Mozilla slams Microsoft for ignoring critical vulnerability
Mozilla has distributed eight patches - three of them deemed "critical" - in its latest Firefox release, as the company's chief security official chided Microsoft for failing to protect users from an Internet Explorer bug.
Among Mozilla's Tuesday fixes is a patch for a flaw that allows remote code execution when a user launches Firefox from Internet Explorer (IE).
Window Snyder, chief security official at Mozilla, said on the company’s security blog today that Microsoft should patch the issue. She also urged PC users to browse with Firefox.
"This patch prevents Firefox from accepting bad data from Internet Explorer. It does not fix the critical vulnerability in Internet Explorer. Microsoft needs to patch Internet Explorer, but at last check, they were not planning to," she said.
For exploitation, IE must call registered URL protocols without escaping quotes and pass unexpected and potentially dangerous data to the application that registers the protocol, according to Mozilla.
The "critical" vulnerability can be exploited when a user visits a malicious website in IE and clicks on a specially prepared link causing IE to invoke another program – in this case Firefox and Thunderbird – and pass the link to that application, according to Mozilla.
Mozilla noted that other Windows applications can be accessed and manipulated through this process.
A Microsoft spokesperson told SCMagazine.com today that the company has thoroughly investigated the reports and found that there is no such vulnerability in IE.
Researcher Billy Rios, said that he considers the issue a problem for both Microsoft and Mozilla.
"A few people have asked me whether I consider this an IE flaw or a Firefox flaw and the answer is both," he said. "Problems with URI handlers will not be fixed until both the browser (in this case, IE) and the registered application (in this case, Firefox) change how URI handlers are used."
The Califonia-based software provider also released a "critical" patch for a flaw that has allowed "crashes with evidence of memory corruption." Mozilla researchers said they presumed the flaw could be used to run arbitrary code on infected machines.
The third critical patch in Firefox is a fix for a privilege escalation flaw that can allow an attacker to use an element outside of a document to call an event handler.
Mozilla also patched "high" danger flaws, one allowing unauthorized access to wyciwyg:// documents and a cross-site scripting error that takes advantage of addEventLstener or setTimeout, according to Mozilla.
A "moderate" flaw in XPCNativeWrapper pollution and "low" danger flaws in file type confusion due to "%00" in a name and frame spoofing while a window is loading were also patched.