When You Mix Firefox And IE, You Risk A Critical Zero-Day Flaw
Researchers have differing views of whether Microsoft or Mozilla is responsible for a zero-day that needs both browsers to be installed to cause a problem.
Mozilla is working on a patch for a "highly critical" security flaw that's affecting both Firefox and Microsoft's Internet Explorer.
While there's been online disagreement about whether Microsoft or Mozilla is responsible for the problem, Window Snyder, who has the unusual title of "chief security something-or-other at Mozilla," said in a blog post that they will be taking care of the issue. "Mozilla believes in defense in depth and will be patching Firefox in the upcoming 2.0.0.5 release to mitigate the problem," she wrote. "This will prevent IE from sending Firefox malicious data."
Security researcher Thor Larholm calls the vulnerability an input validation flaw in Internet Explorer, adding that it's the same type of bug that he had earlier found in Apple's Safari 3 beta. He explained in his blog that when Firefox is installed, it registers a URL protocol handler. When IE encounters a reference to content inside the FirefoxURL URL scheme, it calls ShellExecute with the EXE image path and passes the entire request URL without any input validation.
That means if someone using IE visits a Web page that tries to call a Firefox URL, the Microsoft browser will launch Firefox with no other prompting, passing it the URL. Neither browser, according to Mozilla, sanitizes the URL, which would allow an attacker to make Firefox execute malicious JavaScript code. The user would have to visit a maliciously crafted Web page or open a malicious e-mail. User interaction is required.
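The missing input validation described above can be modeled in a few lines. This is an added example, not code from Mozilla, Microsoft or the researchers quoted: the handler template, the program path, the `-constructed-flag` argument and the URLs are all constructed, and the argument splitter is a simplified stand-in for real Windows command-line parsing.

```python
"""Added example: simplified model of a URL protocol handler launch.
The handler template, path and URLs are constructed, not taken from any product."""
from urllib.parse import quote

# Hypothetical registration: the launcher substitutes the request URL for %1.
HANDLER_TEMPLATE = '"C:\\Apps\\browser.exe" -url "%1"'
EXPECTED_ARGC = 3  # program, -url, the URL

def split_args(cmdline):
    """Split a command line: whitespace separates arguments, double quotes
    group them. Simplified; real Windows parsing also has backslash rules."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def argv_unvalidated(url):
    """Behaviour described in the article: the URL is passed through as-is."""
    return split_args(HANDLER_TEMPLATE.replace("%1", url))

def argv_validated(url):
    """Percent-encode anything that is not a legal URL character (notably the
    double quote and whitespace) before substitution, then verify the shape."""
    encoded = quote(url, safe=":/?#[]@!$&'()*+,;=%")
    argv = split_args(HANDLER_TEMPLATE.replace("%1", encoded))
    if len(argv) != EXPECTED_ARGC:
        raise ValueError("URL changed the handler's argument list")
    return argv

def injected_args(url):
    """Arguments beyond the expected three; non-empty means the URL escaped."""
    return argv_unvalidated(url)[EXPECTED_ARGC:]

if __name__ == "__main__":
    crafted = 'FirefoxURL://example.test/" -constructed-flag "x'  # constructed
    print(injected_args(crafted))
    print(argv_validated(crafted))
```

The same shape check (does the launched process receive exactly the arguments the registration intended?) applies to any application that registers a URL protocol handler.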
Security researchers at Secunia are calling the flaw a "highly critical" vulnerability in Firefox. And researchers at SecurityFocus call it a Microsoft Internet Explorer FirefoxURL Protocol Handler Command Injection Vulnerability.
In an e-mail to information, a Microsoft spokesman wrote, "Microsoft has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product."
Snyder noted in her blog that using Firefox alone does not cause the problem. "It is important to note that if you are using Firefox to browse the Web, you are not vulnerable to this attack," she said. "While we have seen no evidence of attackers exploiting this issue, there is proof of concept code available publicly. So we recommend that people use Firefox and as always take care when browsing unknown Web sites."
Swa Frantzen, a handler at the Internet Storm Center, simply warns users and IT administrators that an IE user working on a machine that has Firefox installed on it is at risk. A workaround is to remove the URL handlers that Firefox installs in the registry.
"This, however, goes to show that even unused but installed client programs might be a threat on your client system," wrote Frantzen in his blog. "Hence, you need to take care of vulnerabilities in software that you don't even use."