LinuxInsider.com

Internet Explorer Linked to Firefox Security Hole


The latest browser war dustup pits Mozilla's Firefox against Microsoft's Internet Explorer, but this time the tiff isn't about market share. It appears that IE may undermine Firefox's security when a Net surfer clicks on malicious page links using the IE browser and Firefox also happens to be installed on the machine.


In an interesting twist on browser-based security issues, security researchers said they have found a flaw in which Microsoft's (Nasdaq: MSFT) Internet Explorer (IE) can cause Mozilla's Firefox to execute remote malicious code.

Security firm Secunia released an advisory Tuesday, ranking the flaw as highly critical. The vulnerability is confirmed on Firefox 2.0.0.4 on a fully patched version of Windows XP SP2.

How It Works

Basically, the end user must use IE to navigate to a malicious Web page and click on a link. The problem only occurs when the user also has Firefox installed -- it does nothing if Firefox isn't installed.

The link, according to Mozilla, can cause IE to invoke another Windows program -- in this case, Firefox -- via the command line and pass that program the URL from the malicious Web page. This can cause data to be passed from the malicious Web page to the second Windows program, which could allow remote code execution in Firefox, the browser's maker notes on its Mozilla Security Blog.

It may be possible to use the same method in IE to invoke action with other Windows programs, but none have yet been reported.
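The hand-off described above, as an added example that is not code from the article, Mozilla or Microsoft: a simplified model of one program passing a page-supplied URL to another on the command line, showing how an unencoded URL can change the argument list and how each side can check for it. The launch template, the `-url` switch, the `-extra-option` flag and the sample URLs are assumptions made for illustration; the article does not give the actual command line.

```python
from urllib.parse import quote

# Hypothetical launch template; the article does not give the real command line.
TEMPLATE = 'browser.exe -url "%1"'

def split_args(cmdline):
    """Simplified argument splitter: whitespace separates arguments and
    double quotes group text (not the full Windows parsing rules)."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def launch_naive(url):
    """Caller pastes the page-supplied URL into the template unchanged."""
    return split_args(TEMPLATE.replace("%1", url))

def launch_encoded(url):
    """Caller percent-encodes quotes and spaces before substitution."""
    safe_url = quote(url, safe=":/?#[]@!$&'()*+,;=%")
    return split_args(TEMPLATE.replace("%1", safe_url))

def receiver_accepts(argv):
    """Receiver-side check: program name, -url, and one http(s) URL only."""
    return (len(argv) == 3 and argv[1] == "-url"
            and argv[2].lower().startswith(("http://", "https://")))

# Constructed sample inputs; -extra-option is a made-up flag.
BENIGN = "http://example.com/page"
CRAFTED = 'http://example.com/" -extra-option "value'

if __name__ == "__main__":
    for label, url in (("benign", BENIGN), ("crafted", CRAFTED)):
        for launch in (launch_naive, launch_encoded):
            argv = launch(url)
            print(label, launch.__name__, argv, receiver_accepts(argv))
```

With the unencoded hand-off, the crafted URL arrives as five arguments instead of three and the receiver-side check rejects it; with encoding, it stays a single URL argument.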

No Immediate Fix

Mozilla and Microsoft don't have an immediate fix, but Mozilla said it will patch the problem on its end in the upcoming 2.0.0.5 release, which will prevent IE from sending Firefox malicious data. Of course, as Internet Explorer is a Microsoft program, Mozilla won't be able to fix the underlying Windows IE catalyst.

"It is important to note that if you are using Firefox to browse the Web, you are not vulnerable to this attack," Mozilla notes on its security blog, adding that the company hasn't seen any evidence of hackers actually exploiting this issue.

Browsing with Firefox solves this particular problem, but Secunia recommends a solution of simply not browsing untrusted sites with IE.

Opening the Door to Malicious Code

"The underlying issue is the number of Web sites that are hosting malicious code," Ronald O'Brien, a senior security analyst for Sophos, told LinuxInsider. "We know there are tens of thousands of Web sites that have been created that lack basic security aspects to them, and as such are readily hacked for the purpose of inserting malicious code onto them."

The likelihood that a computer can become infected sufficiently that it can be controlled remotely has increased dramatically, he noted. What O'Brien finds surprising -- and perhaps this is why there isn't a known exploit out and about in the wild yet -- is that simply getting a user to browse and click on a malicious link is usually enough to generate positive (malicious) results.




More by Chris Maxcer
