We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

IE versus Firefox in security blame game

Who's to blame for browser bug? IE or Firefox?

A security researcher has found a security bug that could be attacked in Internet Explorer. Mozilla said it plans to patch the problem in its next Firefox software update.

No, that's not a typo, just the strange fall-out from an unusual bug that had security researchers debating the question this week: "Who's to blame? Microsoft or Mozilla?"

Security researcher Thor Larholm [cq] kicked off the controversy yesterday, claiming that he had discovered a flaw that would let an attacker run commands on a victim's PC.

In his blog posting, Larholm said the bug was similar to a flaw he'd discovered last month in Apple's Safari 3.0 beta software, and he called it an "input validation flaw in Internet Explorer”. The problem is with a URL protocol handler component of Internet Explorer, he said. This software allows Internet Explorer users to launch applications such as Excel or Firefox by clicking on specially written links on web pages.

When Internet Explorer clicks on a link that launches the Firefox browser, however, the software does not properly check its syntax, and that, Larholm said, lets an attacker create a malicious link, that could be used in an attack. Security vendor Secunia ApS rates the flaw as 'highly critical'.

So while the flaw affects Internet Explorer users, it appears to be a risk only to those who already have Firefox installed. And to make matters more complicated, if a Firefox user were to click on one of the specially-written links, he would not be affected.

Still, Microsoft security program manager Mark Griesi said that the bug was not his company's problem. "We don't feel that there's an issue in IE and therefore there's nothing to be fixed," he said.

With Microsoft saying it won't fix the vulnerability, Mozilla said it would change the way its Firefox URL protocol handler worked in its next Firefox update. That will fix Larholm's bug, but Mozilla security strategist Window Snyder [cq] wouldn't say whether or not she considered the vulnerability to be an IE or Firefox problem. She did, however, point out that without Microsoft making changes to IE, other Windows programs may be at risk.

Noted browser bug-hunter Aviv Raff wrote in his blog that he thought both Microsoft and Mozilla were to blame.

But another security expert said that the responsibility to fix the problem lies with the open-source browser developers. "This is an oversight in how Mozilla decided to construct their protocol registration, and how they do input validation between this handler and their application," said Eric Schultze, chief security architect with Shavlik Technologies LLC. "I think Mozilla needs to write and release a patch for this issue and Microsoft can take the week off."

See also:

Browser face-off: Firefox versus Internet Explorer

Firefox 3.0 beta delayed until September


IDG UK Sites

iPad mini 3 vs iPad mini 2 comparison: New iPad mini 3 isn't worth £80 more

IDG UK Sites

Why you shouldn't buy the iPad mini 3: No wonder Apple gave it 10 seconds of stage time

IDG UK Sites

Halloween Photoshop tutorials: 13 masterclasses for horrifying art, designs and type

IDG UK Sites

Should I upgrade from Mavericks to OS X 10.10 Yosemite? What you need to know before updating to...