DespiteMozilla's recent Firefox security
update, two researchers warn that there's
another way attackers could exploit the popular browser for
malicious purposes.
 | | | | | The underlying file type handling issues
which are truly the heart of the issue have not been
addressed.
Billy Rios,
independent security
researcher |
| | | | | |
| |
|
Researchers
Billy Rios and Nate McFeters, who attracted recent attention
with their warnings about the multi-browser
Uniform Resource Identifier (URI) protocol
handling flaw, claim to have discovered
a new way for attackers to exploit Firefox
to push malware onto targeted machines via the users'
browsers.
"Nate and I have discovered a way to exploit a common handler
with a single unexpected URI," Rios wrote in his blog. "So, it
seems that although the conditions which allowed for remote command
execution in Firefox 2.0.0.5 have been addressed with a security
patch, the underlying file type handling issues which are truly the
heart of the issue have not been addressed."
The researchers said they've contacted Mozilla and that "they
are working on it." For now, Rios said, he and McFeters will
refrain from giving out the exact details of how this latest flaw
is executed.
The Mozilla Foundation released Firefox version 2.0.0.6 in late
July to address the URI flaw. At the time, Rios, said an input
validation error could be delivered through the Firefox browser,
enabling full access to the machine. "You simply have to have IE7
installed somewhere on your system for this to work (which is
basically most WindowsXP Sp2 systems)," he wrote in his blog at the
time.
The flaw disclosure, made around the time researchers were
descending on Las Vegas for the
Black Hat USA 2007 Briefings, contributed to
a tough week for Mozilla. During the Black Hat proceedings, Mike
Shaver, one of the founders of the Mozilla project and currently
the director of ecosystem development, handed Robert Hansen [aka
Rsnake] a business card with the words "Ten [expletive deleted]
Days" on it, after reportedly telling Hansen Mozilla could fix
any flaw in that amount of time.
Hansen posted a photo of the card on his blog and wrote an
account of the conversation, in which he said, "I'm not going to
comment on my personal feelings on this matter except to say that
I'd love to see Mozilla back up their promise."
Mozilla security chief
Window Snyder then took to the Mozilla blog to
deny the 10-day claim. "This is not our policy. We do not
think security is a game, nor do we issue challenges or
ultimatums," she wrote. "We are proud of our track record of
quickly releasing critical security patches, often in days. We
work hard to ship fixes as fast as possible because it keeps
people safe. We hope these comments do not overshadow the
tremendous efforts of the Mozilla community to keep the Internet
secure."
The controversy also erupted as Snyder was trying to play up
significant
security upgrades in the next major release of
Firefox designed to protect users from both attackers and
from themselves.
She said those improvements will include new anti-phishing and
anti-malware capabilities designed to prevent users from
endangering themselves by visiting malicious sites.
Executive Editor Dennis Fisher contributed to this
report.