IE can trigger Firefox to run "dangerous" code

Posted on 12 Jul 2007 at 11:11

A security researcher has discovered an unusual vulnerability in Internet Explorer that enables it to pass a URL to rival browser Firefox.

When installed on a PC, Firefox registers a protocol handler to deal with "firefoxurl://" URLs. But Thor Larholm found that if IE is then used to visit a webpage that tries to call a firefoxurl, IE will launch Firefox with no further prompting, passing it the URL.

This URL could be used by an attacker to make Firefox execute dangerous JavaScript code.

Firefox's developer, Mozilla, notes there is some dispute over where the fault lies: "is it IE for passing untrusted data to another application or Firefox for not validating input properly?".

Security firms are also split. SecurityFocus puts the blame on IE, Secunia fingers Firefox.

Whoever is responsible, Mozilla will include a fix in the forthcoming Firefox 2.0.0.5 update. In the meantime, Jesper Johansson has posted instructions for removing the firefoxurl handler.

As well as patching Firefox 2, Mozilla is also progressing with version 3, codenamed Gran Paradiso. The latest alpha 7 build integrates what was previously a third-party add-on aimed at better identifying fraudulent and phishing websites.

The feature dims out all the information in the URL, save the domain sub-domain, in order to provide a clearer identification of the precise origins of a website.

Of course its effectiveness relies on users actually taking notice of the content of the address bar. One, albeit controversial study, has suggested that this rarely occurs.

The first Firefox 3 beta had been scheduled for release this month, but the revised roadmap indicates that the earliest date is 18 September.

Author: Simon Aughton