IE7 and Firefox share vulnerabilities

Jul 25, 2007 09:02 GMT

Mozilla is well on its way to dispelling the customer perception that its open source browser is the epitome of security. Thanks to a new perspective from Mozilla's chief security officer, Firefox no longer represents an apex of user protection; it is just as flawed as Microsoft's Internet Explorer. This is how the position of Mozilla security chief Window Snyder can be interpreted at the end of a controversial blame game between the open source foundation and the Redmond company over a critical security vulnerability affecting IE users via Firefox.

The Microsoft Internet Explorer FirefoxURL Protocol Handler Command Injection vulnerability is shared by both IE and Firefox. When initially discovered, the flaw was believed to be associated with Internet Explorer and the way that Microsoft's browser managed registered URL protocols. The vulnerability allowed an attacker to invoke Firefox and then pass the URL of a malicious webpage to the open source browser. Although Mozilla patched the security vulnerability in Firefox 2.0, it claimed that IE7 was also impacted by the critical flaw, while its own browser was not at fault.

In the meantime, Snyder has changed her tune. Following new information unearthed over the weekend, it appears that Firefox 2.0 and Internet Explorer are equally vulnerable. "Internet Explorer was the entry point and Firefox was the application receiving the bad data. We learned about a new scenario that identifies ways that Firefox could also be used as the entry point. While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application. We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in 2.0.0.5. We believe that defense in depth is the best way to protect people, so we're investigating it now," Snyder stated.