Well!
"It's a problem on both sides."
Thank you and goodnight.
It's been an eventful month for Window Snyder. As chief security something or other at Mozilla, Snyder has shepherded two updates that fixed critical vulnerabilities in the way the browser handles uniform resource identifiers. The most recent patch punctuated several weeks of debate over exactly who owned the vulnerability. …
The problem was that Firefox registers the 'firefoxurl:' URL scheme and failed to validate the data they were getting through it. That they are not validating the data is what makes it a Firefox problem.
They are using the same mechanism that Real Player uses to register 'rtsp:', Media Player to register 'mms:', Steam to register 'steam:', your mail program uses to register 'mailto:', and your browser uses to register 'http:' and 'https:'.
With the variety of url schemes supported, it's hardly reasonable to assume Microsoft can really validate each type.