A new zero-day vulnerability exists when both Firefox 2.x and Internet Explorer are installed on the same machine. The exploit is most likely to be available on PCs with Firefox 2.0.0.2 installed due to changes made for Microsoft Vista compatibility.
The general consensus of the comments are that both applications contribute the the exploit. Firefox is the attack vector and fails to validate the malicious code but Microsoft contributes by not properly passing quotes to the command line. You need to visit a malicious website using IE in order to trigger the exploit.
In a response to a user comment Thor Larholm responded:
… Firefox is the current attack vector but Internet Explorer is to blame for not escaping ” (quote) characters when passing on the input to the command line. I agree that Firefox could have registered its URL handler with pure DDE instead and thereby have avoided the possibility of a command line argument injection, but IE should still be able to safely launch external applications safely.
What I find interesting is the complexity of the requirements leading to the exploit. Neither product is vulnerable alone since both must be installed and both products have a flaw that contributes to the vulnerability.
Vulnerability Pits Firefox Against IE
The general consensus of the comments are that both applications contribute the the exploit. Firefox is the attack vector and fails to validate the malicious code but Microsoft contributes by not properly passing quotes to the command line. You need to visit a malicious website using IE in order to trigger the exploit.
In a response to a user comment Thor Larholm responded:
What I find interesting is the complexity of the requirements leading to the exploit. Neither product is vulnerable alone since both must be installed and both products have a flaw that contributes to the vulnerability.
Related Posts: