On July 10th, I posted about a security issue in URL protocol handling on Windows. In the previous example, Internet Explorer was the entry point and Firefox was the application receiving the bad data.
Over the weekend, we learned about a new scenario that identifies ways that Firefox could also be used as the entry point. While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application.
We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in 2.0.0.5. We believe that defense in depth is the best way to protect people, so we’re investigating it now.
We are working to make sure that we are giving you as much information about pressing security issues as possible. We make real-time updates as we find out new information because we are committed to an open and transparent security process.
For more information: https://bugzilla.mozilla.org/show_bug.cgi?id=389106