Related Security Issue in URL Protocol Handling on Windows

On July 10th, I posted about a security issue in URL protocol handling on Windows. In the previous example, Internet Explorer was the entry point and Firefox was the application receiving the bad data.

Over the weekend, we learned about a new scenario that identifies ways that Firefox could also be used as the entry point. While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application.

We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in 2.0.0.5. We believe that defense in depth is the best way to protect people, so we’re investigating it now.

We are working to make sure that we are giving you as much information about pressing security issues as possible. We make real-time updates as we find out new information because we are committed to an open and transparent security process.

For more information: https://bugzilla.mozilla.org/show_bug.cgi?id=389106

The Conversation {9 comments}

  1. Aaron Margosis {Monday July 23, 2007 @ 10:09 pm}

    I think Alun Jones hits the nail right on the head in this item:

    http://msmvps.com/blogs/alunj/archive/2007/07/22/firefoxurl-url-vulnerability.aspx

    and in his comment here regarding the C/C++ argument point:

    http://msinfluentials.com/blogs/jesper/archive/2007/07/10/blocking-the-firefox-gt-ie-0-day.aspx#6570

  2. Giorgio Maone {Tuesday July 24, 2007 @ 6:36 am}

    Bug 389106 is already fixed, big kudos for biesi and the other moz devs!

    While we’re waiting for Firefox 2.0.0.6 to ship, NoScript users can enjoy an early fix: http://noscript.net/getit#direct

  3. Bill Feagin {Tuesday July 24, 2007 @ 9:40 am}

    I just got an automatic update from Firefox that needed to be installed. Halfway through the installation, it quit, saying that my current security settings did not permit me to install the updates. The program was so hung up that I had to uninstall Firefox altogether. When I tried to reinstall Firefox, I got the same message saying that my current security setup did not allow me to install Firefox. How do I fix this? Bill

  4. Blackstorm {Tuesday July 24, 2007 @ 3:01 pm}

    My apologies for the previous comment about the delay of moderation… I think, anyway, that the solution lies only in a redefinition of the firefoxurl URI handler… actually the quotes can be used to create a badly formed URL, no matter what patches you release…

  5. asdf {Sunday July 29, 2007 @ 1:14 am}

    Both Microsoft and Mozilla are wrong on this one.

    Microsoft either:

    1. Should have used an array of strings as opposed to a single string for CreateProcess and WinMain.
    2. Should have written ShellExecute a less naive way that validates the format string and takes an array of strings instead of a string for parameters to do things the argc/argv way.
    3. Shouldn’t have used ShellExecute for url handlers.

    Given the above situation, it’s my opinion that IE is doing the correct thing and that Mozilla is doing the incorrect thing by trying to do things based on argc/argv instead of GetCommandLine because:

    1. The ShellExecute way has 10+ years of precedent.
    2. The ShellExecute way of URL handlers has been documented forever and “fixing” this would break some apps.
    3. If Firefox tries to do it the argc/argv way, there will be a hodgepodge of programs that read the documentation and did it the IE way and others that expect the command line to work the argc/argv way. That would be an even bigger nightmare than we have now.
    4. Trying to tack on the argc/argv way given the above model is lossy and will lead to multiple escaping/unescaping, which breaks the preservation recommendation in RFC 3986.

  6. zend {Monday December 17, 2007 @ 4:15 am}

    A hacker could use Firefox to launch another application, and possibly run malicious instructions. Now there is even some speculation that the bug is not even the fault of the browser, but is actually a flaw in Windows. Man, I can’t remember the last time that no one would take responsibility for a security-related bug like this.

  7. Cleocin {Tuesday January 22, 2008 @ 12:52 am}

    been hypocritical not to fix the similar issue in Firefox. The Mozilla Security Blog post about the URL protocol handling flaw states that “defense in depth is the best way to protect people” (although that weblog

  8. Andrea {Saturday July 26, 2008 @ 5:19 am}

    I use IE on my personal computer but Firefox is common on the PCs at the internet cafes here in Prague. Many hotels also use Firefox as the browser of choice on their computers reserved for guests.

    It’s my estimation that a problem occurring on both browsers on Microsoft should be fixed before we all chuck it and switch to those cool Apples that have just come out. Yeah!

  9. Day Spring Center {Monday January 5, 2009 @ 1:53 pm}

    I think this is a good blog & this information is very helpful & My site Christian counseling is about counseling in Dallas, Palno, Richardson.
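
Added example (not part of the original post or its comments, and not Mozilla's or Microsoft's code): the point raised in comments 4 and 5, a URL substituted into a single command-line string and then split argc/argv style, next to caller-side percent-encoding and a receiver-side check. The handler template, the viewer scheme and the URLs are constructed for illustration; backslash escaping rules are not modelled.

```python
from urllib.parse import quote

# Constructed handler command of the kind registered for a URL scheme on
# Windows; "%1" is replaced by the URL before the process is created.
TEMPLATE = r'"C:\Apps\viewer.exe" -url "%1"'
# Constructed URL containing a raw double quote and spaces.
CRAFTED_URL = 'viewer://host/page" -extra-switch "x'

def split_argv(cmdline):
    """Simplified argc/argv split: whitespace separates arguments and
    double quotes toggle quoting (assumption: no backslash handling)."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def launch_naive(url):
    """Entry point passes the URL through unchanged."""
    return split_argv(TEMPLATE.replace("%1", url))

def launch_escaped(url):
    """Entry point percent-encodes characters not allowed in a URL.
    '%' stays in the safe set so existing escapes are not encoded twice."""
    safe = quote(url, safe=":/?#[]@!$&'()*+,;=%")
    return split_argv(TEMPLATE.replace("%1", safe))

def check_handler_input(url):
    """Receiving application, defence in depth: refuse a URL that still
    contains a raw quote, whitespace or a control character."""
    return not any(c == '"' or c.isspace() or ord(c) < 0x20 for c in url)

if __name__ == "__main__":
    print(launch_naive(CRAFTED_URL))      # quote ends the argument early
    print(launch_escaped(CRAFTED_URL))    # URL stays one argument
    print(check_handler_input(CRAFTED_URL))
```

The naive path yields five arguments because the raw quote closes the "%1" argument; the escaped path keeps the whole URL as the single value after -url.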
