Mozilla admits Firefox is flawed just like IE

Mozilla's chief security officer acknowledged that Firefox has a "critical vulnerability"

In a public mea culpa, Mozilla's chief security officer acknowledged Monday that Firefox includes the same flaw that the company called a "critical vulnerability" in Internet Explorer during a two-week ruckus over responsibility for a Windows zero-day bug.

"Over the weekend, we learned about a new scenario that identifies ways that Firefox could also be used as the entry point," said Window Snyder of Mozilla. "While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application.

"We thought this was just a problem with IE," Snyder continued. "It turns out, it is a problem with Firefox as well."

The argument over responsibility for a flaw that involved both IE and Firefox began two weeks ago, when Danish researcher Thor Larholm argued that IE contained an input validation bug that passes potentially malicious URLs to other applications. Larholm called out Firefox's "firefoxurl://" protocol as one that IE mishandled. He staked out the position that IE was to blame, while other security experts said it was Firefox's fault.

As fingers pointed, Mozilla patched the IE-Firefox interaction bug by releasing an update, Version 2.0.0.5. Even so, Snyder and others continued to argue that IE was the problem. "Microsoft needs to patch Internet Explorer," Snyder said last Wednesday. That same day, Asa Dotzler, director of community development, contrasted what he said were the differences between Microsoft and Mozilla on the bug. "We think it's Firefox's job to ensure that users are protected from malicious Web sites when they're surfing the Web in Firefox. Apparently, Microsoft doesn't think the same for IE," Dotzler said then.

Friday, Jesper Johansson, a former Microsoft security strategist but now a security program manager at Amazon.com, spelled out how Firefox was as guilty as IE of failing to validate input. In a post that leaned on the metaphor of "glass houses," Johansson showed how Firefox passes potentially malicious URLs to other applications, including the multiple-service instant messaging client Trillian. "Firefox is subject to the exact same flaw that they blame on IE. Firefox also does not escape quotes in URLs before it passes them on to protocol handlers," he said.

Snyder did not credit Johansson by name for alerting Mozilla to the Firefox bug, but she admitted that the flaw should have been spotted. "We should have caught this scenario when we fixed the related problem in 2.0.0.5," she said.

She did not specify when a patch would be issued, but one is in the works, according to an entry in Bugzilla.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?