Security researchers have been feverishly blogging about a new cross-browser vulnerability that involves using IE to launch Firefox, which then executes arbitrary JavaScript in the foxy open-source software.
The exploit starts by directing a user to click a link in IE that uses the "firefoxurl:" URI. As one might expect, this URI allows a page to launch a new page in... Firefox! Thor Larholm, discoverer of the flaw, writes: "it is possible to specify arbitrary arguments to the “firefox.exe” process. This is where the “-chrome” command line argument comes in handy, as it allows us to specify arbitrary Javascript code which is then executed within the privileges of trusted Chrome content.".
Yummy - quite nasty really, provided you have use IE but have FF2 installed too. For those of you who like to pretend to root yourselves, there's a list of demos of the exploit.
Perhaps more interesting than the flaw itself, is the fact that researchers and blogging security folks can't agree on which browser is really at fault. IE allows the dodgy request to be sent, but Firefox accepts it.
Mozilla's said it'll patch the vulnerability so that IE doesn't go messing it around any more, also slipping in a recommendation to run Firefox all the time. Microsoft reckons IE's off the hook, suggesting that the problem doesn't lie with Microsoft. And perhaps that's true.
It all boils down to whether IE can know that its sending bad data to Firefox. IE needn't know what kinds of input Firefox should accept, so all it can do is ensure the URI is valid in the broader sense. Does it do that? We'll let the security researchers figure that one out.
