Mozilla fixes Firefox URL passing flaw
Mozilla has released Firefox 184.108.40.206 to fix two security vulnerabilities.
Of the two flaws, the more serious occurs where the browser fails to percent-encode spaces and double quotes in URLs passed to helper applications passed to helper applications. This allow malicious web pages to open programs with potentially dangerous command line parameters.
The other vulnerability is a privilege elevation bug involving extensions, which was accidentally introduced in Firefox 220.127.116.11.
The URL protocol handling flaw is similar to the firefoxurl:// URL vulnerability, which was fixed with the release of Firefox 18.104.22.168. This let an attacker user Internet Explorer to launch Firefox with malicious command line parameters. In the flaw fixed in Firefox 22.214.171.124, Firefox is used as the attack vector to start other applications with dangerous arguments. The exploit could be extended to execute any program in a known location, possibly passing dangerous command line parameters.
Firefox 126.96.36.199 is available via the built-in update feature or from mozilla.com/firefox. Detailed information can be found in the release notes. Equivalent updates to Thunderbird and SeaMonkey are expected soon.
Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.