MozillaZine

Mozilla Firefox 2.0.0.5 Released with Fix for firefoxurl:// Exploit

Wednesday July 18th, 2007

Mozilla Firefox 2.0.0.5 has been released and is currently being distributed to Firefox 2 users via the application's built-in software update system. The browser upgrade fixes several security bugs, which are detailed in the Firefox 2.0.0.5 section of the Mozilla Foundation Security Advisories page.

Firefox 2.0.0.5 includes a fix for the firefoxurl:// security exploit, which allows an attacker to use Microsoft Internet Explorer to trick Firefox into executing malicious code. Whether Firefox or IE is responsible for the flaw has been a matter of debate over the past week. The Mozilla Foundation security advisory about the firefoxurl:// issue maintains that it's a problem in IE and notes that other applications could be exploited in the same way. Others have argued that it's Firefox's responsibility to vet incoming data (something 2.0.0.5 now does).

Firefox 2.0.0.5 can be downloaded from the Firefox product page. The Firefox 2.0.0.5 Release Notes contain more general information about the upgrade. A similar update for Mozilla Thunderbird is expected shortly.


#2 MFSA 2007-24

by AlexBishop <alex@mozillazine.org>

Wednesday July 18th, 2007 6:19 AM

You are replying to this message

MFSA 2007-24 at <http://www.mozilla.org/se…nce/2007/mfsa2007-24.html> is amusing. It starts off with a standard description of the problem, then segues into a a thoroughly post-modern discussion about the severity:

"Dan says: 'stealing sensitive data' should be sg:high (possibly lowered to sg:moderate if it's a completely unreliable attack, involves unlikely user interaction, or not really any potential victim sites matching the criteria. There are enough ajaxy sites potentially vulnerable to stick with 'high') Boris, which is it? Can you massage this description into just the cases we know about?"

Alex