Some time ago, barely half a month passed between the releases of Firefox versions 1.0.0.5 and 1.0.0.6 because a new critical vulnerability had been discovered. This time, after the release of version 2.0.0.5, it seems that we will not have to wait long either. About a week ago a new vulnerability was publicly disclosed that allows any program to be launched on a victim’s PC. The flaw was found in the URL-processing component. The same component is the source of another vulnerability, discovered the same day by Mozilla. The second vulnerability also allows any program to be launched on the remote computer. However, experts are not especially concerned about the discovered vulnerabilities and feel that they do not represent a critical risk. Window Snyder, head of the Mozilla Security Department, reported that work on testing the vulnerabilities and eliminating them has begun.
URL processing is a headache for Mozilla, and not for the first time. Earlier, this component led to disputes between Mozilla and Microsoft. It is worth noting that a so-called “pair” vulnerability was discovered recently, one that works only when IE 7 and Firefox 2 are installed on the same PC. The malicious code was launched via IE and used in Firefox. Microsoft still refuses to admit its browser’s errors and to release a patch for it.