Mozilla released on Tuesday an update to Firefox 2 that patches the Mozilla side of a flaw shared with Microsoft's Internet Explorer.
The update, Firefox 2.0.0.6, also patches a privilege escalation vulnerability.
Current users of Firefox 2 will receive an update notice. Others can download it from the Mozilla site.
Researcher Jesper Johansson noted that Firefox did not percent-encode spaces and double-quotes in URIs (uniform resource identifiers) handed off to external programs. That means the receiving program could interpret a single URI as multiple arguments. For example, when running Firefox on Windows XP with Internet Explorer 7 installed, URIs for certain common protocols (such as mailto:) that contain a %00 won't necessarily launch the protocol handler registered for that scheme but will instead launch a file-handling program based on the file extension at the end of the URI. This appears to allow execution of any program installed at a known location and might be enough to exploit a system.
The second issue deals with a vulnerability that could enable privilege escalation attacks. The vulnerability involves add-ons that create "about:blank" windows. An attack could populate them in certain ways, including implicit "about:blank" document creation or use of JavaScript URLs in a new window.
Sentry Posts Blog
Guarding the network
What you need to know — and what you and your peers have to tell us — about security management in our new community group blog
Although the patches released on Tuesday should eliminate the known vulnerabilities, Mozilla also recommends that the following workaround be added to release 2.0.0.6. To make mail-related links always prompt in Firefox before launching external programs, do the following:
- Enter "about:config" in the location bar.
- Enter "warn-external" in the filter: box.
- Double click to set the mailto, news, nntp, and snews lines to "true".
