Security Issue in URL Protocol Handling on Windows

Today security firm Secunia released an advisory on a security issue found (apparently) simultaneously and independently by Greg MacManus and Billy Rios based on a previously reported issue in Safari found by Thor Larholm.

Any Windows application that calls a registered URL protocol without escaping quotes may be used to pass unexpected and potentially dangerous data to the application that registers that URL protocol. This could result in a critical security vulnerability.

The vulnerability is exposed when a user browses to a malicious web page in Internet Explorer and clicks on a specially crafted link. That link causes Internet Explorer to invoke another Windows program via the command line and pass that program the URL from the malicious web page without escaping the quotes. As a result, data from the malicious web page can reach the second Windows program as something other than the URL it was meant to be. In the specific attack described in the report, Internet Explorer sends URL data to Firefox. If the data is crafted a certain way, it will allow remote code execution in Firefox.
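The quoting problem described above, as an added example that is not code from Mozilla or from the original post: the handler template, the `exampleurl:` scheme and the `-injected-option` flag are constructed, and the argument splitter is a simplified stand-in for Windows command-line parsing. It contrasts substituting a URL into the quoted `%1` slot unescaped with percent-encoding it first, and adds an argument-count check that a receiving program could apply.

```python
from urllib.parse import quote

# Constructed handler registration: the URL is substituted for %1.
HANDLER_TEMPLATE = r'"C:\Program Files\ExampleApp\app.exe" -url "%1"'

def split_args(cmdline):
    """Simplified Windows-style splitting: whitespace separates arguments,
    double quotes group text. Backslash escape rules are left out."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def launch_unescaped(url):
    """Caller side, flawed: the URL goes into the quoted slot as-is."""
    return split_args(HANDLER_TEMPLATE.replace("%1", url))

def launch_escaped(url):
    """Caller side, corrected: quotes and spaces are percent-encoded first,
    so nothing in the URL can close the quoted %1 slot."""
    safe = quote(url, safe=":/?#[]@!$&'()*+,;=%-._~")
    return split_args(HANDLER_TEMPLATE.replace("%1", safe))

def handler_accepts(argv):
    """Receiving side (hypothetical check): exactly one URL value, no quote."""
    return len(argv) == 3 and argv[1] == "-url" and '"' not in argv[2]

# Constructed sample input; the flag name is a harmless placeholder.
CRAFTED = 'exampleurl:page" -injected-option "x'

if __name__ == "__main__":
    for launch in (launch_unescaped, launch_escaped):
        argv = launch(CRAFTED)
        print(launch.__name__, len(argv), argv[1:], handler_accepts(argv))
```

With the unescaped substitution the single URL becomes three separate arguments after `-url`; with percent-encoding it stays one argument, which is the only shape the receiving-side check accepts.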

A similar interaction between Safari and Firefox was reported earlier and fixed by Apple. According to Ryan Naraine at ZDNet, Microsoft is not planning to release a patch at this time.

Mozilla believes in defense in depth and will be patching Firefox in the upcoming 2.0.0.5 release to mitigate the problem. This will prevent IE from sending Firefox malicious data. Other Windows programs may also be vulnerable to bad data being passed from IE, although we are not aware of any at this time.

It is important to note that if you are using Firefox to browse the web you *are not* vulnerable to this attack. While we have seen no evidence of attackers exploiting this issue, proof of concept code is publicly available. So we recommend that people use Firefox and, as always, take care when browsing unknown websites.

We appreciate the work of the security researchers who identified this issue and the thousands of Mozilla community members who test patches and enable us to ship fixes so quickly. Mozilla is committed to identifying, prioritizing and fixing bugs to deliver the safest online experience for its users. We fix all bugs with any security risk as part of our commitment to security.


The Conversation {5 comments}

  1. Giorgio Maone {Wednesday July 11, 2007 @ 1:19 am}

    It’s worth noting that Firefox users with NoScript installed have already been protected both from the MacManus/Larholm remote code execution and from the Rios “Universal XSS” since June 22nd, see http://noscript.net/changelog#1.1.4.9.070622

    More generally, they’re protected from chrome privilege escalation gained by opening non-chrome URLs in top-level chrome windows (Larholm’s PoC) and from javascript: URLs being loaded in externally opened browser shells (Rios’ PoC), no matter whether attempted through the firefoxurl: handler (as in this specific case) or by other, as yet unknown, means.

  2. Charles Burnaford {Sunday July 15, 2007 @ 9:07 am}

    Can the problem be reproduced on Linux?

  3. Firefox {Tuesday July 24, 2007 @ 5:42 am}

    Can the problem be reproduced on Linux?
    yes!!!

  4. Sally Tarbell {Tuesday August 14, 2007 @ 5:49 am}

    Can this problem be reproduced on Sun SOLARIS?

  5. What is a URL? {Friday November 23, 2007 @ 4:49 pm}

    Sally Tarbell, it is a Windows vulnerability. Not Firefox/Mozilla. So SOLARIS is safe.
