Mozilla Admits Firefox Exploit Caused by Firefox Bug, Not IE
The problem was first discovered by security engineer Thor Larholm, who gained recognition last month for having discovered a security hole in Apple's Safari for Windows pre-release two hours after having first obtained it. This time, Larholm reported his discovery as an "Internet Explorer 0day Exploit," by virtue of the fact that IE was the attack vector he originally discovered.
Later that day, information security expert Jesper Johansson wrote that although he could not get Larholm's exploit to behave exactly as he described, he could eliminate any possibility of the exploit altogether simply by unregistering Mozilla's own handlers from the command line. The direct implication there was that Firefox was not vulnerable because Firefox was responsible.
Meanwhile, Mozilla's security blog repeated a Microsoft spokesperson's comment that it would not be issuing a patch for the exploit.
On July 18, Mozilla released Firefox 220.127.116.11, ostensibly to manage the problem of Firefox receiving maliciously crafted URIs from IE. On her security blog that day, Mozilla's Snyder commented, "This patch for Firefox prevents Firefox from accepting bad data from Internet Explorer. It does not fix the critical vulnerability in Internet Explorer. Microsoft needs to patch Internet Explorer, but at last check, they were not planning to."
"Following Mozilla's, and Thor Larholm's logic," Johansson wrote, "Firefox is subject to the exact same flaw that they blame on IE! Firefox also does not escape quotes in URLs before it passes them on to protocol handlers. I won't speculate here on why they failed to fix that 'flaw' in the new version of Firefox that was just released."
This morning, Snyder was forced to concede the point. "We thought this was just a problem with IE," she wrote. "It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in 18.104.22.168. We believe that defense in depth is the best way to protect people, so we're investigating it now."