By Chris Maxcer LinuxInsider Part of the ECT News Network
07/11/07 2:00 PM PT
The latest browser war dustup pits Mozilla's Firefox against Microsoft's Internet Explorer, but this time the tiff isn't about market share. It appears that IE may undermine Firefox's security when a Net surfer clicks on malicious page links using the IE browser and Firefox also happens to be installed on the machine.
In an interesting twist on browser-based security issues, security researchers said they have found a flaw in which Microsoft's (Nasdaq: MSFT) Internet Explorer (IE) can cause Mozilla's Firefox to execute remote malicious code.
Security firm Secunia released an advisory Tuesday, ranking the flaw as highly critical. The vulnerability is confirmed on Firefox 2.0.0.4 on a fully patched version of Windows XP SP2.
How It Works
Basically, the end user must use IE to navigate to a malicious Web page and click on a link. The problem only occurs when the user also has Firefox installed -- it does nothing if Firefox isn't installed.
The link, according to Mozilla, can cause IE to invoke another Windows program -- in this case, Firefox -- via the command line and pass that program the URL from the malicious Web page. This can cause data to be passed from the malicious Web page to the second Windows program, which could allow remote code execution in Firefox, the browser's maker notes on its Mozilla Security Blog.
It may be possible to use the same method in IE to invoke action with other Windows programs, but none have yet been reported.
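The mechanism described above, as an added example (not code from the article, Mozilla or Secunia): a launcher pastes a page-supplied URL into a handler's command line, and a quote in the URL ends the URL argument early. The `viewer.exe` program, its `-url` and `-run-script` options, the `viewer://` scheme and the sample URLs are hypothetical, and the splitter is a simplified stand-in for Windows argument parsing.

```python
from urllib.parse import quote

# Hypothetical handler registration: the launcher replaces %1 with the URL.
TEMPLATE = '"C:\\Program Files\\Viewer\\viewer.exe" -url "%1"'

def split_args(cmdline):
    """Simplified Windows-style splitter: whitespace separates arguments,
    double quotes group text and are dropped (backslash rules omitted)."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch in ' \t' and not in_quotes:
            if started:
                args.append(''.join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append(''.join(cur))
    return args

def launch_naive(url):
    """Launcher side, weak: the URL goes into the template unchanged."""
    return split_args(TEMPLATE.replace('%1', url))

def launch_encoded(url):
    """Launcher side, corrected: quotes and spaces are percent-encoded first."""
    safe = quote(url, safe=":/?#[]@!$&'()*+,;=%~-._")
    return split_args(TEMPLATE.replace('%1', safe))

def handler_accepts(argv):
    """Receiving side: accept exactly one -url value and nothing else."""
    return len(argv) == 3 and argv[1] == '-url' and '"' not in argv[2]

# Constructed inputs; -run-script is a made-up option of the hypothetical viewer.
BENIGN = 'viewer://example.test/page?id=1'
CRAFTED = 'viewer://example.test/" -run-script "x'

if __name__ == '__main__':
    for name, url in (('benign', BENIGN), ('crafted', CRAFTED)):
        for fn in (launch_naive, launch_encoded):
            argv = fn(url)
            print(name, fn.__name__, argv[1:], 'accepted:', handler_accepts(argv))
```

The receiving-side check corresponds to the kind of fix a handler's vendor can ship on its own; the encoding step belongs to the program that builds the command line.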
No Immediate Fix
Mozilla and Microsoft don't have an immediate fix, but Mozilla said it will patch the problem on its end in the upcoming 2.0.0.5 release, which will prevent IE from sending Firefox malicious data. Of course, as Internet Explorer is a Microsoft program, Mozilla won't be able to fix the underlying Windows IE catalyst.
"It is important to note that if you are using Firefox to browse the Web, you are not vulnerable to this attack," Mozilla notes on its security blog, adding that the company hasn't seen any evidence of hackers actually exploiting this issue.
Browsing with Firefox solves this particular problem, but Secunia recommends a solution of simply not browsing untrusted sites with IE.
Opening the Door to Malicious Code
"The underlying issue is the number of Web sites that are hosting malicious code," Ronald O'Brien, a senior security analyst for Sophos, told LinuxInsider. "We know there are tens of thousands of Web sites that have been created that lack basic security aspects to them, and as such are readily hacked for the purpose of inserting malicious code onto them."
The likelihood that a computer can become infected sufficiently that it can be controlled remotely has increased dramatically, he noted. What O'Brien finds surprising -- and perhaps this is why there isn't a known exploit out and about in the wild yet -- is that simply getting a user to browse and click on a malicious link is usually enough to generate positive (malicious) results.