Now that's a surprise!

Jul 23, 2007 11:40 GMT  ·  By

Mozilla recommends its own open source Firefox browser over the rival Internet Explorer following the disclosure of the Microsoft Internet Explorer FirefoxURL Protocol Handler Command Injection vulnerability. The security flaw affects Internet Explorer through Firefox, as a direct result of the interaction between the two browsers when they are installed on the same system. A user who browses a malicious website with IE is exposed to remote code execution through Firefox, because the open source browser did not validate the input it received from Internet Explorer. While Microsoft's position is that Firefox is at fault, Mozilla has already released a security patch on its end, Firefox 2.0.0.5, but maintains that IE is also affected.

Mozilla even managed to come up with an interesting workaround. "Mozilla recommends using Firefox to browse the web to prevent attackers from taking advantage of this vulnerability in Internet Explorer," stated Mozilla security chief Window Snyder. "This patch for Firefox prevents Firefox from accepting bad data from Internet Explorer. It does not fix the critical vulnerability in Internet Explorer. Microsoft needs to patch Internet Explorer, but at last check, they were not planning to," Snyder added.

"Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. The vulnerability is exposed when a user browses to a malicious web page in Internet Explorer and clicks on a specially crafted link. That link causes Internet Explorer to invoke another Windows program via the command line and then pass that program the URL from the malicious webpage without escaping the quotes. Firefox and Thunderbird are among those which can be launched, and both support a '-chrome' option that could be used to run malware. Other Windows applications can be called in this way and also manipulated to execute malicious code," Mozilla informed.
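The mechanism Mozilla describes, as an added illustration that is not Mozilla's or Microsoft's code: a launcher substitutes the URL into a registered handler command without escaping quotes, so a quote in the URL ends the intended argument and the remainder becomes extra command-line switches. HANDLER_TEMPLATE and the browser path are constructed stand-ins, not a real registry value, and the two mitigations shown (percent-encoding on the launcher side, a strict argv shape check on the handler side) are models of the fix, not the actual Firefox 2.0.0.5 or IE code.

```python
# Added illustration of the unescaped-quote protocol-handler problem.
# HANDLER_TEMPLATE is a constructed stand-in for a registered URL protocol
# command; the executable path is not a real one.

def windows_argv(cmdline: str) -> list[str]:
    """Simplified CommandLineToArgvW: whitespace splits, "..." groups, \\" is a literal quote."""
    args, cur, in_quotes, i = [], "", False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and cmdline[i + 1 : i + 2] == '"':
            cur += '"'          # escaped quote does not toggle quoting
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c.isspace() and not in_quotes:
            if cur:
                args.append(cur)
                cur = ""
        else:
            cur += c
        i += 1
    if cur:
        args.append(cur)
    return args

HANDLER_TEMPLATE = r'"C:\Program Files\Browser\browser.exe" -url "%1"'  # constructed

def vulnerable_launch(url: str) -> list[str]:
    """Launcher side as the page describes IE: the URL is substituted verbatim, quotes and all,
    so a quote inside it closes the -url argument and the rest is parsed as new switches."""
    return windows_argv(HANDLER_TEMPLATE.replace("%1", url))

def hardened_launch(url: str) -> list[str]:
    """Launcher-side mitigation (assumed model): percent-encode every character that could
    end the quoted argument before it is substituted into the command template."""
    safe = url.replace("%", "%25").replace("\\", "%5C").replace('"', "%22")
    return windows_argv(HANDLER_TEMPLATE.replace("%1", safe))

def handler_accepts(argv: list[str]) -> bool:
    """Handler-side check (assumed model of a Firefox-style fix, not its actual code): accept
    only the exact shape  <exe> -url <one URL>  and refuse any extra or unexpected switch."""
    return len(argv) == 3 and argv[1] == "-url" and not argv[2].startswith("-")
```

With the constructed URL `http://example.test/" -extra "x`, vulnerable_launch yields five argv tokens (the handler sees an injected `-extra` switch), while hardened_launch keeps it as one URL and handler_accepts rejects the injected form either way.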

Meanwhile, Microsoft offered a different perspective, stating that IE is safe. Still, users of IE7 on Windows Vista who also have Firefox 2.0 installed should immediately apply the 2.0.0.5 security update, as exploits will circumvent IE7's Protected Mode and completely compromise Vista.