New Attack Gets at Firefox Through IE
Plus: iPhone's Safari problem, and a slew of critical Microsoft patches.
Beware, dual browser users: In a rare twist, a Mozilla Firefox browser bug could give an attacker control of your PC if you happen to click a booby-trapped link in Microsoft's Internet Explorer.
If you browse with IE but don't have Firefox installed, you're fine. If you browse with Firefox, you're hunky-dory. But if you have both and click a poisoned link in IE, Microsoft's browser will start Firefox, which will run the attack command contained in the passed-along URL.
Though Microsoft and Mozilla each said that the other was at fault, Mozilla released a fix in its version 2.0.0.5 update, sent via Firefox's automatic update feature. If you're an IE user and haven't started Firefox in a while, fire up the alternate browser and select
A problem in the iPhone's Safari browser introduces a hole that an attacker might exploit via a drive-by download from a malicious Web page to take over the phone. Researchers at Independent Security Evaluators discovered the flaw, which affects Mac and Windows versions of Safari, too. To make sure you have the mobile fix, connect your iPhone to your PC, select your phone in iTunes, and click
Microsoft's latest batch of patches (all available via Automatic Updates) corrects three critical flaws, along with other less dangerous holes. The most important vulnerability affects users of Windows XP SP2 and 2000 SP4 who've installed versions 1.0, 1.1, or 2.0 of the popular .Net Framework, used by many programs, including some excellent free downloads. Viewing a poisoned site with IE could trigger an attack. And an Excel vulnerability could expose your PC to a takeover if you open a tainted spreadsheet in Excel 2000. The flaw is rated only "important" for newer Excel versions. The other critical flaw mostly concerns IT administrators, as it hits the Active Directory implementation in Windows 2000 Server and Server 2003.
Adobe's Flash Player can trigger an attack if you open a specially crafted .swf movie file in versions matching or prior to 9.0.45.0, 8.0.34.0, or 7.0.69.0 on any supported OS. Use the auto-update feature to get the fix.
Apple scotched a bevy of nasty bugs in its QuickTime player that would let attackers run any command on your system after you viewed a rigged site or opened a hacked movie file. Versions prior to 7.2 for Windows XP SP2, Windows Vista, and Mac OS X are at risk. Apple's security bulletin has details, plus links to the corrected version, sent via Apple's automatic updates.
Stuart J. Johnston
