Thursday, July 12th 2007

Incompatibility Between Firefox and Internet Explorer Causes Security Hole

If both IE and Firefox version 2.0 or later are loaded on a person's computer, a zero-day security hole may occur.
The trouble begins when visiting a site with malicious content while using IE. The site then registers a "firefoxurl://" URI (uniform resource identifier) handler that gives access to that site and allows it to interact with IE.

Security researcher Thor Larholm, who discovered the security hole, and Symantec put much of the blame on IE, while Secunia's chief technology researcher, Thomas Kristensen, blamed Firefox for this security issue.

Source: ZDNet

37 Comments on Incompatibility Between Firefox and Internet Explorer Causes Security Hole

#1
cmberry20
75 Posts
"If both IE and Firefox version 2.0, or later are loaded on a persons computer a zero day security hole may occur."

That quote in itself will apply to 99% of PC users as IE comes fully installed on all XP & Vista machines.
So just installing Mozilla will cause this scenario to happen.
#2
GJSNeptune
1000 Posts
by: cmberry20
So just installing Mozilla will cause this scenario to happen.
Not quite. You have to be using IE, and "Mozilla" is just a company. ;)

Firefox is the vehicle, but it's really IE's fault.
"Firefox is the current attack vector, but Internet Explorer is to blame for not escaping...characters when passing on the input to the command line," said Larholm.
#3
Darknova
3500 Posts
HAHAH, they BOTH are to blame. IE for having the security flaw...and Firefox for...oh yeah, having the security flaw.
#4
GJSNeptune
1000 Posts
Firefox's only involvement is being installed.
#5
Darknova
3500 Posts
by: GJSNeptune
Firefox's only involvement is being installed.
If it wasn't installed there wouldn't be a problem....hence it has a security flaw. Maybe not some gaping hole like IE has, but still a flaw none the less.
#6
Telexen
5 Posts
by: Darknova
If it wasn't installed there wouldn't be a problem....hence it has a security flaw. Maybe not some gaping hole like IE has, but still a flaw none the less.
But if it's installed on Linux, where IE doesn't belong - then it has no problem :D
#7
GJSNeptune
1000 Posts
by: Darknova
If it wasn't installed there wouldn't be a problem....hence it has a security flaw. Maybe not some gaping hole like IE has, but still a flaw none the less.
It's a flaw because it takes advantage of IE when Firefox is installed. It has nothing to do with Firefox. It's entirely IE's shortcomings that make this a risk.
The trouble begins when browsing a malicious site while using IE and it registers a "firefoxurl://" URI (uniform resource identifier) handler, which allows the browser to interact with specific resources on the Web. As a result, users may find their systems remotely compromised.
I'll quote this yet again:
"Firefox is the current attack vector, but Internet Explorer is to blame for not escaping ... characters when passing on the input to the command line," said Larholm.
#8
Darknova
3500 Posts
"It's a little bit of both," said Oliver Friedrichs, director of Symantec's Security Response Center. "You have two very complex applications that are not playing well together and leading to a security issue. The components themselves are secure as stand-alone products but not together."
It is not entirely IE's fault. I understand exactly how the risk came about, I understand how it is attacked, and I understand the underlying fault is with IE. However, without FF there is no problem, as FF is, in a sense, opening up the hole.

I still agree entirely that it is mostly IE's fault, but FF is not entirely blameless.
#9
Dippyskoodlez
3500 Posts
by: Darknova
It is not entirely IE's fault. I understand exactly how the risk came about, I understand how it is attacked, and I understand the underlying fault is with IE. However, without FF there is no problem, as FF is, in a sense, opening up the hole.

I still agree entirely that it is mostly IE's fault, but FF is not entirely blameless.
But... Can this be used if something other than firefox were to use the same method?

It's IE.. :laugh:
#10
Benpi
Banned
If you're an anti-MS club member (or own a mac), then this is 100% IE's fault. If you're in the MS fanclub, it's FireFox's fault. If you really don't give a shart, it's both of their fault.
#11
GJSNeptune
1000 Posts
There is skewed logic working here. The flaw exploits a hole in IE, but it only works if Firefox is installed. Firefox has nothing to do with IE not escaping characters. If a patch comes out, it'd be for IE, not Firefox.
#12
Dippyskoodlez
3500 Posts
by: GJSNeptune
There is skewed logic working here. The flaw exploits a hole in IE, but it only works if Firefox is installed. Firefox has nothing to do with IE not escaping characters. If a patch comes out, it'd be for IE, not Firefox.
Exactly.

If you wanna scrape it up to fanboi-ism, GTFO.

The fix will be for IE.
#14
GJSNeptune
1000 Posts
Calm as can be. Don't know why the mods have been exaggerating intensity.
#15
HellasVagabond
2000 Posts
Anyways, everybody's goal is for this to get fixed, so no point arguing about IE and Firefox.
Both are outstanding browsers.
#17
HellasVagabond
2000 Posts
I like it far more than Firefox.....And I'm sure many people do also.....However lately MS is releasing updates once a month so no problems there :)
#18
demonbrawn
500 Posts
I personally like Firefox because of all the little free add-ons. Anyway, I don't think it really matters which program caused the issue as long as it gets fixed.
#19
GJSNeptune
1000 Posts
It matters when one is being falsely accused and criticized.
#20
HellasVagabond
2000 Posts
It takes both program faulty codes to create this mess GJSNeptune...It's not just 1 of those 2 that's bad.
#21
Ketxxx
Eligible for custom title
by: Darknova
If it wasn't installed there wouldn't be a problem....hence it has a security flaw. Maybe not some gaping hole like IE has, but still a flaw none the less.
The only flaw that was made was the creation of Internet Explorer.
#22
WarEagleAU
Bird of Prey
Firefox is the bomb. Safe and secure, but now it seems folks are targeting it. I guess they are tired of everyone ragging IE.
#23
Dippyskoodlez
3500 Posts
by: HellasVagabond
It takes both program faulty codes to create this mess GJSNeptune...It's not just 1 of those 2 that's bad.
It sounds like IE is not handling certain text correctly... enabling something to take advantage of an internal link ability of firefox... with this, simply patching IE would....... solve the problem, would it not?
#24
HellasVagabond
2000 Posts
We will see...If MS is the only one to release a patch yes, but if Mozilla releases an update too then no :)
#25
GJSNeptune
1000 Posts
I give up. People are still not understanding and I've explained it too many times already.