Firefox version patches two vulnerabilities

Update patches the Mozilla side of a flaw shared with Microsoft's Internet Explorer. Plus, it fixes a privilege escalation vulnerability.

Mozilla released on Tuesday an update to Firefox 2 that patches the Mozilla side of a flaw shared with Microsoft Internet Explorer .

The update, Firefox, also patches a privilege escalation vulnerability.

Current users of Firefox 2 will receive an update notice. Others can download it from the Mozilla site.

Researcher Jesper Johansson noted that Firefox did not percent-encode spaces and double-quotes in URIs (uniform resource identifiers) handed off to external programs. That means the receiving program could interpret a single URI as multiple arguments. For example, when running Firefox on Windows XP with IE7 installed, URIs for certain common protocols (such as mailto:) that contain a %00 won't necessarily launch the protocol handler registered for that scheme but will instead launch a file-handling program based on the file extension at the end of the URI. This appears to allow execution of any program installed at a known location and might be enough to exploit a system.

The second issue deals with a vulnerability that could enable privilege escalation attacks. The vulnerability involves add-ons that create "about:blank" windows. An attack could populate them in certain ways including implicit "about:blank" document creation or use of JavaScript URLs in a new window.

Although the patches released Tuesday should eliminate the known vulnerabilities, Mozilla also recommends that the following workaround be added to release To make mail-related links always prompt in Firefox before launching external programs, do the following:

  • Enter about:config in the location bar
  • Enter "warn-external" in the Filter: box
  • Double-click to set the mailto, news, nntp, and snews lines to "true."
About the author

    As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.


    Discuss Firefox version patches two vulnerabilities

    Conversation powered by Livefyre

    This week on CNET News
    Hot Products
    Trending on CNET

    CNET Forums

    Looking for tech help?

    Whether you’re looking for dependable tech advice or offering helpful tricks, join the conversation in our forums.