This is a pretty bad one with apparently no fix. I checked all
the URLs; I don't see any workaround where they mentioned:
"Added workaround to the 'Solution' section."
-Clint


TITLE:
Firefox "firefoxurl" URI Handler Registration Vulnerability

SECUNIA ADVISORY ID:
SA25984

VERIFY ADVISORY:
http://secunia.com/advisories/25984/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

REVISION:
1.1 originally posted 2007-07-10

SOFTWARE:
Mozilla Firefox 2.0.x
http://secunia.com/product/12434/

DESCRIPTION:
A vulnerability has been discovered in Firefox, which can be
exploited by malicious people to compromise a user's system.

The problem is that Firefox registers the "firefoxurl://" URI handler
and allows invoking Firefox with arbitrary command line arguments.
Using e.g. the "-chrome" parameter it is possible to execute
arbitrary JavaScript in chrome context. This can be exploited to
execute arbitrary commands e.g. when a user visits a malicious web
site using Microsoft Internet Explorer.

The vulnerability is confirmed in Firefox version 2.0.0.4 on a fully
patched Windows XP SP2. Other versions may also be affected.

SOLUTION:
Do not browse untrusted sites.

Disable the "Firefox URL" URI handler.

CHANGELOG:
2007-07-10: Added workaround to the "Solution" section.

ORIGINAL ADVISORY:
http://www.xs-sniper.com/sniperscope/IE-Pwns-Firefox.html

http://larholm.com/2007/07/10/internet-explorer-0day-exploit/
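
An added example, not part of the original post or the Secunia advisory: a PowerShell audit that reports whether a "firefoxurl" URI handler is still registered on a Windows host and which command line it launches, then inventories every other registered handler. It assumes the standard Windows layout for URL protocol handlers (a key under HKEY_CLASSES_ROOT named after the scheme, carrying a "URL Protocol" value, with the launch command under shell\open\command); the function name Get-UrlProtocolHandler is hypothetical.

```powershell
# Added example (not from the advisory): audit URL protocol handlers.
# Assumption: handlers use the standard layout HKEY_CLASSES_ROOT\<scheme>
# with a "URL Protocol" value and a command under shell\open\command.
# HKEY_CLASSES_ROOT is the merged per-machine and per-user view.

function Get-UrlProtocolHandler {
    param([string]$SchemePattern = '*')   # wildcard match on the scheme name

    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $SchemePattern } |
        ForEach-Object {
            # Only keys carrying a "URL Protocol" value are URI handlers.
            if ($_.GetValueNames() -contains 'URL Protocol') {
                $sub = $_.OpenSubKey('shell\open\command')
                # GetValue('') reads the key's unnamed default value.
                $command = if ($sub) { $sub.GetValue('') } else { $null }
                if ($sub) { $sub.Close() }
                [pscustomobject]@{
                    Scheme  = $_.PSChildName
                    Command = $command
                }
            }
        }
}

# Scheme name taken from the advisory; -like matching is case-insensitive.
$hit = Get-UrlProtocolHandler -SchemePattern 'firefoxurl'
if ($hit) {
    Write-Output 'firefoxurl handler is still registered:'
    $hit | Format-List
} else {
    Write-Output 'No firefoxurl handler is registered on this host.'
}

# Full inventory, so other handlers that pass the URL to a program's
# command line can be reviewed as well.
Get-UrlProtocolHandler | Sort-Object Scheme | Format-Table -AutoSize -Wrap
```

The script only reads the registry, so it can be run before and after applying the advisory's workaround to confirm the handler is gone.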