Critical flaw found in Firefox 2.0.0.4


— 11:24 AM on July 10, 2007

Security research firm Secunia has uncovered a security flaw in the latest version of Firefox (2.0.0.4) that it labels "highly critical." The flaw can reportedly be exploited by malicious users in order to compromise a victim's machine. Secunia describes the flaw as follows:

The problem is that Firefox registers the "firefoxurl://" URI handler and allows invoking firefox with arbitrary command line arguments. Using e.g. the "-chrome" parameter it is possible to execute arbitrary Javascript in chrome context. This can be exploited to execute arbitrary commands e.g. when a user visits a malicious web site using Microsoft Internet Explorer.

Secunia says it confirmed the vulnerability's presence in Firefox 2.0.0.4 on Windows XP Service Pack 2, and that "other versions may also be affected." Aside from simply avoiding malicious websites, Secunia CTO Thomas Kristensen tells CNet that system administrators can get around the hole by un-registering or removing the Firefox URI handler. Neither Kristensen nor CNet provides instructions for that procedure, however.
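
One way an administrator could carry out the workaround Kristensen describes, as an added example that does not come from Secunia, CNet or Mozilla. It assumes the standard Windows convention that a URL scheme is a key under HKEY_CLASSES_ROOT carrying a "URL Protocol" value and a shell\open\command default value; the function name and backup path are hypothetical, and removing a machine-wide key needs an elevated session.

```powershell
# Added example: audit URL protocol handlers and optionally unregister one.
# Assumption: schemes live under HKEY_CLASSES_ROOT with a "URL Protocol" value
# and keep their launch command in shell\open\command (default value).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Scheme = 'firefoxurl',   # scheme named in the Secunia description
    [string]$BackupPath = "$env:TEMP\$Scheme-handler-backup.reg",  # hypothetical path
    [switch]$Unregister               # without this switch the script only reports
)

function Get-UrlProtocolHandler {
    # Return every registered URL scheme together with the command it launches.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValueNames() -contains 'URL Protocol' } |
        ForEach-Object {
            $sub = $_.OpenSubKey('shell\open\command')   # $null when absent
            $command = if ($sub) { $sub.GetValue('') } else { $null }
            [pscustomobject]@{ Scheme = $_.PSChildName; Command = $command }
        }
}

# 1. Inventory: every handler that passes the incoming URL (%1) to a program
#    is a place where a web page can influence a local command line.
$handlers = @(Get-UrlProtocolHandler)
$handlers | Where-Object { $_.Command -match '%1' } |
    Sort-Object Scheme | Format-Table -AutoSize -Wrap | Out-Host

# 2. Check the specific scheme from the advisory.
$target = $handlers | Where-Object { $_.Scheme -eq $Scheme }
if (-not $target) {
    Write-Output "No '$Scheme' handler is registered on this machine."
    return
}
Write-Output "'$Scheme' is registered and launches: $($target.Command)"

# 3. Optional removal: export the key first so the change can be reverted.
if ($Unregister -and
    $PSCmdlet.ShouldProcess("HKCR\$Scheme", 'Export and remove URL protocol handler')) {
    & reg.exe export "HKCR\$Scheme" $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; handler left in place.' }
    Remove-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$Scheme" -Recurse
    Write-Output "Removed. Restore with: reg.exe import `"$BackupPath`""
}
```

Run it with no switches to report only; add `-Unregister -WhatIf` to preview the removal before committing to it.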