First Firefox 3 patch fixes a security hole linked to Safari
12:35 pm EDT July 16, 2008 - BetaNews has confirmed users' reports of Firefox 3.0.1 download attempts being met with "550 Permission Denied" errors, off and on throughout the day today. We've already downloaded and installed v3.0.1 ourselves previously, and thus far have noted no trouble with it.
In another sign that the good guys are not only becoming more clever but are cooperating more closely with vendors, a potentially serious problem with the newest Firefox was fixed before anyone could sound the alarms of impending doom.
Last month, an independent security researcher named Nitesh Dhanjani made news in Brian Krebs' security column in the Washington Post for having advised Apple of a serious security hole he discovered in Safari for Windows, and for how Apple responded with relative indifference. That news helped Apple change its tune and issue a security fix for the Windows-based Safari that plugs what Dhanjani referred to as a "carpet bomb" attack.
It's an aptly named exploit, emerging from the fact that Safari didn't inform users in advance when a script triggered it to download files, including to the desktop. As screenshots sent to Krebs at the Post indicate, the exploit results in a desktop chock full of unwanted files.
So what has this to do with Mozilla Firefox? As it turns out, another well-known security researcher named Billy "BK" Rios took Dhanjani's exploit one step further. Specifically, he discovered that if an unpatched Safari and any version of Firefox were installed on the same system, Safari could be triggered to download files that are, in fact, XUL scripts executable by Firefox. If Safari could place the downloaded file in a fixed or guessable location, Firefox could be triggered to execute that file by sending it a URI with the file:// prefix.
Once that happens, a script may give a malicious user access to the client's file system. Mozilla, to its credit, did not treat the issue with indifference, releasing a fix for Firefox 2 and the first security patch for Firefox 3.
In its security bulletin, Mozilla advised users of possible workarounds prior to implementing the patch, one being to leave Firefox running -- the browser can't be triggered into running the script unchecked if it's already active. It also implied that the absence of Safari may prevent the situation from occurring.