MozillaZine

Mozilla Firefox 2.0.0.5 Released with Fix for firefoxurl:// Exploit

Wednesday July 18th, 2007

Mozilla Firefox 2.0.0.5 has been released and is currently being distributed to Firefox 2 users via the application's built-in software update system. The browser upgrade fixes several security bugs, which are detailed in the Firefox 2.0.0.5 section of the Mozilla Foundation Security Advisories page.

Firefox 2.0.0.5 includes a fix for the firefoxurl:// security exploit, which allows an attacker to use Microsoft Internet Explorer to trick Firefox into executing malicious code. Whether Firefox or IE is responsible for the flaw has been a matter of debate over the past week. The Mozilla Foundation security advisory about the firefoxurl:// issue maintains that it's a problem in IE and notes that other applications could be exploited in the same way. Others have argued that it's Firefox's responsibility to vet incoming data (something 2.0.0.5 now does).

Firefox 2.0.0.5 can be downloaded from the Firefox product page. The Firefox 2.0.0.5 Release Notes contain more general information about the upgrade. A similar update for Mozilla Thunderbird is expected shortly.


#1 Clarification on the "argument"

by schapel

Wednesday July 18th, 2007 6:12 AM

Reply to this message

Just to clear the blame game up once and for all, both IE and Firefox are to blame. According to Thor Larholm:

"Internet Explorer and Firefox are both to blame. Firefox could have registered their URL protocol handler differently, for example with pure DDE, but IE is still to blame for not escaping (quote) characters."

<<http://blogs.zdnet.com/security/?p=362>>

#12 Re: Clarification on the "argument"

by FattMattP

Friday July 20th, 2007 10:22 AM

Reply to this message

Well, at least one of them is now fixed. :-)

#2 MFSA 2007-24

by AlexBishop <alex@mozillazine.org>

Wednesday July 18th, 2007 6:19 AM

Reply to this message

MFSA 2007-24 at <http://www.mozilla.org/se…nce/2007/mfsa2007-24.html> is amusing. It starts off with a standard description of the problem, then segues into a a thoroughly post-modern discussion about the severity:

"Dan says: 'stealing sensitive data' should be sg:high (possibly lowered to sg:moderate if it's a completely unreliable attack, involves unlikely user interaction, or not really any potential victim sites matching the criteria. There are enough ajaxy sites potentially vulnerable to stick with 'high') Boris, which is it? Can you massage this description into just the cases we know about?"

Alex

#3 MSIE Bug

by HwC

Wednesday July 18th, 2007 7:20 AM

Reply to this message

Good for Firefox! It doesn't matter who's at fault. If it harms Fx users, Fx should fix it and let M$ squabble and point fingers and look like idiots. If it only happens when Fx is installed on system, I assume people are running both browsers, side-by-side as a test. It's good to make Fx look best and most concerned with their users' safety and protection.

#4 I agree

by EyesOnly

Wednesday July 18th, 2007 10:38 AM

Reply to this message

I agree with HwC in what he said above. The fact that Mozilla fixed this First and Foremost kind of leaves M$ sitting there now with egg on their faces showing the world just how much, and how serious they are, about their client's/user's security.

BRAVO Mozilla! Two thumbs up for yet another job well done!

Amicalement,

Eyes-Only/L'Peau-Rouge

#5 x86_64 Linux version ?

by mhenriday <mhenriday@gmail.com>

Wednesday July 18th, 2007 12:01 PM

Reply to this message

I fully agree - Mozilla has acquited itself very well indeed in this incident - much better (to, I suspect, no one's surprise) than Microsoft. But one question : is there a native x86_64 version for Linux, or are we going to have to force the architecture to conform to 32-bit standards, as in so many other applications ?...

Henri

#8 Re: x86_64 Linux version ?

by Aaron44126

Thursday July 19th, 2007 10:40 AM

Reply to this message

There is no official x86_64 version for Linux directly from Mozilla (never has been). You can build it yourself if you like, I believe there are instructions for this floating around the internet.

Typically, if you have an x86_64 Linux distro, an x86_64 version of Firefox is provided by the people behind it and updates are delivered through the distro's online package system. (This is how it is in Fedora anyway, which I use from time to time.)

#6 What is the status of Thunderbird ?

by bjherbison <bj@herbison.com>

Wednesday July 18th, 2007 5:07 PM

Reply to this message

The US-CERT says there's also a Thunderbird 2.0.0.5. <http://www.us-cert.gov/ca…techalerts/TA07-199A.html> B.J.

#10 Re: What is the status of Thunderbird ?

by bjherbison <bj@herbison.com>

Friday July 20th, 2007 1:23 AM

Reply to this message

To answer my own question, a Thunderbird update is now available. B.J.

#7 Useless to blame anyone

by Kurtis

Wednesday July 18th, 2007 5:48 PM

Reply to this message

As I stated in the other topic, I launched the proof of concept from SeaMonkey, a fellow Gecko application, not Internet Explorer. I don't see why IE should be blamed when it's not the only one that is vulnerable of executing the exploit. In any case, it's just good that it's fixed now. I don't really care who is at fault, just that there's an official fix for the problem.

#9 Mozilla Firefox, Portable Edition 2.0.0.5 Released

by CritterNYC

Thursday July 19th, 2007 12:46 PM

Reply to this message

The portable version of Firefox that runs from USB flash drives, iPods, portable hard drives, etc has been updated to 2.0.0.5 as well: <http://portableapps.com/n…_firefox_portable_2.0.0.5>

#11 Two Questions

by DERoss

Friday July 20th, 2007 9:28 AM

Reply to this message

1. With all the public disclosures about the vulnerability, why is access to bug #384384 still restricted? Try viewing <https://bugzilla.mozilla.…rg/show_bug.cgi?id=384384>

2. What purposes do the firefoxURL and firefoxHTML protocols serve? I have seen comments that the protocols are for interfacing with Windows Vista but no specifics.

#13 I use SuSE Linux...so I dont need this release ;)

by Caetck

Thursday July 26th, 2007 5:06 PM

Reply to this message

I use SuSE Linux...so I dont need this release ;) Thank goodness for that! ~Amber~

#15 chat

by sohbetoda <benasimavi@mynet.com>

Thursday January 29th, 2009 12:10 PM

Reply to this message

very good work.thank you <http://www.sevgibagi.net>