E-Commerce News: Security: Internet Explorer Linked to Firefox Security Hole

Internet Explorer Linked to Firefox Security Hole

By Chris Maxcer
LinuxInsider
Part of the ECT News Network
07/11/07 2:00 PM PT

The latest browser war dustup pits Mozilla's Firefox against Microsoft's Internet Explorer, but this time the tiff isn't about market share. It appears that IE may undermine Firefox's security when a Net surfer clicks on malicious page links using the IE browser and Firefox also happens to be installed on the machine.

Tips to Integrate Social Media into Your Day-to-Day Media Monitoring
Is social media part of your PR and marketing strategy? This white paper is filled with tips on how to listen to conversations about your brand in the media (social media, print, TV and internet) using the latest tools and techniques. Download Now.

In an interesting twist on browser-based security issues, security researchers said they have found a flaw in which Microsoft's (Nasdaq: MSFT) Internet Explorer (IE) can cause Mozilla's Firefox to execute remote malicious code.

Security firm Secunia released an advisory Tuesday, ranking the flaw as highly critical. The vulnerability is confirmed on Firefox 2.0.0.4 on a fully patched version of Windows XP SP2.

How It Works

Basically, the end user must use IE to navigate to a malicious Web page and click on a link. The problem only occurs when the user also has Firefox installed -- it does nothing if Firefox isn't installed.

The link, according to Mozilla, can cause IE to invoke another Windows program -- in this case, Firefox -- via the command line and pass that program the URL from the malicious Web page. This can cause data to be passed from the malicious Web page to the second Windows program, which could allow remote code execution in Firefox, the browser's maker notes on its Mozilla Security Blog.

It may be possible to use the same method in IE to invoke action with other Windows programs, but none have yet been reported.

No Immediate Fix

Mozilla and Microsoft don't have an immediate fix, but Mozilla said it will patch the problem on its end in the upcoming 2.0.0.5 release, which will prevent IE from sending Firefox malicious data. Of course, as Internet Explorer is a Microsoft program, Mozilla won't be able to fix the underlying Windows IE catalyst.

"It is important to note that if you are using Firefox to browse the Web, you are not vulnerable to this attack," Mozilla notes on its security blog, adding that the company hasn't seen any evidence of hackers actually exploiting this issue.

Browsing with Firefox solves this particular problem, but Secunia recommends a solution of simply not browsing untrusted sites with IE.

Opening the Door to Malicious Code

"The underlying issue is the number of Web sites that are hosting malicious code," Ronald O'Brien, a senior security analyst for Sophos, told LinuxInsider. "We know there are tens of thousands of Web sites that have been created that lack basic security aspects to them, and as such are readily hacked for the purpose of inserting malicous code onto them."

The likelihood that a computer can become infected sufficiently that it can be controlled remotely has increased dramatically, he noted. What O'Brien finds surprising -- and perhaps this is why there isn't a known exploit out and about in the wild yet -- is that simply getting a user to browse and click on a malicious link is usually enough to generate positive (malicious) results.

Next Article in Security

IM at Work, Part 2: Tools for Locking Down
July 06, 2007

Applications such as IM, Skype, and Web conferencing can deliver significant business value to business users. However, they can also introduce three main kinds of business risks: inbound threats, outbound leakage and regulatory and e-discovery non-compliance. The challenge is that many organizations have a mix of both public IM usage and enterprise IM usage.

More by Chris Maxcer

Let's Give the iPhone Hackers a Big Round of Applause
November 06, 2009

It's safe to say most Apple customers are satisfied living in the walled-off ecosystem that the company has created for products like the iPhone. Still, it's good to know that it is possible -- and relatively easy, even -- to bust through those walls if one should ever want to. The work of iPhone hackers is appreciated even by those who've never felt the jailbreak itch.

What the iPhone Needs to Keep the Android Hordes at Bay
October 30, 2009

The Android platform is growing fast, and Verizon is readying what may be the best Android phone yet. Consumers are getting more Android options on more networks. Meanwhile, Apple is sticking to a consistent device design on a single network. The iPhone doesn't need to branch off into multiple sizes and styles to be the dominant platform, but its single-U.S.-carrier situation is another story.

Apple Is Saving the Best for Last
October 23, 2009

Sifting through the language used in Apple's quarterly results conference calls can sometimes yield clues to the highly secretive company's next moves. Apple's latest phone chat with analysts included a few comments about December shipping costs and a mystery "product." Here's why we might see an Apple tablet before the new year.

[Search More...]

Microsoft	Activate Alert \| Search Archives

Mozilla Foundation	Activate Alert \| Search Archives

Secunia	Activate Alert \| Search Archives

Sophos	Activate Alert \| Search Archives