Lately it seems that nearly every week has seen the revelation of a new Internet Explorer vulnerability, and even the Department of Homeland Security is recommending that people switch to an alternative browser. That’s something I’ve long been promoting, for reasons of security, functionality and standards support, so it’s good to see others coming to the same conclusion.
Whilst I believe major open source projects like Mozilla do have security advantages over closed source equivalents, it’s important to remember that they are not immune to vulnerabilities and security exploits. Witness the revelation of an exploit for the Windows versions of Mozilla and Firefox which may allow attackers to run arbitrary code.
Interestingly enough, the vulnerability is simply that the browser passes the shell: scheme, which it does not recognise itself, straight on to Windows, and Windows can then be tricked into running a program that is already on the machine (provided the attacker knows where on the filesystem it lives). On its own that only launches an installed program; the jump to arbitrary code relies on there being Windows programs with known buffer overflows that can be started this way. Microsoft apparently doesn’t like the shell: scheme much either: it has been removed in XP SP2, so the exploit won’t work there.
The reports indicate that links in a Web page using the “shell:” scheme can execute arbitrary programs on the user’s system. The attacker would have to know the location in the file system of the program, but there are known programs in Windows with buffer overflows.
http://www.eweek.com/article2/0,1759,1621463,00.asp.
An update for both browsers is already available from the Mozilla site.
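The decision at the heart of this bug is what a browser does with a link whose scheme it does not render itself. Below is an added example in JavaScript, not code from the original post or from Mozilla, that models the two ways of making that decision: a blocklist (hand everything unknown to the OS except schemes that have been switched off) and an allowlist (hand only known-good schemes to the OS). The policy functions, the scheme sets and the sample links are constructed for illustration; the shell: target path is a placeholder, not a real exploit string.

```javascript
// Added example (not from the original post or from Mozilla): how a browser
// can decide what to do with a link whose scheme it does not render itself.
// Sample links and both policy functions are constructed for illustration;
// they model the decision, not Gecko's real dispatch code.

// RFC 3986 scheme: a letter, then letters/digits/"+"/"-"/".", ending at the
// first ":". Schemes are case-insensitive, so normalise to lower case: a
// policy that compared the raw text would let "SHELL:" slip past a "shell"
// entry. Leading/trailing whitespace is stripped, as URL parsers do.
// Returns null for a link with no scheme (a relative URL such as "page.html").
function parseScheme(href) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(href.trim());
  return m ? m[1].toLowerCase() : null;
}

// Schemes the browser renders itself; these never reach the OS.
const BROWSER_SCHEMES = new Set(["http", "https", "ftp", "file", "about"]);

// Policy 1, blocklist: anything the browser does not render goes to the OS
// unless its scheme has been switched off. This is the shape of the July
// 2004 fix, which disabled the shell scheme specifically.
function decideBlocklist(href, disabled = new Set(["shell"])) {
  const scheme = parseScheme(href);
  if (scheme === null || BROWSER_SCHEMES.has(scheme)) return "handled-by-browser";
  return disabled.has(scheme) ? "blocked" : "sent-to-os";
}

// Policy 2, allowlist: only schemes on an explicit list are handed to the
// OS; an unknown handler (shell:, or whichever one turns up next) cannot be
// reached from a web page at all.
function decideAllowlist(href, allowed = new Set(["mailto", "news"])) {
  const scheme = parseScheme(href);
  if (scheme === null || BROWSER_SCHEMES.has(scheme)) return "handled-by-browser";
  return allowed.has(scheme) ? "sent-to-os" : "blocked";
}

// Constructed sample links. The shell: target path is a placeholder, not a
// real exploit string; telnet: stands for any other scheme the browser does
// not render itself.
const SAMPLE_LINKS = [
  "http://www.eweek.com/article2/0,1759,1621463,00.asp",
  "mailto:someone@example.com",
  "shell:windows\\system32\\some-program.exe",
  "  SHELL:windows\\system32\\some-program.exe",
  "telnet://192.0.2.1/",
  "relative/page.html",
];

// Run both policies over a list of links and return one row per link.
function comparePolicies(links = SAMPLE_LINKS) {
  return links.map((href) => ({
    href,
    scheme: parseScheme(href),
    blocklist: decideBlocklist(href),
    allowlist: decideAllowlist(href),
  }));
}

for (const row of comparePolicies()) {
  console.log(
    `${JSON.stringify(row.href).padEnd(48)} scheme=${String(row.scheme).padEnd(8)}` +
      ` blocklist=${row.blocklist.padEnd(18)} allowlist=${row.allowlist}`
  );
}
```

The Mozilla update took the blocklist route: it sets the preference network.protocol-handler.external.shell to false, so the shell scheme is no longer forwarded but every other unrecognised scheme still is. The allowlist closes the whole class of bugs (whatever handler Windows registers next is unreachable from a page) at the cost of breaking legitimate handlers until they are added to the list. Note that both policies depend on parseScheme normalising case and whitespace; the fourth sample link is blocked only because of that.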
This entry was posted on Friday, July 9th, 2004 at 14:29 and is filed under Technology.