Wednesday, July 11, 2007 8:45 AM cmosby

New Threat Pits Internet Explorer Against Firefox - Security Fix

 


Blueprints have been posted online detailing a cross-browser security threat that uses Microsoft's Internet Explorer Web browser to force Mozilla's Firefox browser to provide inroads for virus writers. While fans of both software makers are pointing the finger of blame at one another, one thing seems virtually certain: It may only be a matter of time before criminals begin exploiting the confusion to compromise home and business computers running the Windows operating system.

Software vulnerability research firm Secunia's advisory states that the problem stems from a flaw in Firefox that allows IE to forcibly launch Firefox and carry out instructions, such as downloading software or altering critical Windows system settings. Meanwhile, security researcher Thor Larholm, who discovered a similar bug in Apple's beta version of its Safari browser for Windows, said the problem is that IE doesn't properly filter out such requests when a user clicks on a specially crafted link.

Oliver Friedrichs, director of emerging technologies for Symantec Security Response, believes both software vendors are to blame for the current situation.

"Here we have a case of two very complex applications that simply don't play nice together, and when you put them both on the same machine it becomes a security problem that nobody foresaw," Friedrichs said. "This goes to the heart of how complex it is to build secure software that works well together."

According to ZDNet's Ryan Narine, Microsoft said it "has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product."

Meanwhile, Mozilla appears to be readying an update that should fix the problem from their end. Window Snyder, Mozilla's head of security strategy, said the company is working on an update to address the problem, but that there was no ETA on when that fix might be available.

One important point: If a Web site exploiting this dynamic appears in the wild, it should only be a threat to people who use IE to cruise the 'Net, and should not be a problem for people who browse exclusively with Firefox.

With any luck, Mozilla will push out an update quickly. Friedrichs isn't alone in warning that this shared vulnerability may soon be folded into existing automated attack tools that bad guys use to seed malicious (and even compromised legitimate) Web sites with instructions that seek to exploit known browser flaws.

"I think this is a pretty serious problem that can have widespread implications now that a proof-of-concept exploit is freely available," Friedrichs said. "It's really a matter of days before we see these exploits incorporated into those toolkits. After all, this isn't a terribly difficult vulnerability to exploit."

By Brian Krebs | July 11, 2007; 9:01 AM ET | Category: Latest Warnings

Source: New Threat Pits Internet Explorer Against Firefox - Security Fix
