Mozilla has released Firefox 2.0.0.6 to fix two security vulnerabilities.
Of the two flaws, the more serious occurs where the browser fails to percent-encode spaces and double quotes in URLs passed to helper applications passed to helper applications. This allow malicious web pages to open programs with potentially dangerous command line parameters.
The other vulnerability is a privilege elevation bug involving extensions, which was accidentally introduced in Firefox 2.0.0.5.
The URL protocol handling flaw is similar to the firefoxurl:// URL vulnerability, which was fixed with the release of Firefox 2.0.0.5. This let an attacker user Internet Explorer to launch Firefox with malicious command line parameters. In the flaw fixed in Firefox 2.0.0.6, Firefox is used as the attack vector to start other applications with dangerous arguments. The exploit could be extended to execute any program in a known location, possibly passing dangerous command line parameters.
Firefox 2.0.0.6 is available via the built-in update feature or from mozilla.com/firefox. Detailed information can be found in the release notes. Equivalent updates to Thunderbird and SeaMonkey are expected soon.
Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.
