Mozilla fixes Firefox URL passing flaw
Mozilla has released Firefox 126.96.36.199 to fix two security vulnerabilities.
Of the two flaws, the more serious occurs where the browser fails to percent-encode spaces and double quotes in URLs passed to helper applications passed to helper applications. This allow malicious web pages to open programs with potentially dangerous command line parameters.
The other vulnerability is a privilege elevation bug involving extensions, which was accidentally introduced in Firefox 188.8.131.52.
The URL protocol handling flaw is similar to the firefoxurl:// URL vulnerability, which was fixed with the release of Firefox 184.108.40.206. This let an attacker user Internet Explorer to launch Firefox with malicious command line parameters. In the flaw fixed in Firefox 220.127.116.11, Firefox is used as the attack vector to start other applications with dangerous arguments. The exploit could be extended to execute any program in a known location, possibly passing dangerous command line parameters.
Firefox 18.104.22.168 is available via the built-in update feature or from mozilla.com/firefox. Detailed information can be found in the release notes. Equivalent updates to Thunderbird and SeaMonkey are expected soon.