One “critical” and one “moderate” vulnerabilities are patched in this update. The critical update is “Unescaped URIs passed to external programs” which is similar to the vulnerability that was found when IE 7 passed a malformed URI to Firefox.

The moderate vulnerability is “Privilege escalation through chrome-loaded about:blank windows”. This was dependant on add-ons creating about:blank windows.

Two other vulnerabilities were rated as “critical” by the Firefox team. A critical rating means:

Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.

Two vulnerabilities were rated as “high” which means:

Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.

The remaining three vulnerabilities where rated as moderate (1) or low(2).

The update will be installed through Firefox’s auto-update feature. You can force an update check by going to the Help on the menu and selecting “Check for Updates…”. You can also download the full version from the website and run the installation over your current installation. The update is for all languages on all operating systems.

The general consensus of the comments are that both applications contribute the the exploit. Firefox is the attack vector and fails to validate the malicious code but Microsoft contributes by not properly passing quotes to the command line. You need to visit a malicious website using IE in order to trigger the exploit.

In a response to a user comment Thor Larholm responded:

… Firefox is the current attack vector but Internet Explorer is to blame for not escaping ” (quote) characters when passing on the input to the command line. I agree that Firefox could have registered its URL handler with pure DDE instead and thereby have avoided the possibility of a command line argument injection, but IE should still be able to safely launch external applications safely.

What I find interesting is the complexity of the requirements leading to the exploit. Neither product is vulnerable alone since both must be installed and both products have a flaw that contributes to the vulnerability.

Enhancements include “enchancements and fixes for Windows Vista” and support for two new languages – Afrikaans (af) and Belarusian (be).

Beginning with version 2.0.0.3 there was a problem with the Java Console which is documented by Mozilla, this also exists with this update.

The Sun JRE installs a Java console extension in the program directory, which is not visible in Tools -> Add-ons. JRE 6 is not compatible with Firefox 2.0.0.3 due to the manifest file setting the maximum version number to 2.0.0.0. This causes a message about the Java console being disabled when you upgrade to Firefox 2.0.0.3. If you change that number to 2.0.0.* configure the Java control panel to show the Java console and run a Java applet, sometimes the console will work, other times it will hang Firefox (so it seems to be more than just a version check problem)

You’ll probably receive a warning that this add-on isn’t compatible when you install this update. If you need the java console refer to the FAQ for alternatives.

The update is available through Firefox’s built-in update function or you can download it from Mozilla.

Firefox 1.5 was also updated to Firefox 1.5.0.12 and includes similar updates. Mozilla has stated they intend this to be the last update to the 1.5 branch of their product.