Mozilla Patches Firefox, Slams Door on IE Zero-Day Bug

By Gregg Keizer
Wed, July 18, 2007
. What's this?

Computerworld — Mozilla late Tuesday patched Firefox to fix nine bugs, including the controversial critical vulnerability that involved both the open-source Web browser and Microsoft's Internet Explorer (IE).

Firefox 2.0.0.5, which can be downloaded in versions for Windows, Mac OS X and Linux in 42 localized editions, fixes the "firefoxurl://" vulnerability that can be exploited only on systems where Firefox is installed but IE is the primary browser. For the past week, researchers have quarreled over whether Mozilla or Microsoft was responsible for the flaw and which company should patch its software.

In the security advisory, one of eight issued Tuesday that outlined the nine bugs, Mozilla again refrained from expressly putting the onus on Microsoft. But as before, it came close.

"Other Windows applications can be called in this way and also manipulated to execute malicious code," read the advisory. "This fix only prevents Firefox and Thunderbird from accepting bad data. This patch does not fix the vulnerability in Internet Explorer."

And more blunt was the single suggested workaround. "Mozilla highly recommends using Firefox to browse the Web to prevent attackers from exploiting this problem in Internet Explorer," it said.

One of the researchers who last week pinned blame on Microsoft had not changed his tune as of Tuesday. "This [Firefox patch] does not actually fix the flaw in Internet Explorer, but simply patches one of the myriads of attack vectors," said Thor Larholm, a Danish researcher who publicized the exploit. "I can definitely understand the initial reaction from Microsoft. "Most of the emphasis in the public vulnerability reports were dealing with Firefox, the '-chrome' command-line argument and how to properly escape the exploit code.

"However, I can still automatically launch a wide range of external applications from Internet Explorer and provide them with arbitrary command line arguments, [including] AcroRd32.exe (Adobe Acrobat PDF Reader), aim.exe (AOL Instant Messenger), Outlook.exe, msimn.exe (Outlook Express), netmeeting.exe, HelpCtr.exe (Windows Help Center), mirc.exe, Skype.exe, wab.exe (Windows Address Book) and wmplayer.exe (Windows Media Player), just to name a few," Larholm wrote.

Microsoft's position last week was that IE is not buggy and so wouldn't be patched. "Microsoft has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product," a spokesman said last Thursday.

Other patches put into place by 2.0.0.5 included multiple memory corruption bugs. "With enough effort...some of these could be exploited to run arbitrary code," a cross-site scripting vulnerability and a flaw that could give attackers access to the browser's cache.

Mozilla picked up the pace to push Firefox 2.0.0.5 out to users earlier than scheduled. On Monday, Mozilla developers pegged the update as a "fire drill release" because of the critical nature of the firefoxurl:// bug. At the time, July 19 was the target for 2.0.0.5's release. "But we might be able to accelerate the release," notes from a weekly status meeting read.

This is the first update to Firefox since support for the older 1.5.x line was discontinued. Earlier this month, users of that version were offered an automatic update to Firefox 2.0.0.4.

What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Don't have an account yet?
White Papers »
Mobile Middleware Strategies
Learn why a mobile development platform is critical to be able to support today's complex enterprise mobility strategies. Learn what to look for in a mobile development platform and how apply these tools whether you're developing a dedicated app for one device or multiple apps running across multiple devices.
Native & HTML5 Mobile Apps: Not an either or, but a where and when
Learn how developers are using HTML5 and native development methods to build mobile apps. Get practical insights on how these tools are being used, what's driving their usage, and how to choose the best development approach for your business.
The Evolution of Enterprise Mobile App Development
Driven by explosive growth in smartphone and tablet sales, enterprise mobility has become an essential part of business. Organizations across industries are developing internal- and external-facing mobile applications that drive revenue, build brand loyalty, strengthen communication with partners, and enhance employee productivity. Learn how keeping pace in this market requires an agile, flexible, and iterative approach to application development.
AlertBoot Case Study
When AlertBoot switched to the cloud it needed a load balancing solution that would support its migration and prevent as much downtime as possible. The company chose Riverbed® Stingray™ Traffic Manager to use while transitioning its infrastructure to an entirely virtualized environment. The move was a complete success, at one-third the cost of comparable hardware solutions.
Gilt Groupe Case Study
With over 5,000 requests per second during peak periods, online retailer Gilt Groupe could lose a large percentage of its daily profits in just 10 minutes of downtime. After choosing the Riverbed® Stingray™ Traffic Manager as its load balancing solution, visits to the site have increased thanks to improved customer satisfaction. Real-time traffic views and tracking also make it easy to strategize and plan for the future.
See Tickets Case Study
With 85 percent of its ticket sales made online, See Tickets needed a robust, secure, highly accessible website. The company chose the Riverbed® Stingray™ Traffic Manager to ensure that its site was always online and fast, even during extreme peaks in traffic. Now the company's valued customers receive optimal online service.
Webcasts »
Leverage automation today to reduce IT complexity
Date: Tuesday, June 5, 2012, 2:00 PM EDT

Whether your B2B complexity is caused by multiple technologies due to M&A, business or application specific needs or traditional under investment, the net effect is usually the same: high cost and lower productivity. Enabling business-to-business (B2B) integration using point-to-point EDI translators is usually time intensive and cost prohibitive.

Join IDC's Maureen Fleming and SAP for an insightful Webcast on the different approaches companies are taking to B2B integration and how you can ask the right questions to reassess you B2B approach.
Delivery Management -- Extending Lifecycle Management
Date: Wednesday, June 20, 2012, 1:00 PM EDT

Siloed organizations continue doing the wrong things and doing things wrong, leading to increased costs, project delays, lower quality, and time-to-market delays. Providing a collaborative platform where the whole organization can prioritize, share and manage deliveries with more transparency can help the organizations make more informed decisions at all levels, and greatly improve communications and traceability between teams. Hear from application lifecycle management experts how to increase delivery efficiency and effectiveness with a new approach to Delivery Management.
Operational Analytics - Changing the Competitive Dynamics of the Business
Date/Time: June 5, 2012, 11:00 a.m., EDT, 4:00 p.m. BST / 3:00 p.m. UTC

Please join us for this webcast, as Dr. Barry Devlin, Founder and Principal, 9sight Consulting, describes what operational analytics can do for your business and reviews an architectural approach that will enable you to make it a reality.
BMC Control-M - Single Point of Control Demo
With BMC Control-M, you schedule and manage everything - down to the very last platform and application - from one simple interface. It's the foundation of workload automation, really - the ability to run application and business processes as one. Siloed job schedulers can't do it. BMC Control-M can.
Sun Chemical Customer Success Story
Sun Chemical, the world's largest producer of printing inks and pigments, quadrupled its complex batch environment with zero extra headcount using BMC Control-M's Automated File Transfer features.
Spear Phishing and the Modern Cyber Attack
Learn how IT teams can protect against spear phishing tactics. Harry Sverdlove, chief technology officer of Bit9 offers a frank discussion about spear phishing - the most common technique used in today's advanced attacks. Learn how spear phishing works and three recommendations for IT to protect against modern threats.
Newsletter Sign-Up »

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter
  11. View all Newsletters | Privacy Policy
White Papers » All White Papers

Mobile Middleware Strategies

Native & HTML5 Mobile Apps: Not an either or, but a where and when

The Evolution of Enterprise Mobile App Development

AlertBoot Case Study

Gilt Groupe Case Study

See Tickets Case Study

STA Travel Case Study

Socialbomb Case Study

Triboo Case Study

PCI DSS Compliance with Stingray Application Firewall Module

PCI DSS Compliance with Stingray Application Firewall Module

Traffic Valuation and Prioritization with Riverbed Stingray Traffic Manager

Virtualization: Benefits, Challenges, and Solutions

Dynamic Video Collaboration in SharePoint

HP Reference Configuration for Premium OLTP

Accelerate Online Transaction Processing (OLTP) database workloads

The CFO Guide to Budgeting Software

Transition from Spreadsheet Budgets to Packaged Application

Better Cash Flow Management: Recession-Proof Your Business

Deliver Cost-Effective Business Continuity with Extreme Capacity
Sponsored Links

High performance. Delivered. Click to see Accenture's client successes

Complimentary Gartner Report on BYOD: Media Tablets & Beyond. View Now

Elevate storage agility and efficiency with HP 3PAR storage.

Choose New and slash the number of devices you manage

Customized information views & Twitter events at New Fulcrum Point

Splunk translates machine data into "aha" moments for IT and the business.

ManageEngine Desktop Central - Automate and Audit Your Desktop Management! Learn More...

Cloud Readiness Starts with Intel® Technology

Visit the Virtually There Learning Page to learn how to use virtualization to your competitive advantage.

Free: Hunter Muller's "The Transformational CIO."

Join us for an upcoming Microsoft 365 live online demo event.

Discover your easiest path to unified communications

Virtualizing Your Infrastructure Just Got Easier

Connect with global CIOs now at Enterprise CIO Forum

Click to see how Accenture has delivered high performance to clients

Connect with IT leaders redefining mobility at the Enterprise Mobile Hub

Choose New and manage one device instead of 170

Choose New for 8x the firewall and NAT performance

Check out a smart way of mobilizing your business with enterprise-ready Samsung Mobile.

Redefine your data center with HP servers.

Enhance your business with Windstream IT Solutions. Speak to someone local.

BlackBerry® Mobile Fusion. Different mobile devices. One platform.

CYBERMARYLAND | Learn Why Maryland is the Epicenter for Cybersecurity

Get Ethernet speeds from 1 Mbps to 10 Gbps - Comcast Business Class

Cognizant. Leading in Business, Application & Technology Services

Collaboration: driving better business outcomes

Gain cutting-edge insights at MIT in 2-5 day executive programs.

Resource Center
buy a link »
Ads by TechWords