Mozilla patches overdue Firefox protocol handler bug

Computerworld - Mozilla Corp. on Monday patched six vulnerabilities in Firefox, including a flaw that gained notoriety because it went unfixed for most of the year.

Firefox 2.0.0.10, the ninth security update to the open-source browser this year, patched two bugs associated with the jar: uniform resource identifier (URI) protocol handler. The original flaw was reported in early February, but work on a fix languished until three weeks ago, when a U.K. researcher reported that applications that allow uploading of jar or Zip files are vulnerable to cross-site scripting attacks. Cross-site scripting vulnerabilities are most often used by identity thieves and malware authors to steal passwords or spread malicious code.

Days later, another researcher upped the ante and produced exploit that combined the jar: vulnerability with a separate bug in Google Inc.'s Gmail to let him access another user's Web e-mail address book.

"Support for the jar: URI scheme has been restricted to files served with a Content-Type header of application/java-archive or application/x-jar," the Mozilla advisory read. "Web applications that require signed pages must make sure their .jar archives are served with this Content-Type. Sites that allow users to upload binary files should make sure they do not allow these files to have one of these two MIME types."

Mozilla has patched URI protocol handler vulnerabilities several times since July. Then, Firefox and Internet Explorer backers argued over which company, Mozilla or Microsoft Corp., was responsible for making repairs. In October, Microsoft conceded that it would patch protocol handlers it registers, but maintained that third-party developers had to do their part and fix bugs in any handlers they registered. Before Microsoft got around to releasing a fix, however, Adobe System Inc. was forced to patch protocol handler flaws that were being exploited by attackers using malformed PDF files.

Firefox 2.0.0.10 also fixed a flaw that could be used to launch cross-site request forgery attacks, which inject malicious commands into legitimate Web sites. Additionally, Mozilla said it patched three unspecified memory corruption bugs that posed immediate stability problems -- in some situations they could cause the browser to crash -- and might be exploitable enough to create attack opportunities.

The new version of the browser can be downloaded from Mozilla in versions for Windows, Mac OS X and Linux. Current Firefox users should be notified of 2.0.0.10's availability in the next day or two by the browser's automatic update tool.