Aug 01 2007
Two Firefox Bugs Fixed
Posted by: Sierra Monica B. in Software

This week Mozilla released two new fixes for bugs affecting Firefox and IE7. Because of these vulnerabilities, the Firefox browser passes risky information to third-party applications such as Internet Explorer.
On 17 July 2007, version 2.0.0.5 of Firefox was released with new patches for high and critical vulnerabilities such as unauthorized access to wyciwyg:// documents, XSS using addEventListener and setTimeout, crashes with evidence of memory corruption (rv:1.8.1.5), privilege escalation using an event handler attached to an element not in the document, and remote code execution by launching Firefox from Internet Explorer.
The latest version of Firefox, 2.0.0.6, was released on Monday, right before this week's BlackHat security conference in Las Vegas. The new version brings two new bug fixes that prevent dangerous information from being passed to third-party applications.
The two fixes are MFSA 2007-27 and MFSA 2007-26.
The first, rated critical, prevents unescaped URIs from being passed to external programs. In other words, a receiving program can mistakenly interpret a single URI as multiple arguments, which in the earlier version 2.0.0.4 of Thunderbird and Firefox could be used to run arbitrary code.
The second fix, MFSA 2007-26, is rated moderate and prevents privilege escalation through chrome-loaded about:blank windows.
The Mozilla advisory stated that "A similar issue with URIs passed to external handlers was reported by Billy Rios and Nate McFeters" and "When running Firefox on Windows XP with IE7 installed, URIs for certain common protocols (such as mailto:) that contain a %00 do not launch the protocol handler registered for that scheme, but instead launch a file handling program based on the file extension at the end of the URI. Coupled with the issue reported by Jesper Johansson, this appears to allow execution of any program installed at a known location and limited argument passing that might be enough to exploit a system."
After Mozilla acknowledged a week ago that Firefox and IE were both culpable for this problem, security researcher Thor Larholm explained this input validation flaw in a blog post. When Firefox is installed on the system, it registers a URL protocol handler, and when IE encounters a reference to content inside the FirefoxURL URL scheme, ShellExecute is called with the EXE image path and the entire request URL is passed without input validation. This means that if someone using Internet Explorer visits a website that tries to call a Firefox URL, the Microsoft browser will launch Firefox without prompting and pass the URL to it. This would lead to execution of malicious JavaScript code.
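The argument-splitting problem described for MFSA 2007-27 and for the FirefoxURL hand-off, as an added example that is not from the original post or from Mozilla: it shows a raw URI being pasted into a handler command line next to a hardened hand-off that rejects %00 and percent-encodes quotes and spaces. The handler path, the `--injected-flag` name and the quote-only parser (no backslash rules) are assumptions, and the sample URI is constructed.

```python
from urllib.parse import quote

# Hypothetical handler registration in the usual "program" -url "%1" style
# (assumed for illustration; not taken from the page).
HANDLER_TEMPLATE = r'"C:\Program Files\ExampleHandler\handler.exe" -url "%1"'

def split_command_line(cmd):
    """Simplified Windows-style splitting: whitespace separates arguments
    unless inside double quotes, and a double quote toggles quoting.
    Backslash escaping is deliberately left out of this model."""
    args, current, in_quotes, started = [], [], False, False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(current))
                current, started = [], False
        else:
            current.append(ch)
            started = True
    if started:
        args.append("".join(current))
    return args

def launch_args_unsafe(uri):
    """The flawed hand-off: the raw URI is substituted into the command line."""
    return split_command_line(HANDLER_TEMPLATE.replace("%1", uri))

def launch_args_hardened(uri):
    """Reject NUL bytes (raw or encoded), then percent-encode characters
    that could end the quoted argument before substitution."""
    if "%00" in uri or "\x00" in uri:
        raise ValueError("URI contains a NUL byte")
    # URI syntax characters and existing %XX escapes are kept;
    # space and '"' become %20 and %22.
    safe_uri = quote(uri, safe=":/?#[]@!$&'()*+,;=%~")
    return split_command_line(HANDLER_TEMPLATE.replace("%1", safe_uri))

# Constructed sample input: a URI carrying a double quote and spaces.
SAMPLE_URI = 'mailto:user@example.com" --injected-flag "x'

if __name__ == "__main__":
    print(launch_args_unsafe(SAMPLE_URI))    # five arguments reach the handler
    print(launch_args_hardened(SAMPLE_URI))  # three arguments, URI intact
```
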




