
Firefox version patches two vulnerabilities

Update patches the Mozilla side of a flaw shared with Microsoft's Internet Explorer. Plus, it fixes a privilege escalation vulnerability.

On Tuesday, Mozilla released an update to Firefox 2 that patches the Mozilla side of a flaw shared with Microsoft Internet Explorer.

The update, Firefox, also patches a privilege escalation vulnerability.

Current users of Firefox 2 will receive an update notice. Others can download it from the Mozilla site.

Researcher Jesper Johansson noted that Firefox did not percent-encode spaces and double-quotes in URIs (uniform resource identifiers) handed off to external programs. That means the receiving program could interpret a single URI as multiple arguments. For example, when running Firefox on Windows XP with IE7 installed, URIs for certain common protocols (such as mailto:) that contain a %00 won't necessarily launch the protocol handler registered for that scheme but will instead launch a file-handling program based on the file extension at the end of the URI. This appears to allow execution of any program installed at a known location and might be enough to exploit a system.
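The argument-splitting problem described above, as an added example that is not Mozilla's code: a launcher that percent-encodes spaces and double-quotes before hand-off, next to a model of what the external handler sees when it does not. The handler template `mailer.exe "%1"`, the sample `mailto:` link and the use of `shlex` as a stand-in for the platform's command-line parser are assumptions for the demo.

```python
"""Added example, not Mozilla's code: percent-encode a URI before handing it
to an external protocol handler, and model how the unencoded form splits
into several arguments (the defect the article describes)."""
import shlex
from urllib.parse import quote

# RFC 3986 reserved characters plus '%' (so existing %XX escapes survive).
# Space and '"' are deliberately absent: they get percent-encoded.
_SAFE = ":/?#[]@!$&'()*+,;=%"

# A hypothetical handler registration in the Windows "%1" template style:
# the launcher substitutes the URI for %1 and the OS tokenizes the result.
HANDLER_TEMPLATE = 'mailer.exe "%1"'


def sanitize_uri_for_handler(uri: str) -> str:
    """Encode spaces, double-quotes and control characters; refuse NUL.

    The article notes that an encoded NUL (%00) could cause the wrong
    handler to be chosen, so such URIs are rejected outright rather than
    passed on.
    """
    if "\x00" in uri or "%00" in uri.upper():
        raise ValueError("URI contains a NUL byte")
    return quote(uri, safe=_SAFE)


def argv_seen_by_handler(uri: str, template: str = HANDLER_TEMPLATE) -> list[str]:
    """Approximate the argv the handler receives after %1 substitution.

    shlex's POSIX rules stand in for the real Windows command-line parser
    (an assumption for this demo); both treat an unescaped '"' as a
    quoting delimiter and an unquoted space as an argument separator.
    """
    return shlex.split(template.replace("%1", uri))


if __name__ == "__main__":
    # Constructed sample: a mailto: link whose body carries spaces and quotes.
    raw = 'mailto:alice@example.com?body=see" the "notes'
    print(argv_seen_by_handler(raw))                            # 4 arguments
    print(argv_seen_by_handler(sanitize_uri_for_handler(raw)))  # 2 arguments
```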

The second issue is a vulnerability that could enable privilege escalation attacks. It involves add-ons that create "about:blank" windows. An attack could populate those windows in certain ways, including implicit "about:blank" document creation or the use of JavaScript URLs in a new window.

Although the patches released Tuesday should eliminate the known vulnerabilities, Mozilla also recommends the following workaround. To make mail-related links always prompt in Firefox before launching external programs, do the following:

  • Enter about:config in the location bar
  • Enter "warn-external" in the Filter: box
  • Double-click to set the mailto, news, nntp, and snews lines to "true."