MozillaZine

Mozilla Firefox 2.0.0.6 Released

Tuesday July 31st, 2007

Mozilla Firefox 2.0.0.6 has been released. This browser upgrade fixes two security flaws, which are detailed in the Firefox 2.0.0.6 section of the Mozilla Foundation Security Advisories page.

The more serious flaw involves Firefox not percent-encoding spaces and double quotes in URLs passed to helper applications, which can allow malicious webpages to open programs with potentially dangerous command line parameters. The other vulnerability is a privilege elevation bug involving extensions, which was accidentally introduced in Firefox 2.0.0.5.

The URL protocol handling flaw is a similar class of exploit to the firefoxurl:// URL vulnerability, which was fixed with the release of Firefox 2.0.0.5. In the original firefoxurl:// exploit, an attacker could use Microsoft Internet Explorer to launch Firefox with malicious command line parameters. In the flaw fixed in Firefox 2.0.0.6, Firefox is used as the attack vector to start other applications with dangerous arguments. The exploit could be extended to execute any program in a known location, possibly passing dangerous command line parameters.
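An added illustration (not code from Mozilla or from this article) of why unencoded spaces and double quotes matter when a URL is substituted into a helper application's quoted command line. The helper path, the command template, the sample URL and the simplified argument splitter are all assumptions made for the example.

```javascript
// Simplified model of a browser handing a URL to a helper application through
// a registered command template of the form: "helper.exe" "%1".
// HELPER_TEMPLATE and SAMPLE_URL are constructed placeholders.
const HELPER_TEMPLATE = '"C:\\Program Files\\Helper\\helper.exe" "%1"';

// Simplified quote-aware splitter (assumption: double quotes toggle quoting and
// whitespace separates arguments outside quotes; real Windows parsing has more rules).
function splitArgs(cmdline) {
  const args = [];
  let current = '';
  let inQuotes = false;
  let started = false;
  for (const ch of cmdline) {
    if (ch === '"') {
      inQuotes = !inQuotes;
      started = true;
    } else if (/\s/.test(ch) && !inQuotes) {
      if (started) { args.push(current); current = ''; started = false; }
    } else {
      current += ch;
      started = true;
    }
  }
  if (started) args.push(current);
  return args;
}

// The fix described above: percent-encode spaces and double quotes before hand-off.
function encodeForHelper(url) {
  return url.replace(/[ "]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
}

// Returns the argument vector the helper would receive for a given URL.
function launchArgs(url, encode) {
  const value = encode ? encodeForHelper(url) : url;
  // Function replacer so "$" sequences in the URL are not interpreted by replace().
  return splitArgs(HELPER_TEMPLATE.replace('%1', () => value));
}

// Constructed URL containing a raw double quote and spaces.
const SAMPLE_URL = 'mailto:user@example.test" --constructed-flag "x';

console.log(launchArgs(SAMPLE_URL, false)); // URL spills into extra arguments
console.log(launchArgs(SAMPLE_URL, true));  // URL stays a single argument
```

Without encoding, the quote in the URL closes the template's own quoting and the remainder is parsed as separate arguments; with encoding, the helper receives the program path plus exactly one URL argument.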

Whether or not it's Firefox's responsibility to ensure that data passed to external applications is (relatively) safe is a matter for debate. When the original firefoxurl:// URL vulnerability was discovered, Microsoft claimed that IE was not at fault. However, as Mozilla maintained at the time that the blame lay with IE, it would have been hypocritical not to fix the similar issue in Firefox. The Mozilla Security Blog post about the URL protocol handling flaw states that "defense in depth is the best way to protect people" (although that weblog post says that only Windows is affected, discussion in bug 389106 indicates that Linux and Mac OS X may also be vulnerable).

Firefox prompts the user before launching most helper applications and shows the command line parameters, so users of vulnerable versions would receive some warning of an attack (though only the savvy are likely to be knowledgeable enough to distinguish between safe and malicious command lines). However, some protocols related to email and newsgroups (specifically, mailto, news, nntp and snews) do not prompt the user before launching an external application, so vulnerable mail and newsgroups applications could be exploited with minimal user intervention (Thunderbird 2.0.0.4 and earlier is one such application, due to its variant of the firefoxurl:// problem).

More details about Firefox 2.0.0.6 can be found in the Firefox 2.0.0.6 Release Notes. The new version can be downloaded from the Firefox 2.0.0.6 product page. Existing Firefox 2 users with the software update feature enabled (it's on by default) will be prompted to upgrade. Equivalent releases of Thunderbird (both 2 and 1.5) and SeaMonkey are expected soon.


#1 not really the reason

by asa <asa@mozilla.org>

Tuesday July 31st, 2007 1:52 PM

You said, "as Mozilla maintained at the time that the blame lay with IE, it would have been hypocritical not to fix the similar issue in Firefox."

I'd just like to point out that at the time we were calling on IE to fix this in their code, it was assumed (wrongly) that we had in the past suffered from this same problem and fixed it in our code. Our reason for fixing it then was not to avoid the appearance of hypocrisy, but because it's the right thing to do to protect users. Your phrasing suggests that you think Mozilla was somehow pressured by concerns over maintaining appearances or something like that and I just wanted to make it clear that was not the case.

- A

#2 Re: not really the reason

by roseman

Tuesday July 31st, 2007 6:57 PM

does US-CERT now think this was more of a ms-Windows issue, in light of: <http://www.us-cert.gov/cu…ows_uri_protocol_handling>

"Microsoft Windows URI Protocol Handling Vulnerability"

?

#3 Re: not really the reason

by roseman

Tuesday July 31st, 2007 6:59 PM

sorry, left out one US-CERT Knowledge-Base (KB) link: <http://www.kb.cert.org/vuls/id/403150>

entitled: "Vulnerability Note VU#403150 Microsoft Windows URI protocol handling vulnerability"

(sorry, meant to include this link in last reply)

#4 The vital issue here

by mhenriday <mhenriday@gmail.com>

Wednesday August 1st, 2007 9:49 AM

is user protection, not spin and blame games. Thus, to the extent that she is correct in stating that «[o]ur reason for fixing it then was not to avoid the appearance of hypocrisy, but because it's the right thing to do to protect users», asa certainly has got her priorities right, as does Mozilla. Keep up the good work - it's highly appreciated !...

Henri

#5 Re: The vital name here

by roseman

Wednesday August 1st, 2007 10:35 AM

pssst, (i think Asa is actually a "he", not a "she").

<http://en.wikipedia.org/wiki/Asa_Dotzler>

don't worry, i was thrown by the letter "a" at the end of the name once as well :(

#6 That "she" is ;)

by EyesOnly

Friday August 3rd, 2007 2:40 PM

Yes, rest assured that Asa is very much so a "male of the species". ;) English names and nicknames, unlike those of so many other languages (like my native Akadien-French for example) don't necessarily denote gender by vowel endings. It's even difficult to tell by names themselves as in some parts of the English-speaking world "Shirley" is solely a woman's name whereas in some parts of the Southwestern USA it's a man's name, as well as "Marion", etc. Makes for interesting study.

Amicalement,

Eyes-Only/"L'Peau-Rouge"

#7 Firefox Major Version

by mike_thc

Monday October 15th, 2007 2:44 AM

Hi everyone, do you have any rumors when the next major version of Firefox will be? I am waiting for a Firefox version targeted at Windows Vista. I use it in my web development because it is faster than Internet Explorer. Thanks.

#8 Love hate with firefox

by Orro

Tuesday October 16th, 2007 9:01 PM

I love the way Firefox windows can segregate tabs and keep everything neat. I hate though how activity on one window will kick you out of your current window. INCREDIBLY annoying. What's worse is my Firefox has started to crash when using chat programs. Now I have to use IE for those. THAT sucks.

Orro <http://www.dragonlasers.com>

#9 Re: Love hate with firefox

by boyankir <boyankir@gmail.com>

Wednesday October 29th, 2008 7:37 AM

Thanks for your great effort. I believe Firefox will beat IE in the near future.

<http://www.laserto.com>