Security Issue in URL Protocol Handling on Windows
10 July 2007
Today security firm Secunia released an advisory on a security issue found (apparently) simultaneously and independently by Greg MacManus and Billy Rios, based on a previously reported issue in Safari found by Thor Larholm.
Any Windows application that calls a registered URL protocol without escaping quotes may be used to pass unexpected and potentially dangerous data to the application that registers that URL protocol. This could result in a critical security vulnerability.
The vulnerability is exposed when a user browses to a malicious web page in Internet Explorer and clicks on a specially crafted link. That link causes Internet Explorer to invoke another Windows program via the command line and then pass that program the URL from the malicious webpage without escaping the quotes. This can cause data to be passed accidentally from the malicious web page to the second Windows program. In the specific attack described in the report, Internet Explorer sends URL data to Firefox. If the data is crafted a certain way it will allow remote code execution in Firefox.
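The following sketch, added here as an illustration and not taken from the original post or from any browser's code, shows why unescaped quotes matter: it compares the argument list a receiving program sees when the caller substitutes a URL verbatim into a handler's command line with what it sees when the caller percent-encodes the URL first. The handler template, the `exampleurl:` scheme, the `-other-option` switch and the simplified argument splitter are all assumptions made for the example.

```python
from urllib.parse import quote

# Hypothetical handler registration (constructed for this example): the
# command line a protocol handler registers, with %1 standing for the URL.
HANDLER_TEMPLATE = '"C:\\Program Files\\ExampleApp\\app.exe" -url "%1"'

# Constructed sample URL containing double quotes and a made-up option.
SAMPLE_URL = 'exampleurl:page" -other-option "value'


def split_windows_args(cmdline):
    """Simplified Windows-style splitting: double quotes toggle quoting and
    whitespace separates arguments outside quotes (backslash rules omitted)."""
    args, current, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(current))
                current, started = [], False
        else:
            current.append(ch)
            started = True
    if started:
        args.append("".join(current))
    return args


def launch_args_naive(url):
    """Caller substitutes the URL verbatim, so a quote in it ends the argument."""
    return split_windows_args(HANDLER_TEMPLATE.replace("%1", url))


def launch_args_escaped(url):
    """Caller percent-encodes quotes and spaces before substitution."""
    safe_url = quote(url, safe=":/?#[]@!$&'()*+,;=%")
    return split_windows_args(HANDLER_TEMPLATE.replace("%1", safe_url))


if __name__ == "__main__":
    print("naive:  ", launch_args_naive(SAMPLE_URL))
    print("escaped:", launch_args_escaped(SAMPLE_URL))
```

With the verbatim substitution the receiving program is handed five arguments, two of which came from the web page; with escaping it receives three, and the whole URL stays inside the single `-url` value.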
A similar interaction between Safari and Firefox was reported earlier and fixed by Apple. According to Ryan Naraine at ZDNet, Microsoft is not planning to release a patch at this time.
Mozilla believes in defense in depth and will be patching Firefox in the upcoming 2.0.0.5 release to mitigate the problem. This will prevent IE from sending Firefox malicious data. Other Windows programs may also be vulnerable to bad data being passed from IE although we are not aware of any at this time.
It is important to note that if you are using Firefox to browse the web you *are not* vulnerable to this attack. While we have seen no evidence of attackers exploiting this issue, there is proof of concept code available publicly. So we recommend that people use Firefox and as always take care when browsing unknown websites.
We appreciate the work of the security researchers who identified this issue and the thousands of Mozilla community members who test patches and enable us to ship fixes so quickly. Mozilla is committed to identifying, prioritizing and fixing bugs to deliver the safest online experience for its users. We fix all bugs with any security risk as part of our commitment to security.
23 Responses to “Security Issue in URL Protocol Handling on Windows”
July 10th, 2007 at 4:46 pm
[…] Link to Article firefox Permanent Link to Security Issue in URL Protocol Handling on Windows » […]
July 11th, 2007 at 1:19 am
It’s worth noticing that Firefox users with NoScript installed have already been protected both from MacManus/Larholm remote code execution and from Rios “Universal XSS” since June 22nd, see http://noscript.net/changelog#1.1.4.9.070622
More generally, they’re protected from chrome privilege escalation gained by opening non-chrome URLs in top-level chrome windows (Larholm’s PoC) and from javascript: URLs being loaded in externally opened browser shells (Rios’ PoC), no matter if attempted through the firefoxurl: handler (like in this specific case) or by other yet unknown means.
July 11th, 2007 at 11:00 am
[…] Snyder, in a follow-up blog entry, spells it out clearly. Any Windows application that calls a registered URL protocol without […]
July 11th, 2007 at 12:13 pm
[…] seems to apply in this situation. Window Snyder, head of the security division at Mozilla, stated that Mozilla developers will create a patch so that Firefox no longer accepts just any kind of data […]
July 13th, 2007 at 1:50 am
[…] Since I posted that, Mozilla security chief Window Snyder has sounded off about the flaw in her blog. […]
July 14th, 2007 at 5:12 am
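[…] Mozilla's official blog explains that when a user browses a malicious website with IE and clicks a malicious link, other Windows applications may be launched through the command line in IE, and malicious data will be passed to those other Windows applications; if the malicious link causes IE to launch Firefox, an attacker can then remotely execute arbitrary code in Firefox. […]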
July 15th, 2007 at 9:07 am
Can the problem be reproduced on Linux?
July 15th, 2007 at 12:35 pm
[…] but failure being an orphan seems fitting here. Window Snyder, who heads security at Mozilla, wrote that Mozilla developers will patch Firefox so it no longer accepts bad data from IE. But she […]
July 16th, 2007 at 8:19 am
[…] http://blog.mozilla.com/security/2007/07/10/security-issue-in-url-protocol-handling-on-windows/ […]
July 17th, 2007 at 3:19 am
[…] not checked before it passes them on. Mozilla's head of security, Window Snyder, has already announced that the Mozilla developers will close the hole with the upcoming version 2.0.0.5. […]
July 17th, 2007 at 5:24 pm
Internet Explorer security flaw affects Firefox…
I was perusing Information Week as I often visit them due to the wealth of topics when I came across this. If you have both Internet Explorer and Mozilla Firefox on your computer, you could be at risk for a URL flaw caused by Internet Explorer passing…
July 18th, 2007 at 11:49 am
[…] Security Issue in URL Protocol Handling on Windows […]
July 19th, 2007 at 6:25 pm
[…] http://blog.mozilla.com/security/2007/07/10/security-issue-in-url-protocol-handling-on-windows/ http://secunia.com/advisories/25984/ http://www.securityfocus.com/bid/24837 […]
July 21st, 2007 at 6:15 am
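[…] Mozilla previously explained the vulnerability on its official blog, pointing out that when a user browses a malicious website with IE and clicks a malicious link, other Windows applications may be launched through the command line in IE, and malicious data will be passed to those other Windows applications; if the malicious link causes IE to launch Firefox, an attacker can then remotely execute arbitrary code in Firefox. […]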
July 23rd, 2007 at 6:05 pm
[…] Security Issue in URL Protocol Handling on Windows […]
July 23rd, 2007 at 7:58 pm
[…] Security Issue in URL Protocol Handling on Windows On July 10th, I posted about a security issue in URL protocol handling on Windows. In the previous example, Internet Explorer was the entry point and Firefox was the application […]
July 24th, 2007 at 1:38 am
[…] Mozilla believes in defense in depth and will be patching Firefox in the upcoming 2.0.0.5 release to… […]
July 24th, 2007 at 5:42 am
Can the problem be reproduced on Linux?
yes!!!
July 25th, 2007 at 11:03 am
[…] protocol handlers. Jesper Johanson has expressed his thoughts, as has David LeBlanc, Billy Rios, Window Snyder and pdp. Billy Rios just detailed yet another potential attack vector for protocol […]
July 31st, 2007 at 1:39 pm
[…] 10: Mozilla’s head of Security Strategy Window Snyder writes: “Today security firm Secunia released an advisory on a security issue found (apparently) […]
August 11th, 2007 at 10:17 pm
[…] details the problem as well in different […]
August 14th, 2007 at 5:49 am
Can this problem be reproduced on Sun SOLARIS?
November 23rd, 2007 at 4:49 pm
Sally Tarbell, it is a Windows vulnerability. Not Firefox/Mozilla. So SOLARIS is safe.