Mozilla Security Blog

Window Snyder’s Blog


Fix for Windows URL Protocol Handling Problem in Firefox 2.0.0.5

18 July 2007

Firefox 2.0.0.5 is now available and there is a fix for the URL protocol handling issue described here. We warned that other Windows applications may be vulnerable to this Internet Explorer issue, and on Sunday Nate McFeters, Billy Rios, and Raghav Dube posted a proof of concept that demonstrates the same attack through Internet Explorer to execute code in Trillian. Additionally, Thor Larholm says, “I can still automatically launch a wide range of external applications from Internet Explorer and provide them with arbitrary command line arguments. AcroRd32.exe (Adobe Acrobat PDF Reader), aim.exe (AOL Instant Messenger), Outlook.exe, msimn.exe (Outlook Express), netmeeting.exe, HelpCtr.exe (Windows Help Center), mirc.exe, Skype.exe, wab.exe (Windows Address Book) and wmplayer.exe (Windows Media Player) - just to name a few.”

This patch for Firefox prevents Firefox from accepting bad data from Internet Explorer. It does not fix the critical vulnerability in Internet Explorer. Microsoft needs to patch Internet Explorer, but at last check, they were not planning to. Mark Griesi is quoted in Infoworld saying “We don’t feel that there’s an issue in IE, and therefore, there’s nothing to be fixed.”

Mozilla recommends using Firefox to browse the web to prevent attackers from taking advantage of this vulnerability in Internet Explorer.


    21 Responses to “Fix for Windows URL Protocol Handling Problem in Firefox 2.0.0.5”

  1. University Update - Firefox - Permanent Link to Fix for Windows URL Protocol Handling Problem in Firefox 2.0.0.5 Says:

    […] Link to Article firefox Permanent Link to Fix for Windows URL Protocol Handling Problem in Firefox […]

  2. New FireFox 2.0.0.5 Fixes Security Issues at TabsFolio Says:

    […] Fix for Windows URL protocol handling problem Bookmark This Post: These icons link to social bookmarking sites where readers can share and discover new web pages. […]

  3. pseudotecnico:blog » Firefox, Microsoft and the bug in the URI handler Says:

    […] right away there was talk of a Firefox bug and not an Internet Explorer one: but are we so sure about that? Apparently the bug in question affects an unspecified number of Windows applications: here is a POC […]

  4. Poop on Firefox Says:

    So how is IE supposed to correctly parse every potential protocol handler securely? Each can do whatever they want and it is left open to the protocol implementor to do this safely. If you want IE to fix this, then I think the appropriate fix for them to do is to kill completely the whole idea of pluggable protocols because clearly the implementors of these protocols cannot do their job correctly.

  5. Window Snyder Says:

    I noticed that “Poop on Firefox” was posted by someone from tide535.microsoft.com.

    Thanks for contributing MS, I agree that there’s something wrong with the architecture if you cannot mitigate this type of attack as a primary entry point into the system.

  6. Be:Fox » Firefox and Thunderbird version 2.0.0.5 Says:

    […] Microsoft in the same way as a number of other applications. As Window Snyder points out on her blog, “this fix protects Firefox against accepting bad data coming from […]

  7. Mark Says:

    It’s not clear why you think IE has a vulnerability, since Firefox behaves pretty much the same way.

    Claims that Firefox sanitizes URIs are incorrect. Use the MSDN example and create a webpage with the following link:

    Click me

    Visit in Firefox 2.0.0.5 and note the alert.exe application gets two parameters.

  8. Mark Says:

    Replaced > and < with braces for readability.

    Claims that Firefox escapes URIs are incorrect. Use the MSDN example and create a webpage with the following link:

    [a href='alert:error" -chrome:foo']Click me[/a]

    Visit in Firefox 2.0.0.5 and note the alert.exe application gets two parameters.

  9. Eh Says:

    I fail to see why the problem is on IE. It correctly passes data to a 3rd party application, which in turn fails to validate input. How is that an IE problem? The same can be said that Firefox does not protect Trillian users from Trillian problems.
    If thinking threat modeling wise (*snork*), IE in this case is just a vector to a vulnerability in Firefox. Firefox needs to fix what it accepts.

    Mr Johansson summarizes this quite well on his blog post:
    (Jesper’s Blog)

  10. Pippetto Says:

    Hi Window,
    thanks for the suggestion for using a safer browser.
    Care to explain though why:
    1) the same “security” bug you claim affects IE, it seems to affect Firefox as well:
    (Jesper’s Blog)
    2) such “bug” was not fixed in the last version of Firefox, to “prevent attackers to take advantage of this vulnerability in Firefox”
    I hope security is really a priority in Mozilla! Good job!
    pippetto

  11. Ted Says:

    You should read this blog:
    (Jesper’s Blog)
    Basically, by using the same logic that Mozilla uses on this, Mozilla is not protecting Trillian from Trillian flaws either.

  12. Blackstorm Says:

    @Window Snyder:
    “Thanks for contributing MS, I agree that there’s something wrong with the architecture if you cannot mitigate this type of attack as a primary entry point into the system.”

    Something wrong with the architecture? Are you joking? Firefox is not able to handle its own URI, so the problem is with Windows architecture? Be serious. How can it be supposed that IE is by any means able to handle a someapplicationurl URI? It just passes it to someapplication, then the app must handle its own URI. And yeah, Trillian is bugged too… Oh, and btw, I would like if you read this:
    (Jesper’s Blog)
    and then try to imagine how it can be supposed for IE to patch this vulnerability of FF.

  13. .:Computer Defense:. » Firefox vs Internet Explorer… Who’s Really At Fault Says:

    […] 2.0.0.5) which prevents Firefox from accepting bad data passed in from Internet Explorer and Window Snyder commented on the Mozilla Security blog. A second post was written by Asa Dotzler which questioned the IE […]

  14. Sam Spade Says:

    Firefox suffers from the same “flaw” that you are slamming IE about.

    Cite: Hey Mozilla, quotes are not legal in a URL:

    (Jesper’s Blog)

    Now that it has been proven that Firefox does the same thing when it comes to passing data to protocol handlers, would you like to reconsider your statement that “Mozilla recommends using Firefox to browse the web to prevent attackers from taking advantage of this vulnerability in Internet Explorer.”

  15. smark Says:

    Any comments?

    (Jesper’s Blog)

  16. Mozilla Recommends Firefox 2.0 Against Internet Explorer 7 » D’ Technology Weblog: Technology News & Reviews Says:

    […] from taking advantage of this vulnerability in Internet Explorer,” stated Mozilla security chief Window Snyder. “This patch for Firefox prevents Firefox from accepting bad data from Internet Explorer. It does […]

  17. Mozilla Security Blog » Blog Archives » Related Security Issue in URL Protocol Handling on Windows Says:

    […] Fix for Windows URL Protocol Handling Problem in Firefox 2.0.0.5 […]

  18. Blackstorm Says:

    I wonder why my comment is yet waiting for moderation… I think that the truth can be painful, but deal with it: the bug is in Firefox, not in IE. Firefox is not able to handle its own URI. So it’s flawed.

  19. Window Snyder Says:

    “I wonder why my comment is yet waiting for moderation”

    Busy day folks. Read the post at the top of the blog today.

  20. Firefox Says:

    A second post was written by Asa Dotzler which questioned the IE???

  21. Frederik Vanderstraeten Says:

    You all fail to see that Internet Explorer doesn’t pass Firefox a string containing the URL, as it’s supposed to do, and you’re assuming it does.
    You can trick Internet Explorer into passing Firefox not only a string containing the URL, but also additional command-line parameters, and it’s impossible for Firefox to know if Internet Explorer meant to provide the extra command-line parameters, or if it was tricked to. (Unless by sort-of-hacking the command-line by providing a switch to ignore the rest of the parameters, as Firefox developers did now.)
    Anyone asking how Internet Explorer knows how to sanitize command-line parameters, it’s as easy as this:
    It should backslash-escape whatever surrounds the %1 in the protocol handler. So in this case, "%1", it should escape all double quotes in the URL. In the case of '%1', it should escape single quotes. If you still don’t believe it’s easy, e-mail me (click my name) and I’ll send it to you in your programming language of choice.
    Yes, this is a little complicated, but that’s obviously a flaw in the Windows command-line, not in Firefox, Firefox is just using it. (Although yes, Firefox could’ve used DDE.)
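
The escaping rule proposed in comment 21, worked through on the link from comment 8. This is an added example, not code from the original post, Firefox, or Internet Explorer; the handler path and template are hypothetical, and `split_argv` is a simplified model of the Microsoft C runtime argument rules that the launched program is assumed to use.

```python
# Added example: handler path and template are constructed for illustration.
# split_argv is a simplified model of the Microsoft C runtime argv rules.
TEMPLATE = '"C:\\example\\alert.exe" "%1"'   # hypothetical registered handler
URL = 'alert:error" -chrome:foo'             # link target quoted in comment 8

def split_argv(cmdline):
    """Split a command line into arguments (quote and backslash rules)."""
    args, cur, in_quotes, started, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\":
            n = 0
            while i < len(cmdline) and cmdline[i] == "\\":
                n, i = n + 1, i + 1
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append("\\" * (n // 2))   # 2n backslashes give n
                if n % 2:
                    cur.append('"')           # odd count: literal quote
                else:
                    in_quotes = not in_quotes
                i += 1
            else:
                cur.append("\\" * n)          # not before a quote: literal
            started = True
            continue
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
        i += 1
    return args + (["".join(cur)] if started else [])

def escape_for_quotes(value):
    """Backslash-escape value so it stays one argument inside "..."."""
    out, slashes = [], 0
    for ch in value:
        if ch == "\\":
            slashes += 1
            continue
        out.append("\\" * (2 * slashes + 1 if ch == '"' else slashes) + ch)
        slashes = 0
    return "".join(out) + "\\" * (2 * slashes)  # double trailing backslashes

def build(url, escape):
    """Fill the handler template, with or without escaping the URL."""
    return TEMPLATE.replace("%1", escape_for_quotes(url) if escape else url)
```

Without escaping, the handler receives two parameters, as comments 7 and 8 describe; with escaping, it receives the whole URL as one. The rule only holds for programs that parse their command line this way, which is the limitation comment 21 attributes to the Windows command line.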
