Mozilla plugs protocol handling flaw

Mozilla upgraded Firefox this week to plug a flaw that could allow an attacker to bypass security and open URIs using the Firefox command line interface.

The protocol handling errors were discovered by security researcher Billy Rios. Mozilla released Firefox 3.0.1 and Firefox 2.0.0.16.

Rios said an attacker can pass the URI from a remote webpage to FireFox.exe.

Mozilla said URIs pose a danger by allowing an attacker to read data or place a malicious file on the victim’s hard drive.

“This attack only works if the user is using another internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack,” Mozilla said in its advisory.

Rios also discovered a flaw in the Opera browser, which has been fixed. In both cases, Rios said the browser security teams worked quickly and took the threats seriously.

