firefox 2.0.0.5 and the internet explorer security flaw

Via Window Snyder, at the Official Mozilla Security Blog.

Firefox 2.0.0.5 is now available and there is a fix for the URL protocol handling issue described here. We warned that other Windows applications may be vulnerable to this Internet Explorer issue, and on Sunday Nate McFeters, Billy Rios, and Raghav Dube posted a proof of concept that demonstrates the same attack through Internet Explorer to execute code in Trillian. Additionally, Thor Larholm says "I can still automatically launch a wide range of external applications from Internet Explorer and provide them with arbitrary command line arguments. AcroRd32.exe (Adobe Acrobat PDF Reader), aim.exe (AOL Instant Messenger), Outlook.exe, msimn.exe (Outlook Express), netmeeting.exe, HelpCtr.exe (Windows Help Center), mirc.exe, Skype.exe, wab.exe (Windows Address Book) and wmplayer.exe (Windows Media Player) - just to name a few."

This patch for Firefox prevents Firefox from accepting bad data from Internet Explorer. It does not fix the critical vulnerability in Internet Explorer. Microsoft needs to patch Internet Explorer, but at last check, they were not planning to. Mark Griesi is quoted in InfoWorld saying "We don't feel that there's an issue in IE, and therefore, there's nothing to be fixed."

Mozilla recommends using Firefox to browse the web to prevent attackers from taking advantage of this vulnerability in Internet Explorer.

I think it's worth repeating that if you're an IE user, you are still not safe. IE can still be used to exploit your machine through other programs. It's also worth noting that if you are a Firefox user, you were never at risk from this URL protocol issue in the first place because Firefox has always cleaned up URLs before handing them off to other programs -- a protection for users that Microsoft is apparently unwilling to consider.
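
The clean-up step described above, sketched as an added example (not Mozilla's code and not from the original post): a URL is percent-encoded before it is substituted into an external handler's command template, so it stays a single argument. The `handler.exe "%1"` template, the `example://` scheme, the sample URL and the simplified argument splitter are all assumptions made for the illustration.

```python
from urllib.parse import quote

# Characters allowed through unchanged: URL delimiters plus "%" so existing
# escapes survive. Double quotes, spaces, backticks, angle brackets and
# control characters are outside this set and get percent-encoded.
SAFE = ":/?#[]@!$&()*+,;=%"

# Hypothetical handler registration: the URL replaces %1 inside quotes.
TEMPLATE = 'handler.exe "%1"'

# Constructed sample: a URL carrying a double quote and spaces.
RAW_URL = 'example://host/path" --constructed-flag "x'


def clean_url(url):
    """Percent-encode everything outside SAFE before the URL leaves the browser."""
    return quote(url, safe=SAFE)


def build_command(template, url):
    """Substitute the URL into the handler's command template."""
    return template.replace("%1", url)


def split_args(cmdline):
    """Simplified splitter: whitespace separates, double quotes group.

    An approximation for illustration, not the full Windows parsing rules.
    """
    args, cur, in_quotes, started = [], "", False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append(cur)
            cur, started = "", False
        else:
            cur, started = cur + ch, True
    if started:
        args.append(cur)
    return args


if __name__ == "__main__":
    # Unescaped: the quote in the URL closes the argument early.
    print(split_args(build_command(TEMPLATE, RAW_URL)))
    # Cleaned: the handler receives the program name and exactly one URL.
    print(split_args(build_command(TEMPLATE, clean_url(RAW_URL))))
```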

reactions, thoughts, comments, etc.

I haven't found anywhere the reason for having this "firefoxurl" handler. What is it? When do you want to load Firefox from IE?