Security Issue in URL Protocol Handling on Windows
07.10.07 - 02:04pm
Today security firm Secunia released an advisory on a security issue found (apparently) simultaneously and independently by Greg MacManus and Billy Rios based on a previously reported issue in Safari found by Thor Larholm.
Any Windows application that calls a registered URL protocol without escaping quotes may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. This could result in a critical security vulnerability.
The vulnerability is exposed when a user browses to a malicious web page in Internet Explorer and clicks on a specially crafted link. That link causes Internet Explorer to invoke another Windows program via the command line and then pass that program the URL from the malicious webpage without escaping the quotes. This can cause data to be passed accidentally from the malicious web page to the second Windows program. In the specific attack described in the report, Internet Explorer sends URL data to Firefox. If the data is crafted a certain way it will allow remote code execution in Firefox.
A similar interaction between Safari and Firefox was reported earlier and fixed by Apple. According to Ryan Naraine at ZDNet, Microsoft is not planning to release a patch at this time.
Mozilla believes in defense in depth and will be patching Firefox in the upcoming 2.0.0.5 release to mitigate the problem. This will prevent IE from sending Firefox malicious data. Other Windows programs may also be vulnerable to bad data being passed from IE although we are not aware of any at this time.
It is important to note that if you are using Firefox to browse the web you *are not* vulnerable to this attack. While we have seen no evidence of attackers exploiting this issue, there is proof of concept code available publicly. So we recommend that people use Firefox and as always take care when browsing unknown websites.
We appreciate the work of the security researchers who identified this issue and the thousands of Mozilla community members who test patches and enable us to ship fixes so quickly. Mozilla is committed to identifying, prioritizing and fixing bugs to deliver the safest online experience for its users. We fix all bugs with any security risk as part of our commitment to security.
It’s worth noticing that Firefox users with NoScript installed have been already protected both from MacManus/Larholm remote code execution and from Rios “Universal XSS” since June, the 22th, see http://noscript.net/changelog#1.1.4.9.070622
More in general, they’re protected from chrome privilege escalation gained by opening non-chrome URLs in top-level chrome windows (Larholm’s PoC) and from javascript: URLs being loaded in externally opened browser shells (Rios’ PoC), no matter if attempted through the firefoxurl: handler (like in this specific case) or by other yet unknown means.
Can the problem be reproduced on Linux?
Can the problem be reproduced on Linux?
yes!!!
Can this problem be reproduced on Sun SOLARIS?
Sally Tarbell, it is a Windows vulnerability. Not Firefox/Mozilla. So SOLARIS is safe.
I would like to express my deep appreciation for what you are doing for the people all around the world to help them to being able of communicate with each other
As a member I want to say I am so glad that I am a member in the best of the best Internet Browser in the world.
As well as I need your help for same problem which I have
For example I want to be security my I-P and passing filtering Sites by V-P-N software but I don’t know how I do can do it.
Finally I wish for all Mozilla Firefox personals to be happy and lucky and healthy that thy are working everywhere
Waiting for your kind response
Best regards,
19/01/2009
Azizi