Incompatibility Between Firefox and Internet Explorer Causes Security Hole

HellasVagabond · Jul 12, 2007, 11:30 AM

If both IE and Firefox version 2.0, or later are loaded on a persons computer a zero day security hole may occur.

The trouble begins when visiting a site with malicious content while using IE. The site then registers a "firefoxurl://" URI (uniform resource identifier) handler, that gives access to that site and allows it to interact with IE.

The Security researcher named Thor Larholm who discovered the Security Hole and Symantec put much of the blame on IE, while Secunia's chief technology researcher named Thomas Kristensen, blamed FireFox for this Security Issue.

Source : Zdnet

cmberry20 · Jul 12, 2007, 12:13 PM

"If both IE and Firefox version 2.0, or later are loaded on a persons computer a zero day security hole may occur."

That quote in it self will apply to 99% of PC users as IE comes fully installed on all XP & Vista machines.
So just installing Mozilla will causes this scenario to happen.

GJSNeptune · Jul 12, 2007, 12:28 PM

Quote:

Originally Posted by cmberry20

So just installing Mozilla will causes this scenario to happen.

Not quite. You have to be using IE, and "Mozilla" is just a company.

Firefox is the vehicle, but it's relaly IE's fault.

Quote:

"Firefox is the current attack vector, but Internet Explorer is to blame for not escaping...characters when passing on the input to the command line," said Larholm

Darknova · Jul 12, 2007, 04:13 PM

HAHAH, they BOTH are too blame. IE for having the security flaw...and Firefox for...oh yeah, having the security flaw.

GJSNeptune · Jul 12, 2007, 04:16 PM

Firefox's only involvement is being installed.

Darknova · Jul 12, 2007, 04:18 PM

Quote:

Originally Posted by GJSNeptune

Firefox's only involvement is being installed.

If it wasn't installed there wouldn't be a problem....hence it has a security flaw. Maybe not some gaping hole like IE has, but still a flaw none the less.

Telexen · Jul 12, 2007, 04:20 PM

Quote:

Originally Posted by Darknova

If it wasn't installed there wouldn't be a problem....hence it has a security flaw. Maybe not some gaping hole like IE has, but still a flaw none the less.

But if it's installed on Linux, where IE doesn't belong - then it has no problem

GJSNeptune · Jul 12, 2007, 04:22 PM

Quote:

Originally Posted by Darknova

If it wasn't installed there wouldn't be a problem....hence it has a security flaw. Maybe not some gaping hole like IE has, but still a flaw none the less.

It's a flaw because it takes advantage of IE when Firefox is installed. It has nothing to do with Firefox. It's entirely IE's shortcomings that makes this a risk.

Quote:

The trouble begins when browsing a malicious site while using IE and it registers a "firefoxurl://" URI (uniform resource identifier) handler, which allows the browser to interact with specific resources on the Web. As a result, users may find their systems remotely compromised.

I'll quote this yet again:

Quote:

"Firefox is the current attack vector, but Internet Explorer is to blame for not escaping ... characters when passing on the input to the command line," said Larholm.

Darknova · Jul 12, 2007, 04:51 PM

Quote:

"It's a little bit of both," said Oliver Friedrichs, director of Symantec's Security Response Center. "You have two very complex applications that are not playing well together and leading to a security issue. The components themselves are secure as stand-alone products but not together."

It is not entirely IE's fault. I understand exactly how the risk came about, I understand how it is attacked, and I understand the under lying fault is with IE. However without FF there is no problem, as FF, in a sense, opening up the hole.

I still agree entirely that it is mostly IEs fault, but FF is not entirely blameless.

Dippyskoodlez · Jul 12, 2007, 04:56 PM

Quote:

Originally Posted by Darknova

It is not entirely IE's fault. I understand exactly how the risk came about, I understand how it is attacked, and I understand the under lying fault is with IE. However without FF there is no problem, as FF, in a sense, opening up the hole.

I still agree entirely that it is mostly IEs fault, but FF is not entirely blameless.

But... Can this be used if something other than firefox were to use the same method?

Its ie..

Benpi · Jul 12, 2007, 05:26 PM

If you're an anti-MS club member (or own a mac), then this is 100% IE's fault. If you're in the MS fanclub, it's FireFox's fault. If you really don't give a shart, it's both of their fault.

GJSNeptune · Jul 12, 2007, 05:34 PM

There is skewed logic working here. The flaw exploits a hole in IE, but it only works if Firefox is installed. Firefox has nothing to do with IE not escaping characters. If a patch comes out, it'd be for IE, not Firefox.

Dippyskoodlez · Jul 12, 2007, 05:46 PM

Quote:

Originally Posted by GJSNeptune

There is skewed logic working here. The flaw exploits a hole in IE, but it only works if Firefox is installed. Firefox has nothing to do with IE not escaping characters. If a patch comes out, it'd be for IE, not Firefox.

Exactly.

If you wanna scrape it up to fanboi-ism, GTFO.

The fix will be for IE.

HellasVagabond · Jul 12, 2007, 07:19 PM

Calm down people....

GJSNeptune · Jul 12, 2007, 07:21 PM

Calm as can be. Don't know why the mods have been exaggerating intensity.

HellasVagabond · Jul 12, 2007, 07:23 PM

Anyways everybodys goal is for this to get fixed so no point arguing about IE and Firefox.
Both are Outstanding Browsers.

GJSNeptune · Jul 12, 2007, 07:25 PM

Quick fix. Don't use IE.

HellasVagabond · Jul 12, 2007, 07:26 PM

I like it far more than Firefox.....And im sure many people do also.....However lately MS is releasing updates once a month so no problems there

demonbrawn · Jul 12, 2007, 08:22 PM

I personally like Firefox because of all the little free add-ons. Anyway, I don't think it really matters which program caused the issue as long as it gets fixed.

GJSNeptune · Jul 12, 2007, 08:27 PM

It matters when one is being falsely accused and criticized.

HellasVagabond · Jul 12, 2007, 09:13 PM

It takes both program faulty codes to create this mess GJSNeptune...Its not just 1 of those 2 thats bad.

Ketxxx · Jul 12, 2007, 09:25 PM

Quote:

Originally Posted by Darknova

If it wasn't installed there wouldn't be a problem....hence it has a security flaw. Maybe not some gaping hole like IE has, but still a flaw none the less.

The only flaw that was made was the creation of Internet Explorer.

WarEagleAU · Jul 12, 2007, 09:27 PM

Firefox is the bomb. Safe and secure, but now it seems folks are targetting it. I guess they are tired of everyone ragging IE

Dippyskoodlez · Jul 12, 2007, 09:31 PM

Quote:

Originally Posted by HellasVagabond

It takes both program faulty codes to create this mess GJSNeptune...Its not just 1 of those 2 thats bad.

It sounds like IE is not handling certain text correctly... enabling something to take advantage of an internal link ability of firefox... with this, simply patching IE would....... solve the problem, would it not?

HellasVagabond · Jul 12, 2007, 09:38 PM

We will see...If MS is the only one to release a patch yes, but if Mozilla releases an update too then no

Jul 12, 2007, 11:30 AM	#1
HellasVagabond Join Date: Jan 2007 Location: Athens , GREECE Posts: 2,695 (1.16/day) Thanks: 14 Thanked 168 Times in 140 Posts System Specs	Incompatibility Between Firefox and Internet Explorer Causes Security Hole If both IE and Firefox version 2.0, or later are loaded on a persons computer a zero day security hole may occur. The trouble begins when visiting a site with malicious content while using IE. The site then registers a "firefoxurl://" URI (uniform resource identifier) handler, that gives access to that site and allows it to interact with IE. The Security researcher named Thor Larholm who discovered the Security Hole and Symantec put much of the blame on IE, while Secunia's chief technology researcher named Thomas Kristensen, blamed FireFox for this Security Issue. Source : Zdnet

System Name:	SECONDARY RIG / PRIMARY RIG / THIRD RIG
Processor:	i920@3.6GHz / i920@4GHz / AMD Phenom II 955
Motherboard:	Gigabyte EX58-UD4P / Gigabyte EX58-UD7 / ASRock 890GX3
Cooling:	CoolIT Domino ALC / Thermalright Silver Arrow / Thermalright VenomousX
Memory:	12GB DDR3 @ 1800MHZ / 6GB DDR3 @ 2250MHZ / 4GB DDR3 @ 1600MHZ
Video Card:	XFX ATI RADEON 5970 / GAINWARD NVIDIA GTX 580 / 2xGEFORCE GTX295
Hard Disk:	1550GB / 6TB SAS - SSD / 160GB SSD
Optical Drive:	PLEXTOR 750A / PLEXTOR DVDRW 820A / NEC 7173S
CRT/LCD Model:	NEC 26WUXi2 / NEC 3090WQXi / SONY 55A2000 (1080P 55inch)
Case:	COOLER MASTER HAF 932 / COOLER MASTER ATCS 840 / ANTEC DARKFLEET DF85
Sound Card:	Soundblaster X-Fi Xtreme Music / SoundBlaster X-Fi Fatal1ty Pro / Realtek Onboard
PSU:	CWT 1200W / Enermax Revolution 85+ 1250W / Ikonik Vulcan 1200W
Software:	Windows 7 x64 / Windows 7 x64 / Windows 7 x64

Processor:	AMD Athlon 64 X2 5000+ Black Edition
Motherboard:	Gigabyte GA-MA770-DS3
Cooling:	Tuniq Tower 120 (with Scythe SFF21E)
Memory:	2x1GB Corsair XMS2 DDR2-800 CAS4 DHX
Video Card:	PALiT 9800GTX 512MB PCI-E
Hard Disk:	WD2500AAKS, WD1600YS, WD1200JD, WD400EB
Optical Drive:	Samsung S203b SATA DVD/RW
CRT/LCD Model:	LG L1920P, Viewsonic VA520
Case:	Lian-Li A05b (with two 120mm Yate Loon D12SM)
PSU:	Corsair HX520
Software:	Vista Business 32-bit/XP Pro 32-bit dual-boot

System Name:	Red Dragon \\ Asus X5DAB
Processor:	AMD Phenom II X3 720BE @ 3.5Ghz \\ Athlon X2 QL-64 @ 2.1Ghz
Motherboard:	Gigabyte GA-MA790X-UD3P \\ K50AB motherboard - RS780 chipset
Cooling:	Xigmatek H.D.T S1283 Red Scorpion \\ Laptop cooling
Memory:	4x2GB Crucial Ballistix Tracer Reds DDR2 1000Mhz \\ 3GB DDR2 667
Video Card:	XFX 5850 XXX \\ ATi mobility 4570 + ATi HD3200
Hard Disk:	2x 320GB Sammy F1 RAID 0, 2x 1TB Sammy F1, 750Gb Sammy F1 \\ 250GB
Optical Drive:	LG DVD-RW/RAM 20x \\ DVD-SM
CRT/LCD Model:	1x 24" Samsung Syncmaster 2433 1x Dell 20.1" E207WFP \\ 15.6" 1366x768
Case:	Thermaltake Elements S \\ K50 Chassis
Sound Card:	Asus Xonar D2X \\ VIA HD Audio
PSU:	PCP&C Silencer 750W \\
Software:	Windows 7 Ultimate x64 \\ Windows 7 Ultimate x64

Processor:	AMD Athlon 64 X2 5000+ Black Edition
Motherboard:	Gigabyte GA-MA770-DS3
Cooling:	Tuniq Tower 120 (with Scythe SFF21E)
Memory:	2x1GB Corsair XMS2 DDR2-800 CAS4 DHX
Video Card:	PALiT 9800GTX 512MB PCI-E
Hard Disk:	WD2500AAKS, WD1600YS, WD1200JD, WD400EB
Optical Drive:	Samsung S203b SATA DVD/RW
CRT/LCD Model:	LG L1920P, Viewsonic VA520
Case:	Lian-Li A05b (with two 120mm Yate Loon D12SM)
PSU:	Corsair HX520
Software:	Vista Business 32-bit/XP Pro 32-bit dual-boot

Jul 12, 2007, 12:13 PM	#2
cmberry20 Join Date: Aug 2004 Location: Worcester, England Posts: 140 (0.04/day) Thanks: 0 Thanked 2 Times in 2 Posts	"If both IE and Firefox version 2.0, or later are loaded on a persons computer a zero day security hole may occur." That quote in it self will apply to 99% of PC users as IE comes fully installed on all XP & Vista machines. So just installing Mozilla will causes this scenario to happen.

Jul 12, 2007, 04:13 PM	#4
Darknova Join Date: Nov 2006 Location: Manchester, United Kingdom Posts: 4,342 (1.82/day) Thanks: 113 Thanked 551 Times in 514 Posts System Specs	HAHAH, they BOTH are too blame. IE for having the security flaw...and Firefox for...oh yeah, having the security flaw.

Jul 12, 2007, 04:16 PM	#5
GJSNeptune Join Date: Apr 2007 Location: Ohio Posts: 1,743 (0.79/day) Thanks: 24 Thanked 112 Times in 103 Posts System Specs	Firefox's only involvement is being installed.

Processor:	Dual Opteron 265s (each with dual cores @ 2ghz)
Motherboard:	Asus K8N-DL
Cooling:	Watercooled with 2 x Swiftech Apogees + DD D5
Memory:	2x1gb Corsair ECC Registered PC3200 DDR
Video Card:	GeForce 7600gt
Hard Disk:	920gb total storage
Optical Drive:	NEC ND-4570A
CRT/LCD Model:	Samsung SyncMaster 205BW
Case:	Self painted double wide server case (Chenbro SR103)
Sound Card:	Sound Blaster Audigy 2 Value
PSU:	600W Silverstone Quad rail
Software:	Gentoo Linux amd64 (NO Windows!)

Processor:	Intel i5 2500k@ 5ghz
Motherboard:	Gigabyte UD3P
Cooling:	Water
Memory:	2x XMS3 4Gb, 2x Gskill 2Gb
Video Card:	2x Xfx Radeon 5850 1Gb
Hard Disk:	120gb Mushkin Chronos, 2x 2tb+3x1Tb
Optical Drive:	DVDRW
CRT/LCD Model:	24" Dell 1920x1080, 24" Acer
Case:	NZXT Stretch 810
PSU:	NZXT HALE90 850W
Software:	Windows 7 x64
Benchmarks:	2900Mhz 2500+ Barton mobile air cooled. 5Ghz 2500k Water cooled.

Jul 12, 2007, 05:26 PM	#11
Benpi Banned Join Date: Dec 2006 Posts: 415 (0.18/day) Thanks: 6 Thanked 3 Times in 3 Posts System Specs	If you're an anti-MS club member (or own a mac), then this is 100% IE's fault. If you're in the MS fanclub, it's FireFox's fault. If you really don't give a shart, it's both of their fault.

Processor:	AMD X2 4400+
Memory:	2G
Video Card:	7950 GX2
Hard Disk:	2x 74g 10000rpm Raid:0
CRT/LCD Model:	Dell 1920x1200 widescreen
Software:	3dmark06 score: 7650

Jul 12, 2007, 05:34 PM	#12
GJSNeptune Join Date: Apr 2007 Location: Ohio Posts: 1,743 (0.79/day) Thanks: 24 Thanked 112 Times in 103 Posts System Specs	There is skewed logic working here. The flaw exploits a hole in IE, but it only works if Firefox is installed. Firefox has nothing to do with IE not escaping characters. If a patch comes out, it'd be for IE, not Firefox.

Jul 12, 2007, 07:19 PM	#14
HellasVagabond Join Date: Jan 2007 Location: Athens , GREECE Posts: 2,695 (1.16/day) Thanks: 14 Thanked 168 Times in 140 Posts System Specs	Calm down people.... __________________ Guides For GPU Power Users (Sometimes its Good to pay tribute to some people instead of copy pasting their guides.)

Jul 12, 2007, 07:21 PM	#15
GJSNeptune Join Date: Apr 2007 Location: Ohio Posts: 1,743 (0.79/day) Thanks: 24 Thanked 112 Times in 103 Posts System Specs	Calm as can be. Don't know why the mods have been exaggerating intensity.

Jul 12, 2007, 07:23 PM	#16
HellasVagabond Join Date: Jan 2007 Location: Athens , GREECE Posts: 2,695 (1.16/day) Thanks: 14 Thanked 168 Times in 140 Posts System Specs	Anyways everybodys goal is for this to get fixed so no point arguing about IE and Firefox. Both are Outstanding Browsers. __________________ Guides For GPU Power Users (Sometimes its Good to pay tribute to some people instead of copy pasting their guides.)

Jul 12, 2007, 07:25 PM	#17
GJSNeptune Join Date: Apr 2007 Location: Ohio Posts: 1,743 (0.79/day) Thanks: 24 Thanked 112 Times in 103 Posts System Specs	Quick fix. Don't use IE.

Jul 12, 2007, 07:26 PM	#18
HellasVagabond Join Date: Jan 2007 Location: Athens , GREECE Posts: 2,695 (1.16/day) Thanks: 14 Thanked 168 Times in 140 Posts System Specs	I like it far more than Firefox.....And im sure many people do also.....However lately MS is releasing updates once a month so no problems there __________________ Guides For GPU Power Users (Sometimes its Good to pay tribute to some people instead of copy pasting their guides.)

Jul 12, 2007, 08:22 PM	#19
demonbrawn Join Date: May 2006 Location: Kentucky Posts: 812 (0.32/day) Thanks: 38 Thanked 14 Times in 13 Posts System Specs	I personally like Firefox because of all the little free add-ons. Anyway, I don't think it really matters which program caused the issue as long as it gets fixed. __________________ Light travels faster than sound. That's why some people look bright until they start talking.

System Name:	Sony Vaio - VGNFW390-CTO
Processor:	Intel® Core™ 2 Duo Processor T9550 (2.66GHz)
Cooling:	Stock
Memory:	4GB DDR2-SDRAM (DDR2-800, 2GBx2)
Video Card:	ATI Mobility Radeon™ HD 3650 with 512MB vRAM (pitiful card)
Hard Disk:	320GB SATA Hard Disk Drive [7200 rpm]
Optical Drive:	Blu-ray
CRT/LCD Model:	LCD 16.4" (XBRITE-FullHD™)
Sound Card:	SupremeFX
Software:	Windows 7

Jul 12, 2007, 08:27 PM	#20
GJSNeptune Join Date: Apr 2007 Location: Ohio Posts: 1,743 (0.79/day) Thanks: 24 Thanked 112 Times in 103 Posts System Specs	It matters when one is being falsely accused and criticized.

Jul 12, 2007, 09:13 PM	#21
HellasVagabond Join Date: Jan 2007 Location: Athens , GREECE Posts: 2,695 (1.16/day) Thanks: 14 Thanked 168 Times in 140 Posts System Specs	It takes both program faulty codes to create this mess GJSNeptune...Its not just 1 of those 2 thats bad. __________________ Guides For GPU Power Users (Sometimes its Good to pay tribute to some people instead of copy pasting their guides.)

System Name:	Prowler. V5.
Processor:	Q8400 @ 3.6GHz 450FSB (testing)
Motherboard:	P5Q Pro w\ my custom BIOS
Cooling:	CPU: CNPS 9500, VGA: VF900, RAM: XTC Cooler, Rest: 1x80mm LED, 2x 120mm LED, 1x 40mm LED, 1x 135mm
Memory:	2x2GB Transcend aXeRam PC2-8500
Video Card:	2x XFX HD4830 512MB
Hard Disk:	Maxtor DM10 NCQ, 16MB cache, SATA 250GB (WD Black 640GB ordered)
Optical Drive:	Pioneer 112DSV 18x dual DVD-RW, Lite-On 16x DVD combo
CRT/LCD Model:	22" LG Flatron W2242S
Case:	Unique
Sound Card:	Asus Xonar DX 7.1 PCI-E
PSU:	Hi-Power 800W Modular. 3.3 & 5v rails 30A, 4x 12v rails @ 20A each.
Software:	Windows 7 x64

Jul 12, 2007, 09:27 PM	#23
WarEagleAU Bird of Prey Join Date: Jul 2006 Location: Gurley, AL Posts: 9,994 (3.98/day) Thanks: 3,810 Thanked 557 Times in 521 Posts System Specs	Firefox is the bomb. Safe and secure, but now it seems folks are targetting it. I guess they are tired of everyone ragging IE __________________ =-TheEagle-= http://www.heatware.com/eval.php?id=62454 “You crazy? Surfing any website without an antivirus is like freaking with a dirty woman without protection” -OzzmanFloyd120 - Edited for content and clarity

System Name:	Boddha Getta
Processor:	AMD FX 6100 @ 4.432Ghz @1.401V
Motherboard:	ASUS M5A99X EVO AMD 990X AMD SB950
Cooling:	Custom Water. EK 240MM Kit, Supreme HSF - Runs 35C
Memory:	2 x 4GB Corsair Vengeance White LP @ 1.35V
Video Card:	XFX Radeon HD 6870 900/1050 (no OC yet)
Hard Disk:	WD Caviar Black 1.0TB, WD Caviar Green 1.0TB, WD 160GB
Optical Drive:	Samung SH22SL 22X Lightscribe DVD+/-R/RW LG BDRE Reader/Burner Lite ON Max Burner for burning Xbox
CRT/LCD Model:	Asus VH222/S 22: (21.5" Viewable) 1920x1080p HDMI LCD Monitor
Case:	NZXT White Phantom
Sound Card:	Onboard Realtek 5.1
PSU:	NZXT Hale 90 Gold Cert 750W Modular PSU
Software:	Windows 7 Pro 64 bit.
Benchmarks:	5.9 Windows Index rating 3D06 - 17472

Jul 12, 2007, 09:38 PM	#25
HellasVagabond Join Date: Jan 2007 Location: Athens , GREECE Posts: 2,695 (1.16/day) Thanks: 14 Thanked 168 Times in 140 Posts System Specs	We will see...If MS is the only one to release a patch yes, but if Mozilla releases an update too then no __________________ Guides For GPU Power Users (Sometimes its Good to pay tribute to some people instead of copy pasting their guides.)

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)