Mozilla admits Firefox is flawed just like IE
What's a 'critical vulnerability' for the goose is apparently the same for the gander
Computerworld - In a public mea culpa, Mozilla Corp.'s chief security officer acknowledged today that Firefox includes the same flaw that the company called a "critical vulnerability" in Internet Explorer during a two-week ruckus over responsibility for a Windows zero-day bug.
"Over the weekend, we learned about a new scenario that identifies ways that Firefox could also be used as the entry point," said Window Snyder of Mozilla. "While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application.
"We thought this was just a problem with IE," Snyder continued. "It turns out, it is a problem with Firefox as well."
The argument over responsibility for a flaw that involved both IE and Firefox began two weeks ago, when Danish researcher Thor Larholm argued that IE contained an input validation bug that passes potentially malicious URLs to other applications. Larholm called out Firefox's "firefoxurl://" protocol as one that IE mishandled. He staked out the position that IE was to blame, while other security experts said it was Firefox's fault.
As fingers pointed, Mozilla patched the IE-Firefox interaction bug by releasing an update, Version 126.96.36.199. Even so, Snyder and others continued to argue that IE was the problem. "Microsoft needs to patch Internet Explorer," Snyder said last Wednesday. That same day, Asa Dotzler, director of community development, contrasted what he said were the differences between Microsoft and Mozilla on the bug. "We think it's Firefox's job to ensure that users are protected from malicious Web sites when they're surfing the Web in Firefox. Apparently, Microsoft doesn't think the same for IE," Dotzler said then.
Friday, Jesper Johansson, a former Microsoft security strategist but now a security program manager at Amazon.com Inc., spelled out how Firefox was as guilty as IE of failing to validate input. In a post that leaned on the metaphor of "glass houses," Johansson showed how Firefox passes potentially malicious URLs to other applications, including the multiple-service instant messaging client Trillian. "Firefox is subject to the exact same flaw that they blame on IE. Firefox also does not escape quotes in URLs before it passes them on to protocol handlers," he said.
Snyder did not credit Johansson by name for alerting Mozilla to the Firefox bug, but she admitted that the flaw should have been spotted. "We should have caught this scenario when we fixed the related problem in 188.8.131.52," she said.
She did not specify when a patch would be issued, but one is in the works, according to an entry in Bugzilla.
Related News and Discussion:
- Hacking Firefox: The secrets of about:config
- Mozilla patches Firefox, slams door on IE zero-day
- Browser Smackdown: Firefox vs. IE vs. Opera vs. Safari
- Preston Gralla: Why Firefox has lost its mojo
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts