Mozilla Corp. will patch Firefox against a nine-month-old protocol handler bug, its chief security executive announced Friday, after researchers demonstrated that the vulnerability was more serious than first thought.
The bug is another Uniform Resource Identifier (URI) protocol handler flaw, and the news of an impending fix comes on the heels of Microsoft patching Windows to repair problems in the handlers it registers. Protocol handlers — “mailto:” is among the most familiar — let browsers launch other programs such as an e-mail client through commands embedded in a URL.
But Firefox’s jar: protocol handler (the “.jar” extension stands for Java ARchive, a ZIP-style compression format) does not check that the files it calls are really in that format. Attackers can exploit the flaw by uploading any content — malicious code, for example, or a malformed Office document — to a Web site, then entice users to that site and its content with a link that includes the jar: protocol. Because the content executes in the security context of the hosting site, if that site (eg., a commercial photo sharing service) is trusted, then the malicious code runs as trusted within the browser too.
Firefox, Protocol, Exploit, Vulnerability, Mozilla, Browser, Patch