Firefox and IE Still Not Getting Along

juct writes "Heise describes a new demo showing how Firefox running under Windows XP SP2 can be abused to start applications. For this to work, however, Internet Explorer 7 needs to be installed. This severe security problem promises another round in the 'who-is-to-blame-war' between Mozilla and Microsoft. Mozilla currently is leading the race for a patch, as they have one ready in their bugzilla database. 'The authors of the demo note that there are many further examples of such vulnerabilities via registered URIs. What is so far visible is just "the tip of the iceberg". They state that registered URIs are tantamount to a remote gateway into your computer. To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.'"

Kinda cool

[d3ac0n]

Actually, while incredibly insecure, it is kinda cool to be able to slap in any program path in that malformed string and open any program.

For example, try this one if you have EVE installed on your PC: (You will have to copy-paste it as the Slashdot filter prevents the links from working.)

snews:%00%00../../../../../../windows/system32/cmd ".exe../../../../../../../../Program Files/CCP/EVE/eve.exe " - " blah.bat