IE’s unescaped URLs vulnerability also present in Firefox

Mozilla Chief Security Officer, Window Snyder, has announced that Firefox could be used as an entry point to perform certain kinds of computer attacks in the same way Internet Explorer does, as discovered a couple of weeks ago.

The attack could happen when a user accesses a malicious web site with a specially crafted URL (web address) that requires another application to handle it like irc://, mms://. firefoxurl:// is a pseudo-protocol used by Firefox for some internal processing and could also be used to perform this kind of attacks. Last week’s 2.0.0.5 update fixed this making Firefox check the passed URL before actually accessing it.

However, the source of the problem is that the passed URL is not escaped, this is special characters encoded to regular ones, by Internet Explorer in the first place. Further research proved Mozilla that Firefox doesn’t escape all URLs sent to third party applications so it could be used as an entry point as well.

Unlike Microsoft, Mozilla has admitted that it is a vulnerability in the browser side and has already fixed it during the past weekend. The patch is scheduled for release with the next set of Firefox and Thunderbird 2.0.0.6 updates.

“We make real-time updates as we find out new information because we are committed to an open and transparent security process.”, noted Window Snyder on the mishap.