Extremely Critical Flaw Found in FireFox

Secunia.org ^ | 2005-09-20 | Secunia.org

[Bush2000]

Extremely Critical Flaw Found in FireFox

Peter Zelezny has discovered a vulnerability in Firefox, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within backticks in the URL provided via the command line. This can e.g. be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4).

This vulnerability can only be exploited on Unix / Linux based environments.

The vulnerability has been confirmed in version 1.0.6 on Fedora Core 4 and Red Hat Enterprise Linux 4. Other versions and platforms may also be affected.

[Mount Athos]

This problem is unix only and fixed already in 1.07 which is available right now.

[ecurbh]

Previous thread on this: http://www.freerepublic.com/focus/f-news/1488895/posts

"The flaw can only be exploited on Unix or Linux based environments and can be fixed by upgrading to Firefox 1.0.7."

[flashbunny]

Timely, with 1.0.7 already released. A little late to the party, no?

And meanwhile, Microsoft still includes ActiveX in IE.

Which was the worst decision: ActiveX, or MS Bob?

I'd have to go with ActiveX. While both Bob and ActiveX were answers to questions no one asked, ActiveX has caused much more harm.

[Syntyr]

OHHH NOOOO...
First Katrina, then Rita NOW THIS!

Were DOOMED I tell you!

[Lekker 1]

LOL...not only a CRITICAL flaw, but an "EXTREMELY" CRITICAL flaw!

[ShadowAce]

[putupjob]

I'm running FireFox and it doesn't seem all that scary to me.

[Bush2000]

Timely, with 1.0.7 already released. A little late to the party, no?

Oh, right. You're one of those guys who think that releasing a patch is equivalent to patching all vulnerable machines...

It's only going to get harder for you guys. FireFox ain't any more secure than IE or Safari or whatever ...

[MikefromOhio]

just ignore Bush2000...

he can't get over the fact that although LINUX is for commies (allegedly), Microsuck is doing business with the Chicoms.....

[stinkerpot65]

From the Microsoft/Symantec publicity department.

[Bush2000]

Get this through your thick skull: I've continually condemned MS for dealing with the ChiComs.

[MikefromOhio]

LOL

righto...

anytime now your boy GoldenDoDo will start his crap as well....

[flashbunny]

"FireFox ain't any more secure than IE or Safari or whatever "

Yeah, because I hear firefox plans on adding Active X support soon.

[savedbygrace]

http://images.fedex.com/us/about/advertising/tvads/drama1.mov

[savedbygrace]

EXTREMELY CRITICAL more accurately describes the security firms that breathlessly report how Mozilla products are so much worse than IE.

[Bush2000]

anytime now your boy GoldenDoDo will start his crap as well....

He ain't "my boy", lamer.

[postaldave]

this just in......

Opera Web Browser will now launch a browsers riddled with viruses and security flaws so they can make it on the tech news pages too........

[steve86]

Patched it YESTERDAY.

[Bush2000]

Yeah, because I hear firefox plans on adding Active X support soon.

No need. They have equally insecure "plug-in" support already. Just subsitute "plug-in" for "Active X", and perhaps this will dawn on you.