Thursday, July 12th 2007

Incompatibility Between Firefox and Internet Explorer Causes Security Hole

If both IE and Firefox version 2.0 or later are loaded on a person's computer, a zero-day security hole may occur.

The trouble begins when a user visits a site with malicious content while using IE. The site then registers a "firefoxurl://" URI (uniform resource identifier) handler that gives access to that site and allows it to interact with IE.

Security researcher Thor Larholm, who discovered the security hole, and Symantec put much of the blame on IE, while Secunia's chief technology researcher, Thomas Kristensen, blamed Firefox for this security issue.

Source: ZDNet
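The escaping problem Larholm is quoted on in the comments, shown as an added example (not code from IE, Firefox or the article): a launcher substitutes a URL into a URI handler's command template, first verbatim and then percent-encoded. The handler name, the `exampleurl://` scheme, the template and the simplified argument splitter are all hypothetical.

```python
from urllib.parse import quote

# Hypothetical handler registration: "%1" is replaced with the URL by the
# program that launches the handler (the browser, in the article's scenario).
HANDLER_TEMPLATE = '"example-handler.exe" -url "%1"'

# Constructed input: a URL containing a double quote and spaces.
CRAFTED_URL = 'exampleurl://page" --injected-flag "x'

def split_args(cmdline):
    """Simplified Windows-style splitting: whitespace separates arguments
    outside double quotes; quotes toggle quoting and are dropped.
    Backslash rules are omitted for brevity."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def launch_unescaped(url):
    """Launcher substitutes the URL verbatim into the command line."""
    return split_args(HANDLER_TEMPLATE.replace("%1", url))

def launch_escaped(url):
    """Launcher percent-encodes quotes and whitespace before substitution."""
    safe_url = quote(url, safe=":/?#[]@!$&'()*+,;=%")
    return split_args(HANDLER_TEMPLATE.replace("%1", safe_url))

def handler_accepts(argv):
    """Handler-side check: exactly one URL argument with the expected scheme."""
    return len(argv) == 3 and argv[1] == "-url" and argv[2].startswith("exampleurl://")

if __name__ == "__main__":
    print(launch_unescaped(CRAFTED_URL))  # quote ends the URL argument early
    print(launch_escaped(CRAFTED_URL))    # URL stays a single argument
```

The unescaped launch turns one URL into several arguments, which is why the fix can live in the launcher (escape before substitution) and also be backstopped in the handler (reject unexpected argument counts).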

37 Comments on Incompatibility Between Firefox and Internet Explorer Causes Security Hole

#1
cmberry20
"If both IE and Firefox version 2.0, or later are loaded on a persons computer a zero day security hole may occur."

That quote in itself will apply to 99% of PC users as IE comes fully installed on all XP & Vista machines.
So just installing Mozilla will cause this scenario to happen.
#2
GJSNeptune
cmberry20: So just installing Mozilla will cause this scenario to happen.
Not quite. You have to be using IE, and "Mozilla" is just a company. ;)

Firefox is the vehicle, but it's really IE's fault.
"Firefox is the current attack vector, but Internet Explorer is to blame for not escaping...characters when passing on the input to the command line," said Larholm.
#3
Darknova
HAHAH, they BOTH are to blame. IE for having the security flaw...and Firefox for...oh yeah, having the security flaw.
#4
GJSNeptune
Firefox's only involvement is being installed.
#5
Darknova
GJSNeptune: Firefox's only involvement is being installed.
If it wasn't installed there wouldn't be a problem....hence it has a security flaw. Maybe not some gaping hole like IE has, but still a flaw nonetheless.
#6
Telexen
Darknova: If it wasn't installed there wouldn't be a problem....hence it has a security flaw. Maybe not some gaping hole like IE has, but still a flaw nonetheless.
But if it's installed on Linux, where IE doesn't belong - then it has no problem :D
#7
GJSNeptune
Darknova: If it wasn't installed there wouldn't be a problem....hence it has a security flaw. Maybe not some gaping hole like IE has, but still a flaw nonetheless.
It's a flaw because it takes advantage of IE when Firefox is installed. It has nothing to do with Firefox. It's entirely IE's shortcomings that make this a risk.
The trouble begins when browsing a malicious site while using IE and it registers a "firefoxurl://" URI (uniform resource identifier) handler, which allows the browser to interact with specific resources on the Web. As a result, users may find their systems remotely compromised.
I'll quote this yet again:
"Firefox is the current attack vector, but Internet Explorer is to blame for not escaping ... characters when passing on the input to the command line," said Larholm.
#8
Darknova
"It's a little bit of both," said Oliver Friedrichs, director of Symantec's Security Response Center. "You have two very complex applications that are not playing well together and leading to a security issue. The components themselves are secure as stand-alone products but not together."
It is not entirely IE's fault. I understand exactly how the risk came about, I understand how it is attacked, and I understand the underlying fault is with IE. However without FF there is no problem, as FF is, in a sense, opening up the hole.

I still agree entirely that it is mostly IE's fault, but FF is not entirely blameless.
#9
Dippyskoodlez
Darknova: It is not entirely IE's fault. I understand exactly how the risk came about, I understand how it is attacked, and I understand the underlying fault is with IE. However without FF there is no problem, as FF is, in a sense, opening up the hole.

I still agree entirely that it is mostly IE's fault, but FF is not entirely blameless.
But... Can this be used if something other than firefox were to use the same method?

It's IE.. :laugh:
#10
Benpi
If you're an anti-MS club member (or own a mac), then this is 100% IE's fault. If you're in the MS fanclub, it's FireFox's fault. If you really don't give a shart, it's both of their fault.
#11
GJSNeptune
There is skewed logic working here. The flaw exploits a hole in IE, but it only works if Firefox is installed. Firefox has nothing to do with IE not escaping characters. If a patch comes out, it'd be for IE, not Firefox.
#12
Dippyskoodlez
GJSNeptune: There is skewed logic working here. The flaw exploits a hole in IE, but it only works if Firefox is installed. Firefox has nothing to do with IE not escaping characters. If a patch comes out, it'd be for IE, not Firefox.
Exactly.

If you wanna scrape it up to fanboi-ism, GTFO.

The fix will be for IE.
#14
GJSNeptune
Calm as can be. Don't know why the mods have been exaggerating intensity.
#15
HellasVagabond
Anyways, everybody's goal is for this to get fixed so no point arguing about IE and Firefox.
Both are outstanding browsers.
#17
HellasVagabond
I like it far more than Firefox.....And I'm sure many people do also.....However lately MS is releasing updates once a month so no problems there :)
#18
demonbrawn
I personally like Firefox because of all the little free add-ons. Anyway, I don't think it really matters which program caused the issue as long as it gets fixed.
#19
GJSNeptune
It matters when one is being falsely accused and criticized.
#20
HellasVagabond
It takes both program faulty codes to create this mess GJSNeptune...It's not just 1 of those 2 that's bad.
#21
Ketxxx
Heedless Psychic
Darknova: If it wasn't installed there wouldn't be a problem....hence it has a security flaw. Maybe not some gaping hole like IE has, but still a flaw nonetheless.
The only flaw that was made was the creation of Internet Explorer.
#22
WarEagleAU
Bird of Prey
Firefox is the bomb. Safe and secure, but now it seems folks are targeting it. I guess they are tired of everyone ragging IE.
#23
Dippyskoodlez
HellasVagabond: It takes both program faulty codes to create this mess GJSNeptune...It's not just 1 of those 2 that's bad.
It sounds like IE is not handling certain text correctly... enabling something to take advantage of an internal link ability of firefox... with this, simply patching IE would....... solve the problem, would it not?
#24
HellasVagabond
We will see...If MS is the only one to release a patch yes, but if Mozilla releases an update too then no :)
#25
GJSNeptune
I give up. People are still not understanding and I've explained it too many times already.