Hot on the heels of Monday's disclosure of spoofing vulnerabilities in most non-Internet Explorer browsers, a security researcher Tuesday unveiled another trio of bugs in Firefox and its Mozilla cousin.
The flaws, all of which involve some user action, can be used by hackers to drop code onto a PC, muck with the about:config element of the browser, or steal cookies that, for instance, provide instant access to protected Web sites.
"If you create a hybrid of a .gif image and a batch file you can trick Firefox," claimed the German researcher identified only as "mikx" by Danish security firm Secunia, in his original warning of one of the bugs.
"Since the hybrid renders as a valid image, Firefox tries to copy the image to the desktop when dropped. By creating the image dynamically and forcing the content type image/gif, the file can be of any extension (e.g. image.bat or image.exe). Since Windows hides known file extensions by default, a user can only tell that something went wrong by looking at the file icon, which is different of course. If the user does not care or know what this different icon means, a double click to view or edit the "image" he just dropped executes the batch file instead."
The vulnerabilities have been confirmed in Firefox 1.0 and Mozilla 1.7.5, the most current editions of the open-source browser and browser suite, respectively.
While Mozilla Foundation developers have implemented fixes, they haven't been rolled into a patch or a new version that can be downloaded and used without recompiling the code.
Is it remotely consistent with the principles of business "dirty pool" that those with something to gain by the failure of Firefox, Linux, etc. are related to this?
E.g. could some hackers be receiving payment to try to disrupt the more popular open-source desktop apps?
[Full Disclosure : Fortran and vi forever! ]