Bug to cause data leakage

Aug 16, 2007 20:06 GMT

Some browsers can be manipulated into giving out information from the computer or, worse, if properly exploited by a hacker, into letting him run malicious software on the target's machine.

Security specialists have stated that the exploits will affect users who have Firefox installed on their PC, and that attacks can arise from the way browsers interact with each other. One serious security flaw has been discovered in the interaction between Internet Explorer and Mozilla's browser. But that is not all. IE, which sometimes fails to filter data correctly, can cause problems in combination with Netscape Navigator and Trillian as well.

Security expert Billy Rios says this is "just the tip of the iceberg", since there are many more URI (Uniform Resource Identifier) related issues than the ones Internet Explorer has, and many more browsers have problems with "sanitizing parameters passed to URI handlers". In other words, the computer does not double-check whether the command it is given comes from an outside user who wants to harm the PC.

As Network World reports, many security researchers who have looked at this problem state that a bug in the interaction between Firefox and Internet Explorer could leave the computer at the attacker's mercy. As Thor Larholm explained, Firefox registers its own protocol handler, called FirefoxURL. When Internet Explorer encounters a link that refers to FirefoxURL, it ends up passing the whole request URI to the handler with zero input validation. He also explained that the request can specify any arguments to the Firefox .exe file, and by exploiting this feature one could add JavaScript code and then have it executed with the privileges of trusted content. This method may seem hard for a normal user to think of or comprehend; it can't be too difficult for hackers, though.
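The missing validation Larholm describes, sketched from the defender's side as an added Python example (not code from the article, Firefox or Internet Explorer): it shows why an unchecked URI dropped into a quoted handler template can stop being a single argument, and a check that rejects such input. The handler template, executable path, `-url` switch and sample URIs are constructed for illustration; `firefoxurl` as the scheme string is an assumption based on the handler name above.

```python
import re
import subprocess

# Constructed handler template of the kind registered for a URL protocol:
# the caller's URI is substituted for %1 inside double quotes.
TEMPLATE = '"C:\\Program Files\\Browser\\browser.exe" -url "%1"'

# Characters RFC 3986 permits in a URI (unreserved, reserved, "%").
# A raw double quote, space or backslash is not among them.
_URI_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")
_BAD_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")

BENIGN = "firefoxurl://example.test/page?id=1"        # constructed sample
HOSTILE = 'firefoxurl://x" -hypothetical-switch "y'   # constructed sample

def naive_command_line(uri):
    """Unchecked substitution: the behaviour the article describes."""
    return TEMPLATE.replace("%1", uri)

def breaks_out_of_quotes(uri):
    """True if the URI adds double quotes, ending the "%1" quoting early."""
    return naive_command_line(uri).count('"') != TEMPLATE.count('"')

def uri_is_safe(uri, scheme):
    """Accept only the expected scheme and RFC 3986 characters."""
    if not uri.lower().startswith(scheme.lower() + ":"):
        return False
    if not _URI_CHARS.fullmatch(uri):
        return False
    return _BAD_PERCENT.search(uri) is None

def safe_command_line(exe, uri, scheme):
    """Validate first, then let list2cmdline do the Windows quoting."""
    if not uri_is_safe(uri, scheme):
        raise ValueError("URI rejected before reaching the handler")
    return subprocess.list2cmdline([exe, "-url", uri])

if __name__ == "__main__":
    for sample in (BENIGN, HOSTILE):
        print(repr(sample), "safe" if uri_is_safe(sample, "firefoxurl") else "rejected")
```

A launcher that percent-decodes the URI before building the command line has to run the same check on the decoded form.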

Bugs in the handling of Uniform Resource Identifiers, otherwise known as URIs, are pretty nasty, since Windows uses them to launch programs. Once this mechanism has been subverted, a hacker may easily use it to steal information from one's computer.