By Tom Espiner
Friday, July 27 2007 11:02 AM
URL: http://www.zdnetasia.com/news/security/0,39044215,62029521,00.htm
The flaw lay in the way Firefox version 2.0.0.5 handled uniform resource identifiers (URIs), protocols that allow browsers to access software. Firefox failed to properly handle some URIs, which could have allowed remote malware execution.
Bugzilla@Mozilla posted the bug as "resolved fixed" on Wednesday. A link to the patch is available through the bug post.
Netscape Navigator 9 was also affected by the flaw, said Billy Rios, the security researcher who discovered it.
Rios called for developers to pay more attention to possible URI-handling vulnerabilities in their code, after a spate of browser difficulties involving URIs in Internet Explorer and Firefox.
According to Rios, developers must be aware that applications that install URI handlers on a PC can create an extra attack vector, because an attacker can then embed a link to the application in a Web page.
"Developers who intend to or have already registered URIs for their applications must understand that registering a URI handler exponentially increases the attack surface for that application," said Rios in his blog. "Please review your registered URI-handling mechanisms and audit the functionality called by those URIs."
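One way to start the review Rios asks for is to inventory the URI handlers registered on a machine. The script below is an added example, not code from the article or from Rios. It assumes a Windows PC, where a scheme counts as a URI handler when its key under HKEY_CLASSES_ROOT carries a "URL Protocol" value, and the `Unquoted` column is a heuristic chosen for this example.

```powershell
# Added example: inventory URI (URL protocol) handlers registered on this PC.
# Assumption: Windows, where a handler is a key under HKEY_CLASSES_ROOT that has
# a "URL Protocol" value and launches the program in shell\open\command.
$hkcr = [Microsoft.Win32.Registry]::ClassesRoot

$handlers = foreach ($name in $hkcr.GetSubKeyNames()) {
    # Some keys are not readable by the current user; skip those.
    try { $key = $hkcr.OpenSubKey($name) } catch { continue }
    if ($null -eq $key) { continue }
    try {
        # Only keys carrying the "URL Protocol" marker are URI handlers.
        if ($key.GetValueNames() -notcontains 'URL Protocol') { continue }

        $cmdKey  = $key.OpenSubKey('shell\open\command')
        $command = if ($cmdKey) { [string]$cmdKey.GetValue('') } else { '' }
        if ($cmdKey) { $cmdKey.Close() }

        # %1 / %L is where the full URI from the Web page lands on the command line.
        $passesUri = $command -match '%[1L]'
        # Heuristic: a placeholder outside double quotes lets a URI that contains
        # spaces be split into several arguments by the target program.
        $unquoted  = $passesUri -and ($command -notmatch '"[^"]*%[1L][^"]*"')

        [pscustomobject]@{
            Scheme    = $name
            Command   = $command
            PassesUri = $passesUri
            Unquoted  = $unquoted
        }
    } finally {
        $key.Close()
    }
}

# Every row is code reachable from a link in a Web page: audit what each
# command does with the URI it receives, starting with the Unquoted ones.
$handlers | Sort-Object Scheme | Format-Table -AutoSize -Wrap
```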