Mozilla and Opera suffer security scares

The Mozilla Foundation has issued patches for a flaw in its browsers that could allow an attacker to execute existing applications on a Windows XP machine. Researchers have also discovered a bug in Opera Software ASA's browser that could be exploited to make users falsely believe they are visiting a trusted website, such as a banking site.

The bugs in Mozilla and Opera, which together account for about five percent of browser users, follow on the heels of a string of Internet Explorer attacks that appear to be convincing many users to explore IE's alternatives.

After some security vendors suggested switching browsers as one form of protection from the latest bugs, Mozilla and Opera have experienced a huge jump in downloads, the vendors say. Security experts caution that non-IE browsers are subject to some of the same vulnerabilities as Microsoft's browser, but concede that the alternatives probably are safer.

The Mozilla flaw was publicized on public security mailing list Full Disclosure on Wednesday, along with a link to Mozilla's fix. The group released updated versions of the Mozilla Application Suite, Firefox and Thunderbird fixing the problem, and on Thursday released a small download that eliminates the bug by reconfiguring the affected software.

"We have confirmed that the bug affects only users of Microsoft's Windows operating system. The issue does not affect Linux or Macintosh users," Mozilla said in its advisory, which also contains instructions on patching affected systems.

The bug is caused by the way the way Windows XP implements the "shell:" URI handler and the fact that Mozilla doesn't restrict access to the handler. The flaw means that an attacker could invoke an existing application on Windows XP via the browser, though the attack would be limited by an inability to pass parameters along to the application, according to an advisory from security firm Secunia.

An additional level of threat comes from the fact that some applications contain flaws that could potentially be exploited to run malicious code on the target PC, Secunia said. Mozilla's fix disables the use of the "shell:" handler. The flaw's discovery is attributed to Joshua Perrymon and Andreas Sandblad. "The shell: URI handler is inherently insecure and should only be accessed from a few trusted sites -- or not from a browser at all," Secunia said. "Multiple exploits in Internet Explorer also utilize 'shell:' functionality."

The Opera bug, publicized by security firms on Thursday, could allow the browser to appear to be displaying a trusted site while actually displaying a malicious one, in order for example to trick a user out of his bank login information -- a type of exploit known as phishing.

The problem is that the browser displays the URL before actually loading a page. In a proof-of-concept exploit released on the Web, the user clicks on a link leading to a trusted site such as a bank, and the bank's URL is displayed -- but the browser is set in an endless loop that prevents it from actually loading the page. Meanwhile, in an invisible frame, the browser loads another page that could be a malicious duplicate of the bank's site.

Users can head off the problem by disabling JavaScript. In addition, researchers noted that users are safe if they enter the desired URL themselves, rather than following a link from another site.

The recent IE exploits were exceptionally serious because they were found in the wild, rather than just existing as proofs of concept, analysts say. However, alternative browsers aren't necessarily immune from such attacks. For example, one attack used Microsoft's powerful ActiveX scripting technology, which isn't supported by Opera or Mozilla. However, those browsers, along with Apple Computer Inc.'s Safari, will soon support a similarly powerful, cross-platform scripting technology, raising the question of how they will deal with any accompanying security concerns. Another attack involved IE's Browser Help Objects (BHOs) -- but other browsers have their own BHO equivalents, though these haven't been exploited.

Some features implemented on all browsers are now being reconsidered as security holes; BHOs are one. Another allows one Web page to load arbitrary content into a frame of another page; this could allow an attacker to, for example, substitute his own login window on a bank's website, according to a Secunia advisory issued last week. The feature is found in IE, Mozilla, Opera, Safari and Mozilla derivatives such as Konqueror, and has been around for six years.

"We believe that it is important that Microsoft and the other vendors seriously consider the minor gains from such 'functionality' against the possible consequences for their customers," said Secunia CTO Thomas Kristensen. "In our opinion, this is a vulnerability and should be treated as such, whether the vendors implemented this intentionally or not."

Some browser vendors agreed: Mozilla and Firefox were updated two weeks ago to remove the feature, and Microsoft said it is considering blocking the feature with the release of Windows XP Service Pack 2.

In the bigger picture, however, other browsers clearly have far fewer security issues than IE, according to security experts. A database collating advisories from various sources, has collected 54 vulnerability advisories for IE 6.x during 2003 and 2004, 42 percent of which were "highly critical " or "extremely critical", and 32 percent of which granted system access. Opera 7.x had 26 bugs, 17 percent of which were highly or extremely critical, and Mozilla 1.3 and later had a total of 12 advisories, none of which were more than moderately critical.

"While other browsers also have problems, it seems evident that vulnerabilities are a bit more frequent and serious in IE," said Secunia's Kristensen.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matthew Broersma
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?