Thor Larholm, A security researcher has found a security bug that could be attacked in Internet Explorer. Mozilla said it plans to patch the problem in its next Firefox software update. No, that’s not a typo, just the strange fall-out from an unusual bug that had security researchers debating the question this week: “Who’s to blame? Microsoft or Mozilla?”
Thor Larholm kicked off the controversy yesterday, claiming that he had discovered a flaw that would let an attacker run commands on a victim’s PC.
In his blog posting, Thor Larholm said the bug was similar to a flaw he’d discovered last month in Apple’s Safari 3.0 beta software, and he called it an “input validation flaw in Internet Explorer”. The problem is with a URL protocol handler component of Internet Explorer, he said. This software allows Internet Explorer users to launch applications such as Excel or Firefox by clicking on specially written links on web pages.
When Internet Explorer clicks on a link that launches the Firefox browser, however, the software does not properly check its syntax, and that, Larholm said, lets an attacker create a malicious link, that could be used in an attack. Security vendor Secunia ApS rates the flaw as ‘highly critical’.
So while the flaw affects Internet Explorer users, it appears to be a risk only to those who already have Firefox installed. And to make matters more complicated, if a Firefox user were to click on one of the specially-written links, he would not be affected.
Read more at Larholm.com.