KAZEY JOURNAL

7/19/2004

Arbitrary Code-Execution Vulnerability in Mozilla

Filed under: security — kayode muyibi @ 5:46 pm

Keith McCanless discovered a vulnerability in Windows-based versions
of Mozilla products involving Uniform Resource Identifiers (URIs) that
use the shell: scheme, which the browser passes to the OS for handling.
The effects of the vulnerability depend on the version of Windows, but
on Windows XP it’s possible to launch executables in known locations
or the default handlers for file extensions. An attacker could combine
this effect with a known buffer overrun in any of the affected Mozilla
programs to create a remote execution exploit. The Mozilla Foundation
has released the security bulletin “What Mozilla users should know
about the shell: protocol security issue,” which addresses this
vulnerability, and recommends that affected users immediately apply
the appropriate patch listed in the bulletin or upgrade to the latest
software release.

http://secadministrator.com/articles/index.cfm?articleid=43263
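
A default-deny scheme check of the kind that keeps shell: URIs from being handed to the OS, shown as an added example (it is not Mozilla's patch or code from the bulletin). The scheme lists, function names and sample links are assumptions made for illustration.

```javascript
// Added example: decide whether a link's scheme may be handed to the OS.
// Both scheme lists are assumptions; anything not listed is blocked.
const INTERNAL_SCHEMES = new Set(["http:", "https:"]); // handled in-app
const EXTERNAL_ALLOWED = new Set(["mailto:"]);         // may go to an OS handler

function classifyLink(href) {
  let url;
  try {
    // The WHATWG URL parser trims surrounding whitespace, strips embedded
    // tabs/newlines and lowercases the scheme, so "  SHELL:" and "sh\tell:"
    // are both compared as "shell:" instead of slipping past a string match.
    url = new URL(href);
  } catch (e) {
    return { action: "block", scheme: null, reason: "not an absolute URI" };
  }
  const scheme = url.protocol;
  if (INTERNAL_SCHEMES.has(scheme)) {
    return { action: "internal", scheme, reason: "handled by the application" };
  }
  if (EXTERNAL_ALLOWED.has(scheme)) {
    return { action: "external", scheme, reason: "allowlisted OS handler" };
  }
  return { action: "block", scheme, reason: "scheme not allowlisted for OS hand-off" };
}

// Apply the policy to every link and keep the decision next to the input,
// so blocked hand-off attempts can be logged and reviewed.
function audit(links) {
  return links.map((href) => ({ href, ...classifyLink(href) }));
}

// Constructed sample links (placeholders, not taken from the bulletin).
const SAMPLES = [
  "https://example.com/",
  "mailto:user@example.com",
  "shell:placeholder",
  "  SHELL:placeholder",
  "sh\tell:placeholder",
  "readme.txt",
];

for (const r of audit(SAMPLES)) {
  console.log(`${r.action.padEnd(8)} ${JSON.stringify(r.href)} (${r.reason})`);
}
```
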
