Slashdot Mirror
Firefox and IE Still Not Getting Along
juct writes "Heise describes a new demo showing how Firefox running under Windows XP SP2 can be abused to start applications. For this to work, however, Internet Explorer 7 needs to be installed. This severe security problem promises another round in the 'who-is-to-blame-war' between Mozilla and Microsoft. Mozilla currently is leading the race for a patch, as they have one ready in their bugzilla database. 'The authors of the demo note that there are many further examples of such vulnerabilities via registered URIs. What is so far visible is just "the tip of the iceberg". They state that registered URIs are tantamount to a remote gateway into your computer. To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.'"
Just about any application can forward malicious data to IE7. Microsoft can blame Firefox all they want but the hole will still exist in IE7 after having been patched by the Mozilla org. I repeat, the hole is accessible from any application connecting to the internet, not just firefox. IE6 does not have this security issue so its safe to assume the fault lies with Microsoft. Last time when the roles was the other way around, when Firefox passed malicious things onto IE Microsoft said the receiving application was at fault because it should check if it could handle what it received. Well, this time thats just how it is, IE7 does not check what it receive at all. In short, IE7 is unsafer in this case than IE6 was and the fault does according to previous statements from Microsoft no lie in the sending application (Firefox) but in the receiver (Internet Explorer 7).
HTTP/1.1 400