Mozilla Firefox 2.0.0.5 Released with Fix for firefoxurl:// Exploit

Wednesday July 18th, 2007

Mozilla Firefox 2.0.0.5 has been released and is currently being distributed to Firefox 2 users via the application's built-in software update system. The browser upgrade fixes several security bugs, which are detailed in the Firefox 2.0.0.5 section of the Mozilla Foundation Security Advisories page.

Firefox 2.0.0.5 includes a fix for the firefoxurl:// security exploit, which allows an attacker to use Microsoft Internet Explorer to trick Firefox into executing malicious code. Whether Firefox or IE is responsible for the flaw has been a matter of debate over the past week. The Mozilla Foundation security advisory about the firefoxurl:// issue maintains that it's a problem in IE and notes that other applications could be exploited in the same way. Others have argued that it's Firefox's responsibility to vet incoming data (something 2.0.0.5 now does).

Firefox 2.0.0.5 can be downloaded from the Firefox product page. The Firefox 2.0.0.5 Release Notes contain more general information about the upgrade. A similar update for Mozilla Thunderbird is expected shortly.

#1 Clarification on the "argument"

by schapel

Wednesday July 18th, 2007 6:12 AM

Just to clear the blame game up once and for all, both IE and Firefox are to blame. According to Thor Larholm:

"Internet Explorer and Firefox are both to blame. Firefox could have registered their URL protocol handler differently, for example with pure DDE, but IE is still to blame for not escaping ” (quote) characters."

<http://blogs.zdnet.com/security/?p=362>

#12 Re: Clarification on the "argument"

by FattMattP

Friday July 20th, 2007 10:22 AM

Well, at least one of them is now fixed. :-)

#2 MFSA 2007-24

by AlexBishop

Wednesday July 18th, 2007 6:19 AM

MFSA 2007-24 at http://www.mozilla.org/security/announce/2007/mfsa2007-24.html is amusing. It starts off with a standard description of the problem, then segues into a a thoroughly post-modern discussion about the severity:

"Dan says: 'stealing sensitive data' should be sg:high (possibly lowered to sg:moderate if it's a completely unreliable attack, involves unlikely user interaction, or not really any potential victim sites matching the criteria. There are enough ajaxy sites potentially vulnerable to stick with 'high') Boris, which is it? Can you massage this description into just the cases we know about?"

Alex

#3 MSIE Bug

by HwC

Wednesday July 18th, 2007 7:20 AM

Good for Firefox! It doesn't matter who's at fault. If it harms Fx users, Fx should fix it and let M$ squabble and point fingers and look like idiots. If it only happens when Fx is installed on system, I assume people are running both browsers, side-by-side as a test. It's good to make Fx look best and most concerned with their users' safety and protection.

#4 I agree

by EyesOnly

Wednesday July 18th, 2007 10:38 AM

I agree with HwC in what he said above. The fact that Mozilla fixed this First and Foremost kind of leaves M$ sitting there now with egg on their faces showing the world just how much, and how serious they are, about their client's/user's security.

BRAVO Mozilla! Two thumbs up for yet another job well done!

Amicalement,

Eyes-Only/L'Peau-Rouge

#5 x86_64 Linux version ?

by mhenriday

Wednesday July 18th, 2007 12:01 PM

I fully agree - Mozilla has acquited itself very well indeed in this incident - much better (to, I suspect, no one's surprise) than Microsoft. But one question : is there a native x86_64 version for Linux, or are we going to have to force the architecture to conform to 32-bit standards, as in so many other applications ?...

Henri

#8 Re: x86_64 Linux version ?

by Aaron44126

Thursday July 19th, 2007 10:40 AM

There is no official x86_64 version for Linux directly from Mozilla (never has been). You can build it yourself if you like, I believe there are instructions for this floating around the internet.

Typically, if you have an x86_64 Linux distro, an x86_64 version of Firefox is provided by the people behind it and updates are delivered through the distro's online package system. (This is how it is in Fedora anyway, which I use from time to time.)

#6 What is the status of Thunderbird ?

by bjherbison

Wednesday July 18th, 2007 5:07 PM

The US-CERT says there's also a Thunderbird 2.0.0.5. http://www.us-cert.gov/cas/techalerts/TA07-199A.html B.J.

#10 Re: What is the status of Thunderbird ?

by bjherbison

Friday July 20th, 2007 1:23 AM

To answer my own question, a Thunderbird update is now available. B.J.

#7 Useless to blame anyone

by Kurtis

Wednesday July 18th, 2007 5:48 PM

As I stated in the other topic, I launched the proof of concept from SeaMonkey, a fellow Gecko application, not Internet Explorer. I don't see why IE should be blamed when it's not the only one that is vulnerable of executing the exploit. In any case, it's just good that it's fixed now. I don't really care who is at fault, just that there's an official fix for the problem.

#9 Mozilla Firefox, Portable Edition 2.0.0.5 Released

by CritterNYC

Thursday July 19th, 2007 12:46 PM

The portable version of Firefox that runs from USB flash drives, iPods, portable hard drives, etc has been updated to 2.0.0.5 as well: http://portableapps.com/news/2007-07-18_-_firefox_portable_2.0.0.5

#11 Two Questions

by DERoss

Friday July 20th, 2007 9:28 AM

1. With all the public disclosures about the vulnerability, why is access to bug #384384 still restricted? Try viewing https://bugzilla.mozilla.org/show_bug.cgi?id=384384

2. What purposes do the firefoxURL and firefoxHTML protocols serve? I have seen comments that the protocols are for interfacing with Windows Vista but no specifics.

#13 I use SuSE Linux...so I dont need this release ;)

by Caetck

Thursday July 26th, 2007 5:06 PM

I use SuSE Linux...so I dont need this release ;) Thank goodness for that! ~Amber~