2003 SP2 system using Firefox
version 2.0.0.5 and Netscape Navigator version 9.0b2.
The United States Computer Emergency Readiness Team (US-CERT)
also issued a US-CERT 783400 advisory, warning that Mozilla
Firefox fails to properly filter input when sending certain URIs to
registered protocol handlers.
"This vulnerability may allow a remote, authenticated attacker
to execute commands on a vulnerable system," the agency said in its
advisory.