The bug, classified as “moderate” by Mozilla, takes advantage of the way URI (Uniform Resource Identifier) protocol handling is used to launch programs (for example, an email client) from the browser itself. Over the past few months, security researchers have discovered a growing number of ways such technology can be used maliciously, often as a way to install unauthorized software on a victim’s computer.
The URI patch is one of eight security fixes that Mozilla incorporated into the 188.8.131.52 update, released late last week.
Mozilla developers originally thought the problem occurred in Microsoft’s Internet Explorer software, which could be maliciously invoked from Firefox. However, several days after releasing their first patch, they realized that the issue also affected Firefox, so they released the 184.108.40.206 update.
Now, three months after that patch, they have patched another bug related to the handling of URIs in Firefox. The 220.127.116.11 update “did not prevent the execution of programs from the browser”, as indicated by Mozilla. “An additional fix has been applied in Firefox 18.104.22.168 that allows detecting when Windows incorrectly interprets these URIs so that the wrong program cannot be executed.”
Mozilla developers do not know for certain whether this new avenue of the URI-handling problem can actually be exploited in Firefox, but they decided to publish the patch to guard against that possibility, according to Window Snyder, Mozilla’s head of security.
Microsoft has indicated that it plans to patch the underlying components in the Windows operating system in an effort to prevent attacks based on URI protocol handling.
Version 22.214.171.124 also adds support for Apple’s Mac OS X 10.5 operating system, codenamed Leopard, although Mozilla indicates that “there are some known issues related to some plug-ins” on this platform.