Firefox on Windows fails to properly parse command line parameters that are passed, allowing third party applications to run arbitrary code within the context of the trusted Chrome setting. Specifically, it is the registration of the 'FirefoxURL' handler which allows for commands to be passed to Firefox.

A separate issue exists with Firefox's handling of wyciwyg: URIs. It is possible for a local user (or website) to bypass the protections preventing access to these cache related URIs, thus allowing access to potentially sensitive content.

Description:

A demonstration of a vulnerability which allows attackers to pass arbitrary content to Firefox for execution in the 'Chrome' context has been released, using a link from within Internet Explorer to execute the attack. Another vulnerability has also been identified which allows for access to potentially sensitive cache content (on all systems).

Based on the available source code, it is possible for attackers to embed links in their websites such that when they are visited with Internet Explorer, arbitrary code can be run against Firefox on Windows.

Mitigation:

It is possible to deregister the 'FirefoxURL' handler in the Registry (caution is urged when manipulating the Registry), by modifying the setting of the 'HKEY_CLASSES_ROOT\FirefoxURL' entry.

Updates:

Not Yet Available

Source:

http://larholm.com/2007/07/10/internet-explorer-0day-exploit http://lcamtuf.coredump.cx/ffcache

Exploits:

http://larholm.com/2007/07/10/internet-explorer-0day-exploit http://lcamtuf.coredump.cx/ffcache

wyciwyg - https://bugzilla.mozilla.org/show_bug.cgi?id=387333