« previous next »
Pages: [1]

Topic: IE and Firefox combination attack  (Read 1568 times)

0 Members and 1 Guest are viewing this topic.

Offline Nemesis

  • Captain Kayn
  • Global Moderator
  • Commodore
  • *
  • Posts: 13067
IE and Firefox combination attack
« on: July 10, 2007, 10:01:41 pm »
Link to full article

Quote
A proof of concept exploit found here uses IE to hand off maliciously-scripted code to a Firefox handler known as "firefoxurl." Handlers, which also include strings such as "ftp" and "aim," are found in the address bar and in many cases can be used to get Firefox to carry out certain actions.


Both sides are blaming the other.  Mozilla is working on a Firefox fix.

I think both should have fixes made.  IE should not pass "bad data" and Firefox shouldn't use it if it is given.
Logged
Do unto others as Frey has done unto you.
Seti Team    Free Software
I believe truth and principle do matter. If you have to sacrifice them to get the results you want, then the results aren't worth it.
 FoaS_XC : "Take great pains to distinguish a criticism vs. an attack. A person reading a post should never be able to confuse the two."

Offline Commander Maxillius

  • You did NOT just shoot that green sh-t at me?!?
  • Lt. Commander
  • *
  • Posts: 2299
  • Gender: Female
Re: IE and Firefox combination attack
« Reply #1 on: July 11, 2007, 03:41:03 am »
meh, I use Safari and Opera.... on Macintosh :P
Logged
I was never here, you were never here, this conversation never took place, and you most certainly did not see me.

Offline Just plain old Punisher

  • Vice Admiral
  • *
  • Posts: 36927
  • Gender: Male
  • I'm not facist, I just like wearing jackboots
Re: IE and Firefox combination attack
« Reply #2 on: July 11, 2007, 03:50:02 pm »
Quote from: Commander Maxillius on July 11, 2007, 03:41:03 am
meh, I use Safari and Opera.... on Macintosh :P

Ha! I use nothing on my amiga!
Logged

"Sex is a lot like pizza.  If you're not careful you can blister your tongue". -Dracho

Offline Nemesis

  • Captain Kayn
  • Global Moderator
  • Commodore
  • *
  • Posts: 13067
Re: IE and Firefox combination attack
« Reply #3 on: July 21, 2007, 12:07:26 pm »
Mozilla patches their side of the issue.

2.0.0.5 patch for Firefox released to fix this issue (and others)

Quote
Fixed in Firefox 2.0.0.5
MFSA 2007-25 XPCNativeWrapper pollution
MFSA 2007-24 Unauthorized access to wyciwyg:// documents
MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer
MFSA 2007-22 File type confusion due to %00 in name
MFSA 2007-21 Privilege escalation using an event handler attached to an element not in the document
MFSA 2007-20 Frame spoofing while window is loading
MFSA 2007-19 XSS using addEventListener and setTimeout
MFSA 2007-18 Crashes with e

2.0.0.5 patch for Thunderbird released as well since they share code.

Quote
MFSA 2007-23  Remote code execution by launching Firefox from Internet Explorer
MFSA 2007-18 Crashes with evidence of memory corruption
Logged
Do unto others as Frey has done unto you.
Seti Team    Free Software
I believe truth and principle do matter. If you have to sacrifice them to get the results you want, then the results aren't worth it.
 FoaS_XC : "Take great pains to distinguish a criticism vs. an attack. A person reading a post should never be able to confuse the two."

Offline jualdeaux

  • The Quiet One
  • Global Moderator
  • Commander
  • *
  • Posts: 2758
Re: IE and Firefox combination attack
« Reply #4 on: July 23, 2007, 01:52:08 pm »
I wonder how long it will take MS to come up with a fix on their end. Oh, wait... I forgot, it is never MS's fault.
Logged
Only in America .....do we use the word 'politics' to describe the process so well: 'Poli' in Latin meaning 'many' and 'tics' meaning 'bloodsucking creatures'.

Offline Just plain old Punisher

  • Vice Admiral
  • *
  • Posts: 36927
  • Gender: Male
  • I'm not facist, I just like wearing jackboots
Re: IE and Firefox combination attack
« Reply #5 on: July 23, 2007, 03:29:20 pm »
Quote from: jualdeaux on July 23, 2007, 01:52:08 pm
I wonder how long it will take MS to come up with a fix on their end. Oh, wait... I forgot, it is never MS's fault.

I imagine it would be the people who found and exploited the exploits fault.

It isn't my fault I robbed your house. Afterall, you didn't surround it with barb wire, alligator filled moats, and anti-personel minefields.
Logged

"Sex is a lot like pizza.  If you're not careful you can blister your tongue". -Dracho
Pages: [1]
« previous next »