
Firefox version patches two vulnerabilities

Update patches the Mozilla side of a flaw shared with Microsoft's Internet Explorer. Plus, it fixes a privilege escalation vulnerability.

Mozilla released on Tuesday an update to Firefox 2 that patches the Mozilla side of a flaw shared with Microsoft Internet Explorer.

The update, Firefox, also patches a privilege escalation vulnerability.

Current users of Firefox 2 will receive an update notice. Others can download it from the Mozilla site.

Researcher Jesper Johansson noted that Firefox did not percent-encode spaces and double-quotes in URIs (uniform resource identifiers) handed off to external programs. That means the receiving program could interpret a single URI as multiple arguments. For example, when running Firefox on Windows XP with IE7 installed, URIs for certain common protocols (such as mailto:) that contain a %00 won't necessarily launch the protocol handler registered for that scheme but will instead launch a file-handling program based on the file extension at the end of the URI. This appears to allow execution of any program installed at a known location and might be enough to exploit a system.
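The argument-splitting problem described above, as an added example that is not Mozilla's code: it models a handler registered with the hypothetical template `mailer.exe "%1"`, uses `shlex` as an approximation of command-line parsing, and treats refusing any URI containing `%00` as an assumed conservative policy.

```python
import re
import shlex

# Characters that let one URI spill into several command-line arguments:
# control characters, space, double-quote and DEL.
_UNSAFE = re.compile(r'[\x00-\x20"\x7f]')


def encode_for_handoff(uri):
    """Percent-encode a URI before it is handed to an external program.

    Raises ValueError for a raw or encoded NUL, since a handler that
    truncates at NUL may act on a different string than the one checked.
    """
    if "\x00" in uri or "%00" in uri:
        raise ValueError("NUL in URI: refusing to launch external handler")
    return _UNSAFE.sub(lambda m: "%%%02X" % ord(m.group()), uri)


def handler_argv(template, uri):
    """Substitute the URI into the handler template and split it the way
    a command-line parser would (shlex is a stand-in for that parser)."""
    return shlex.split(template.replace("%1", uri))


# Hypothetical registration for the mailto: scheme.
TEMPLATE = 'mailer.exe "%1"'

# Constructed sample: a quote and spaces inside a single mailto: URI.
SAMPLE = 'mailto:user@example.com" --constructed-flag "x y'

if __name__ == "__main__":
    # Unencoded: the quote closes the "%1" argument early.
    print(handler_argv(TEMPLATE, SAMPLE))
    # Encoded: the handler receives exactly one URI argument.
    print(handler_argv(TEMPLATE, encode_for_handoff(SAMPLE)))
    try:
        encode_for_handoff("mailto:user%00.ext")
    except ValueError as exc:
        print("rejected:", exc)
```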

The second issue deals with a vulnerability that could enable privilege escalation attacks. The vulnerability involves add-ons that create "about:blank" windows. An attack could populate them in certain ways, including implicit "about:blank" document creation or use of JavaScript URLs in a new window.

Although the patches released Tuesday should eliminate the known vulnerabilities, Mozilla also recommends that the following workaround be added to release

To make mail-related links always prompt in Firefox before launching external programs, do the following:

  • Enter about:config in the location bar
  • Enter "warn-external" in the Filter: box
  • Double-click to set the mailto, news, nntp, and snews lines to "true."