Security research firm Secunia has uncovered a security flaw in the latest version of Firefox (2.0.0.4) that it labels “highly critical.” The flaw can reportedly be exploited by malicious users in order to compromise a victim’s machine. Secunia describes the flaw as follows:
The problem is that Firefox registers the “firefoxurl://” URI handler and allows invoking firefox with arbitrary command line arguments. Using e.g. the “-chrome” parameter it is possible to execute arbitrary Javascript in chrome context. This can be exploited to execute arbitrary commands e.g. when a user visits a malicious web site using Microsoft Internet Explorer.
Secunia says it confirmed the vulnerability’s presence in Firefox 2.0.0.4 on Windows XP Service Pack 2, and that “other versions may also be affected.” Aside from simply avoiding malicious websites, Secunia CTO Thomas Kristensen tells CNet that system administrators can get around the hole by un-registering or removing the Firefox URI handler. Neither Kristensen nor CNet provides instructions for that procedure, however.
