
Firefox critical security vulnerability


Security firm Secunia issued an alert today that open-source browser Firefox has a highly critical security vulnerability.

Like the zero-day exploit of Safari for Windows noted last month and also discussed at MacOSXHints, the breach involves a 'URL handler', a mechanism that lets a browser be extended with new features or have existing features modified. Early reports laid it at the feet of IE, but according to sources the bug is within Firefox.

Secunia recommends:

Do not browse untrusted sites.

Disable the "Firefox URL" URL handler.

No solution for any system has yet been published in the Mozilla Foundation Security Advisories.

How will you handle this? Join the discussion.

7 comments
jlavellx

I shouldn't have to work for my OS, the operating system should work for me! And I agree, dangerous to rely on one operating system, it's been proven time & time again! Linux is the way my friend!

TechExec2

I'm with Neil Higgins on this. My workstation runs Firefox 2 on Linux. I tested the "demo" of this vulnerability. My system was not affected. I get the following message: "...Firefox doesn't know how to open this address, because the protocol (firefoxurl) isn't associated with any program..." I have been much less concerned about malware ever since I switched to Linux a few months ago. Today is just another great day unaffected by Windows malware...

K7AAY

Will you a) avoid unknown web sites b) troll through the Registry c) search forums for a fix procedure, or d) wait for Mozilla to release a fix?

NOW LEFT TR

"Then one day a lawman came with powers of hawk, wolf, puma, and bear" Get my drift? Mind you I use a VMWare browser setup so I have no worries on XP SP2 either.

grax

Whilst the advice given earlier (Linux) is well taken, the discussion seems to have been prematurely deflected (as so often happens!). So, returning to the original question;

"a) avoid unknown web sites" I won't be doing that because I'm not sure whether a web site is "unknown" or not. In fact, this is a nonsense so forget "a".

"b) troll through the Registry" Didn't he mean "trawl"? A Troll is something else. (You could argue that it's what I'm being now, but do read on.)

"c) search forums for a fix procedure" Now that is a more positive idea but may take us to "unknown" web sites and usually ends up in time wasted because of deflected discussions.

The point of the original post was to start a discussion by flagging a warning. That's fair enough but, too often, it's counter-productive. A waste of time and bandwidth. I have concerns about these sorts of warnings. For instance: did they tell Mozilla before going public? Too often they don't and simply create a loaded gun for the bad guys. Of course, Secunia do offer an "Extended Solution" - but only if you're a paying customer. So, a Win-Win for Secunia! Also, the publicly proposed "cure" is not satisfactory, nor is it complete.

I discovered, from other sources (http://www.xs-sniper.com/sniperscope/IE-Pwns-Firefox.html) that installing the Add-On NoScript solves the problem. I've been using this for some time anyway. Whilst it can be irritating I find it most instructive as it tells one a lot about the sites that are visited. One word of warning:- TechRepublic's web site fails if NoScript is in use. It might surprise you to see the crud on there. I don't know for certain that NoScript does sort this but I've had no problems. So, perhaps we could discuss a solution that works for those who are "stuck" in the Windows World.

Neil Higgins

Just use a Linux distro, as it only affects XP.

TechExec2

This was not gratuitous gloating, even though it could easily be mistaken for that. It's not "whistling past the graveyard" either. The message is: People can switch away from Windows (to Linux in my case) and do everything they need to do very well. And, there are some benefits including fewer malware threats. It's not healthy for all of us to be so dependent on Microsoft (in reality or just perceived). It enables Microsoft to severely abuse the relationship and it makes everyone feel so powerless. Microsoft is abusing us. I want a more honest relationship with Microsoft. Defecting is really the only way to ever have a chance of getting there. I want to see Windows at 50% market share.
