In association with heise online

31 July 2007, 13:19

New version of Firefox with security fix for URI vulnerability


The Mozilla developers have released version 2.0.0.6 of the Firefox browser. It includes a further fix for the special URL handling problem which, under Windows XP with Internet Explorer 7 installed, allows attackers to call arbitrary installed programs. This can be accomplished merely by using crafted links on web pages or in e-mails.

Firefox 2.0.0.6 contains the patch announced yesterday (Monday) by Daniel Veditz, which fixes a vulnerability in the way URLs with embedded quotation marks are processed. The patch also solves the problem with the way URLs containing %00 or % characters are processed, exploitation of which allows installed applications to be called. The development team explains in a security advisory that the solution is not yet completely solid, but that all known exploits to date are prevented from working. In tests at heise Security, the known crafted links did indeed no longer have any effect when followed. As Veditz explained to heise Security yesterday (Monday), publication of the new version buys the developers time to develop a better solution to the problem.
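As an added illustration (not Mozilla's patch and not code from the advisory), the following sketch shows a pre-dispatch check that refuses to hand a URI to an external protocol handler if it contains the three patterns named above. The function names, the list of internally handled schemes and the reading of "% characters" as a percent sign not followed by two hex digits are assumptions.

```javascript
// Added example: screen URIs before passing them to an external
// protocol handler. Names and the scheme list are assumptions.
const INTERNAL_SCHEMES = new Set(["http", "https", "ftp"]); // assumed: handled in-browser

function checkExternalUri(uri) {
  const reasons = [];
  // A URI must start with a scheme (RFC 3986 syntax) followed by ':'.
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(uri);
  if (!m) return { external: false, ok: false, reasons: ["no scheme"] };

  const external = !INTERNAL_SCHEMES.has(m[1].toLowerCase());
  // Internally handled schemes never reach an external program.
  if (!external) return { external, ok: true, reasons };

  // The three patterns the article names for external handlers.
  if (uri.includes('"')) reasons.push("embedded quotation mark");
  if (/%00/.test(uri)) reasons.push("%00 (encoded NUL)");
  // Assumption: "% characters" means a '%' that does not start a
  // valid two-digit hex escape.
  if (/%(?![0-9A-Fa-f]{2})/.test(uri)) reasons.push("malformed % escape");

  return { external, ok: reasons.length === 0, reasons };
}

// Return only the URIs that must not be dispatched.
function blockedUris(uris) {
  return uris.filter((u) => !checkExternalUri(u).ok);
}

// Constructed, harmless sample inputs.
const SAMPLES = [
  "mailto:user@example.com",
  'mailto:a"b@example.com',
  "mailto:user%00@example.com",
  "mailto:50%@example.com",
  "mailto:first%20last@example.com",
  'http://example.com/?q="quoted"',
];
```

Rejecting rather than rewriting the URI keeps the check independent of how any particular handler parses its command line.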

The latest version also fixes a further security hole, which had arisen in the previous version as a result of a patch for a frame spoofing security vulnerability. This could permit attackers to use crafted web pages to escalate privileges, for example for JavaScript. In their security advisory, Mozilla also announce the release of Thunderbird 2.0.0.6, 1.0.5.13 and SeaMonkey 1.1.4, which also fix the vulnerabilities. However, the new versions have not yet appeared on the download servers.


(mba)
