
LUPA Open Source Community


Mozilla Firefox 2.0.0.6 released

2007-8-3 13:11 | Posted by: walkerxk | Views: 1977 | Comments: 0

Mozilla Firefox 2.0.0.6 has been released. This browser update fixes two security vulnerabilities, which are detailed in the Firefox 2.0.0.6 section of the Mozilla Foundation Security Advisories page.

The more serious flaw involves Firefox not percent-encoding spaces and double quotes in URLs passed to helper applications, which could allow a malicious web page to launch a program with potentially dangerous command-line parameters. The other vulnerability is a privilege-escalation bug involving extensions, which was accidentally introduced in Firefox 2.0.0.5.

The URL protocol handling flaw is a similar class of exploit to the firefoxurl:// URL vulnerability, which was fixed with the release of Firefox 2.0.0.5. In the original firefoxurl:// exploit, an attacker could use Microsoft Internet Explorer to launch Firefox with malicious command line parameters. In the flaw fixed in Firefox 2.0.0.6, Firefox is used as the attack vector to start other applications with dangerous arguments. The exploit could be extended to execute any program in a known location, possibly passing dangerous command line parameters.
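To make the two preceding paragraphs concrete, here is an added example (not Firefox code, and not from the advisory) that models a protocol handler registered as a command-line template and shows what the helper receives when an attacker-controlled URL contains raw spaces and double quotes, before and after the percent-encoding fix the page describes. The `foo:` scheme, the `helper-app` binary, the `--unsafe-option` flag and the attack URL are all constructed for illustration; the command line is tokenised with POSIX shell rules as an approximation of what the launched helper sees.

```python
import shlex

# Constructed for this example: a hypothetical registration for a made-up
# "foo:" scheme. Like many handler registrations it is a command-line
# template in which %1 is replaced by the whole URL, wrapped in quotes.
HANDLER_TEMPLATE = 'helper-app "%1"'

# Constructed attacker-controlled URL. The literal double quotes and spaces
# are the payload: they close the quoted %1 argument, smuggle in an option
# (a hypothetical "--unsafe-option", standing in for whatever the helper
# would accept) and reopen the quotes so the template still parses.
ATTACK_URL = 'foo:x" --unsafe-option /tmp/evil "'


def build_command_vulnerable(template, url):
    """Pre-2.0.0.6 behaviour as the page describes it: the raw URL is
    substituted into the handler template without any encoding."""
    return template.replace("%1", url)


def encode_for_helper(url):
    """The 2.0.0.6 fix as the page describes it: percent-encode the two
    characters that can break out of a quoted argument. Only space and
    double quote are touched, so existing %XX escapes are left alone."""
    return url.replace(" ", "%20").replace('"', "%22")


def build_command_fixed(template, url):
    """Same template, but the URL is encoded before substitution."""
    return template.replace("%1", encode_for_helper(url))


def argv_seen_by_helper(command_line):
    """Split the command line the way a POSIX shell would, which is what
    the helper ends up receiving as argv. Windows applies its own
    CommandLineToArgvW rules, but quotes and spaces delimit arguments
    there too, so the shape of the problem is the same."""
    return shlex.split(command_line)


def injected_arguments(template, url):
    """Arguments the helper receives beyond argv[0] and the single URL it
    should have been handed. Non-empty means the URL escaped its quotes."""
    return argv_seen_by_helper(build_command_vulnerable(template, url))[2:]


if __name__ == "__main__":
    for label, builder in (("vulnerable", build_command_vulnerable),
                           ("fixed", build_command_fixed)):
        cmd = builder(HANDLER_TEMPLATE, ATTACK_URL)
        print(f"{label:10s} command line: {cmd}")
        print(f"{label:10s} helper argv:  {argv_seen_by_helper(cmd)}")
```

With the raw URL the helper sees five arguments, including the injected `--unsafe-option /tmp/evil`; with the encoded URL it sees exactly one argument after argv[0], the URL itself. Encoding the two dangerous characters is what the release did, but the more robust design is to avoid building a string for a shell at all and hand the helper an argv array directly, so that no character in the URL can act as an argument delimiter.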

Whether or not it's Firefox's responsibility to ensure that data passed to external applications is (relatively) safe is a matter for debate. When the original firefoxurl:// URL vulnerability was discovered, Microsoft claimed that IE was not at fault. However, as Mozilla maintained at the time that the blame lay with IE, it would have been hypocritical not to fix the similar issue in Firefox. The Mozilla Security Blog post about the URL protocol handling flaw states that "defense in depth is the best way to protect people" (although that weblog post says that only Windows is affected, discussion in bug 389106 indicates that Linux and Mac OS X may also be vulnerable).

Firefox prompts the user before launching most helper applications and shows the command line parameters, so users of vulnerable versions would receive some warning of an attack (though only the savvy are likely to be knowledgeable enough to distinguish between safe and malicious command lines). However, some protocols related to email and newsgroups (specifically, mailto, news, nntp and snews) do not prompt the user before launching an external application, so vulnerable mail and newsgroup applications could be exploited with minimal user intervention (Thunderbird 2.0.0.4 and earlier is one such application, due to its variant of the firefoxurl:// problem).

More details about Firefox 2.0.0.6 can be found in the Firefox 2.0.0.6 Release Notes. The new version can be downloaded from the Firefox 2.0.0.6 product page. Existing Firefox 2 users with the software update feature enabled (it's on by default) will be prompted to upgrade. Equivalent releases of Thunderbird (both 2 and 1.5) and SeaMonkey are expected soon.



