Firefox version patches two vulnerabilities

Update patches the Mozilla side of a flaw shared with Microsoft's Internet Explorer. Plus, it fixes a privilege escalation vulnerability.

Mozilla released on Tuesday an update to Firefox 2 that patches the Mozilla side of a flaw shared with Microsoft Internet Explorer.

The update, Firefox, also patches a privilege escalation vulnerability.

Current users of Firefox 2 will receive an update notice. Others can download it from the Mozilla site.

Researcher Jesper Johansson noted that Firefox did not percent-encode spaces and double-quotes in URIs (uniform resource identifiers) handed off to external programs. That means the receiving program could interpret a single URI as multiple arguments. For example, when running Firefox on Windows XP with IE7 installed, URIs for certain common protocols (such as mailto:) that contain a %00 won't necessarily launch the protocol handler registered for that scheme but will instead launch a file-handling program based on the file extension at the end of the URI. This appears to allow execution of any program installed at a known location and might be enough to exploit a system.
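The defensive side of the encoding problem described above, as an added example that is not Mozilla's code: a small Python helper that percent-encodes the two characters Johansson flagged (space and double-quote) before a URI is handed to an external program, refuses URIs carrying an embedded NUL (a raw `\x00` or a `%00` escape), and uses the standard-library `shlex` splitter to show how many arguments an unencoded versus an encoded URI would turn into. The function names and the sample URIs are constructed for this example; `shlex` follows POSIX splitting rules, which differ in detail from Windows' but split on the same whitespace and quote characters.

```python
import shlex

# Characters that are legal in a URI but that a receiving program may read as
# argument separators (space) or string delimiters (double-quote) when the URI
# is passed to it on a command line.
UNSAFE_FOR_HANDOFF = {" ", '"'}


def has_embedded_nul(uri: str) -> bool:
    """True if the URI carries a raw NUL byte or a %00 escape (any case)."""
    return "\x00" in uri or "%00" in uri.lower()


def is_safe_to_hand_off(uri: str) -> bool:
    """A URI with an embedded NUL has no legitimate reason to reach a handler."""
    return not has_embedded_nul(uri)


def encode_for_external_handler(uri: str) -> str:
    """Percent-encode spaces and double-quotes so the external program
    receives the whole URI as a single argument.

    Raises ValueError for URIs that contain an embedded NUL. Characters that
    are already percent-encoded are left untouched.
    """
    if not is_safe_to_hand_off(uri):
        raise ValueError("refusing to hand off a URI with an embedded NUL")
    return "".join(
        "%%%02X" % ord(ch) if ch in UNSAFE_FOR_HANDOFF else ch for ch in uri
    )


def argument_count(uri: str) -> int:
    """How many separate arguments a shell-style splitter makes of the URI.

    1 means the receiving program sees one argument, as intended; more than 1
    means the URI was broken apart at a space or quote.
    """
    return len(shlex.split(uri))


if __name__ == "__main__":
    # Constructed sample: a mailto: link with an unencoded space in the subject.
    raw = "mailto:someone@example.com?subject=hello world"
    encoded = encode_for_external_handler(raw)
    print(raw, "->", argument_count(raw), "argument(s)")
    print(encoded, "->", argument_count(encoded), "argument(s)")
```

Run as a script it shows the raw link splitting into two arguments while the encoded link stays whole; in a browser or launcher the encoding step belongs immediately before the call that starts the external handler.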

The second issue is a vulnerability that could enable privilege escalation attacks. It involves add-ons that create "about:blank" windows: an attacker could populate those windows in several ways, including implicit "about:blank" document creation or the use of JavaScript URLs in a new window.

Although the patches released Tuesday should eliminate the known vulnerabilities, Mozilla also recommends that the following workaround be applied. To make mail-related links always prompt in Firefox before launching external programs, do the following:

  • Enter about:config in the location bar
  • Enter "warn-external" in the Filter: box
  • Double-click to set the mailto, news, nntp, and snews lines to "true"