Microsoft scores points in the security ping-pong with Mozilla
The Firefox version 184.108.40.206 released by the Mozilla team has fixed a bug that could be exploited through Internet Explorer by calling Firefox as handler with a specially crafted URL. When the bug had been fixed, Window Snyder, Mozilla's chief security officer , warned that this update did not fix the critical vulnerability in Internet Explorer and thus, did not eliminate the related security risk: it would be Microsoft’s job to patch the bug. Indeed, Nate McFeters has demonstrated that the same mechanism could be exploited via IE to inject arbitrary code into the Trillian instant messenger.
The problem is that URLs containing quotation marks could be passed to the launched application in several parts, which are interpreted as separate parameters. According to Snyder, it is the browser's task to filter these quotation marks. The IE team, on the other hand, claims that this is not a bug in Internet Explorer. Rather, the handler, which registers for a URL type, must filter it properly. This attitude is also reflected in the documentation found in the MSDN.
This difference of opinion triggered fierce discussions concerning who the real culprit is. The latest salvo has been landed by the former Microsoft security strategist Jesper Johansson. In his quite nasty blog entry "Hey, Mozilla: Quotes Are Not Legal in a URL", he demonstrates in detail that Mozilla behaves exactly like Internet Explorer and fails to filter URLs before passing them to external applications.
Slightly embarrassed, Mozilla's Snyder has admitted, without referring to Johansson's blog, that in fact, Firefox, too, has a security problem when launching external applications and that this problem is currently under examination. She also admits that this bug should have been detected and fixed when the update for version 220.127.116.11 was created. Anyway, a patch has been made available in the bug database.
This may be a chance to return to technical discussions instead of blaming each other. Application vendors and users alike would appreciate if the two largest browser vendors could co-operate to find an answer to the question whether it is the browser's task to filter URLs or not.