Mozilla released on Tuesday an update to Firefox 2 that patches the Mozilla side of a flaw shared with Microsoft Internet Explorer.
The update, Firefox 2.0.0.6, also patches a privilege escalation vulnerability.
Current users of Firefox 2 will receive an update notice. Others can download it from the Mozilla site.
Researcher Jesper Johansson noted that Firefox did not percent-encode spaces and double-quotes in URIs (uniform resource identifiers) handed off to external programs. That means the receiving program could interpret a single URI as multiple arguments. For example, when running Firefox on Windows XP with IE7 installed, URIs for certain common protocols (such as mailto:) that contain a %00 won't necessarily launch the protocol handler registered for that scheme but will instead launch a file-handling program based on the file extension at the end of the URI. This appears to allow execution of any program installed at a known location and might be enough to exploit a system.
The second issue deals with a vulnerability that could enable privilege escalation attacks. The vulnerability involves add-ons that create "about:blank" windows. An attack could populate them in certain ways including implicit "about:blank" document creation or use of JavaScript URLs in a new window.
Although the patches released Tuesday should eliminate the known vulnerabilities, Mozilla also recommends that the following workaround be added to release 2.0.0.6. To make mail-related links always prompt in Firefox before launching external programs, do the following:
- Enter about:config in the location bar
- Enter "warn-external" in the Filter: box
- Double-click to set the mailto, news, nntp, and snews lines to "true."