New version of Firefox with security fix for URI vulnerability
The Mozilla developers have released version 220.127.116.11 of the Firefox browser. It includes a further fix for the special URL handling problem, which, under Windows XP with Internet Explorer 7 installed, allows attackers to call arbitrary installed programs. This can be accomplished merely by using crafted links on web pages or in e-mails.
Firefox 18.104.22.168 contains the patch announced yesterday (Monday) by Daniel Veditz, which fixes a vulnerability in the way URLs with embedded quotation marks are processed. The patch also solves the problem with the way URLs containing %00 or % characters are processed, exploitation of which allows installed applications to be called. The development team explains in a security advisory that the solution is not yet completely solid, but that all known exploits to date are prevented from working - in tests at heise Security, following the known crafted links did indeed no longer have any effect. As Veditz explained to heise Security yesterday (Monday), publication of the new version buys the developers time to develop a better solution to the problem.
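The advisory describes three URI shapes that must not reach an external protocol handler unchecked: embedded quotation marks, encoded NUL bytes (%00) and stray % characters. The following check is an added illustration of that gating logic, written here as example code; it is not Mozilla's patch, and the function names and the constructed sample URIs are assumptions.

```python
import re
from urllib.parse import urlsplit

# A percent escape is valid only as '%' followed by exactly two hex digits.
_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def uri_handoff_problems(uri: str) -> list[str]:
    """Return the reasons a URI must not be passed to an external program.

    Hypothetical check modelled on the advisory text: quotes, %00 and
    malformed percent escapes are each reported so a caller can log them.
    """
    problems: list[str] = []
    if '"' in uri:
        problems.append("embedded double quote")
    if "%00" in uri:
        problems.append("encoded NUL (%00)")
    for m in re.finditer("%", uri):
        tail = uri[m.end():m.end() + 2]
        if not _HEX_PAIR.fullmatch(tail):
            problems.append(f"malformed percent escape at offset {m.start()}")
            break  # one malformed escape is enough to refuse the hand-off
    return problems


def should_hand_off(uri: str, external_schemes: frozenset[str]) -> bool:
    """Gate the hand-off: scheme must be on the allow-list and the URI clean."""
    scheme = urlsplit(uri).scheme.lower()
    return scheme in external_schemes and not uri_handoff_problems(uri)


if __name__ == "__main__":
    # Constructed sample links, not taken from the article.
    allowed = frozenset({"mailto", "news"})
    for link in ("mailto:alice@example.com?subject=hi",
                 'mailto:alice@example.com" extra',
                 "mailto:alice%00@example.com",
                 "news:comp.lang%zz"):
        print(link, "->", should_hand_off(link, allowed),
              uri_handoff_problems(link))
```

The scheme allow-list is the defender's side of the story: even a clean URI goes out only if its scheme is one the browser intentionally delegates.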
- Skype also affected by supposed "Firefox vulnerability", report by heise Security
- Privilege escalation through chrome-loaded about:blank windows, security advisory from the Mozilla development team
- Unescaped URIs passed to external programs, security advisory from the Mozilla development team
- Release notes for the new version of Firefox
- Download Firefox 22.214.171.124