Firefox version 2.0.0.6 patches two vulnerabilities

Update patches the Mozilla side of a flaw shared with Microsoft's Internet Explorer. Plus, it fixes a privilege escalation vulnerability.

Mozilla released on Tuesday an update to Firefox 2 that patches the Mozilla side of a flaw shared with Microsoft Internet Explorer.

The update, Firefox 2.0.0.6, also patches a privilege escalation vulnerability.

Current users of Firefox 2 will receive an update notice. Others can download it from the Mozilla site.

Researcher Jesper Johansson noted that Firefox did not percent-encode spaces and double-quotes in URIs (uniform resource identifiers) handed off to external programs. That means the receiving program could interpret a single URI as multiple arguments. For example, when running Firefox on Windows XP with IE7 installed, URIs for certain common protocols (such as mailto:) that contain a %00 won't necessarily launch the protocol handler registered for that scheme but will instead launch a file-handling program based on the file extension at the end of the URI. This appears to allow execution of any program installed at a known location and might be enough to exploit a system.
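The argument-splitting problem described above, as an added example that is not from Mozilla or the original article: a simplified quote-aware splitter (an assumption, not the exact Windows parsing rules) shows one URI becoming several arguments, while percent-encoding spaces and double quotes keeps it a single argument. The handler path, the switch name and the sample URI are constructed.

```python
import re

# Hypothetical handler registration: "%1" is where the URI is substituted.
TEMPLATE = r'"C:\Program Files\MailApp\mail.exe" "%1"'
# Constructed sample URI containing a double quote and spaces.
SAMPLE_URI = 'mailto:user@example.com" /hypothetical-switch "x'

_DELIMS = re.compile(r'[ "]')  # the two characters named in the article

def encode_for_handoff(uri):
    """Percent-encode spaces and double quotes; existing %XX escapes are kept."""
    return _DELIMS.sub(lambda m: "%{:02X}".format(ord(m.group())), uri)

def build_command_line(template, uri):
    """Substitute the URI into the handler's command template."""
    return template.replace("%1", uri)

def split_args(cmdline):
    """Simplified model: whitespace separates arguments unless inside double quotes."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def handoff_args(uri, encode):
    """Arguments the receiving program would see, with or without encoding."""
    if encode:
        uri = encode_for_handoff(uri)
    return split_args(build_command_line(TEMPLATE, uri))

if __name__ == "__main__":
    print("raw:    ", handoff_args(SAMPLE_URI, encode=False))
    print("encoded:", handoff_args(SAMPLE_URI, encode=True))
```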

The second issue deals with a vulnerability that could enable privilege escalation attacks. The vulnerability involves add-ons that create "about:blank" windows. An attack could populate them in certain ways including implicit "about:blank" document creation or use of JavaScript URLs in a new window.

Although the patches released Tuesday should eliminate the known vulnerabilities, Mozilla also recommends that the following workaround be added to release 2.0.0.6. To make mail-related links always prompt in Firefox before launching external programs, do the following:

  • Enter about:config in the location bar
  • Enter "warn-external" in the Filter: box
  • Double-click to set the mailto, news, nntp, and snews lines to "true."