Mozilla patches Windows hole exposed by Firefox

On the 10th of July a patch was checked in for bug 384384, a bug that needs both Firefox and IE in order to be exploited. The command injection vulnerability affected users of Internet Explorer who browsed to a malicious page, provided that they had Firefox installed but not running. Opinions vary as to whether this was a Windows vulnerability or a Firefox one. In my opinion both had some degree of responsibility for this.

The bug only appears when using IE, and therefore it doesn’t affect users on other platforms such as Linux or Mac. The bug in the Firefox code was caused by Windows shell integration (which makes it possible for other applications to launch Firefox if it is the default browser). Basically, IE should have validated the URL before passing it to another application: any quotation marks and other special characters in the URL should have been escaped. Although Firefox was used as an example, it’s possible that other applications will be vulnerable to the same issue, and the best way to prevent this is for Microsoft to fix the underlying issue. Firefox does not escape blame, though: it should not run potentially dangerous commands from untrusted sources.
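To make the escaping point concrete, here is an added example (not code from Mozilla, Microsoft or the bug report) that models a URL being substituted into a handler's command line. The handler path, the `-url` option, the `exampleurl:` scheme and the simplified argument splitter are all assumptions made for illustration.

```python
from urllib.parse import quote

# Hypothetical handler registration: the shell substitutes the URL for %1.
HANDLER_TEMPLATE = '"C:\\Apps\\handler.exe" -url "%1"'

def split_args(cmdline):
    """Simplified model of Windows argument splitting: whitespace separates
    arguments and double quotes toggle a quoted region (no backslash rules)."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch in ' \t' and not in_quotes:
            if started:
                args.append(''.join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append(''.join(cur))
    return args

def launch_args_unescaped(url):
    """Arguments the handler sees when the caller substitutes the URL verbatim."""
    return split_args(HANDLER_TEMPLATE.replace('%1', url))

def launch_args_escaped(url):
    """Caller percent-encodes quotes, spaces and other special characters first."""
    safe = quote(url, safe=":/?&=#%@+,;~-._")
    return split_args(HANDLER_TEMPLATE.replace('%1', safe))

def handler_accepts(args):
    """Receiving-side check: exactly one -url value and nothing else."""
    return len(args) == 3 and args[1] == '-url'

# Constructed sample URL: a quotation mark followed by an extra option.
SAMPLE = 'exampleurl://page" --extra-option "value'

if __name__ == '__main__':
    for build in (launch_args_unescaped, launch_args_escaped):
        args = build(SAMPLE)
        print(build.__name__, args, 'accepted' if handler_accepts(args) else 'rejected')
```

The unescaped call yields five arguments, so text from the URL arrives as a separate option, while the escaped call keeps the whole URL inside the single `-url` value. The `handler_accepts` check stands for the receiving application's share of the fix: reject a command line that does not have the expected shape.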

Although Microsoft is claiming it is not a bug with their URL handling, the Mozilla patch was produced and checked in to the Mozilla codebase the same day as the bug was discovered. It is currently available in nightly builds for testing and will be made available to the wider public in Firefox 2.0.0.5. Hopefully Microsoft will eventually fix their side of the issue too; otherwise other applications, including future ones, may still be vulnerable to the same issue.
