A second more serious security issue has been discovered which is also being fixed by the recently released Firefox 1.0.7.
The exploit, which is classified as ‘extremely critical’, exploits a security hole in the startup script of Firefox. By passing parameters in URL’s from external applications it is possible to perform commands when Firefox is configured to be the default browser.
The exploit can only be used on certain Linux and *nix systems.
“We have a work-around in xchat 2.4.5, but to really fix it you need to upgrade firefox and mozilla” XChat author Zed said to IRC-Junkie in a reaction.
To state the obvious, this is not an issue with XChat, or any other program passing on URL’s to Firefox, but an issue with Firefox/Mozilla which is using a bash script to startup.