Security Exploit Uses Internet Explorer to Attack Mozilla Firefox

Wednesday July 11th, 2007

Firefox_User sent us a link to a CNET article about a security threat to Windows users with both Mozilla Firefox and Microsoft Internet Explorer installed. The issue can allow an attacker to remotely trick Firefox into executing potentially malicious code. However, a user has to be running Internet Explorer to actually get exploited.

Security researcher Thor Larholm has published a description of how the security flaw works, including a proof-of-concept (though some have reported that they cannot get this to work). When installed on Windows, Firefox registers a URL protocol handler to handle firefoxurl:// URLs (this works much like a http:// or ftp:// URL protocol handler). If an IE user visits a webpage that tries to call a firefoxurl:// URL (for example, using an iframe), IE will launch Firefox with no further prompting, passing it the URL. Neither IE nor Firefox escape or sanitise the URL, which allows an attacker to inject additional parameters into the command line used to invoke Firefox. Used in combination with the -chrome parameter, the attacker can make Firefox execute dangerous JavaScript code.

There's some debate as to where the blame lies — is it IE for passing untrusted data to another application or Firefox for not validating input properly? SecurityFocus refers to the problem as a Microsoft Internet Explorer FirefoxURL Protocol Handler Command Injection Vulnerability, placing the blame with Redmond, while Secunia calls it a Firefox "firefoxurl" URI Handler Registration Vulnerability, pointing the finger at Mozilla. quotes Oliver Friedrichs of Symantec's Security Response Center, who says, "It's a little bit of both."

On the official Mozilla Security Blog, the Mozilla Corporation's Window Synder (who used to work for Microsoft) says that a fix will be included in the forthcoming Firefox That said, she seems to suggest that she considers this to be mostly a problem with IE, noting that Apple fixed a similar issue with Safari recently. However, according to the ZDNet Zero Day security weblog, Microsoft claims the firefoxurl:// bug "is not a vulnerability in a Microsoft product".

On his weblog, Jesper Johansson (who also used to work for Microsoft), says the firefoxurl:// flaw is a Mozilla problem. He also provides instructions for unregistering the URL protocol handlers.

Thanks to roseman for some of the links used in this report.

#20 Re: Re: Re: Re: Re: Blame?

by MadMaverick9

Thursday July 12th, 2007 10:32 PM

You are replying to this message

One more time ....

So if mozilla decides to enhance the functionality of the "firefoxurl:" handler (additional parameters in the url for example), you expect IE to make the same enhancements on their side. It doesn't work that way.

"... gives me the urge of hitting someone with a blunt object." - please watch your language and keep it nice.

Please read Jesper's blog regarding this; he explains it better than I can: <…-firefox-gt-ie-0-day.aspx>

"Likewise, IE has no knowledge of what Firefox considers a valid URL and will simply pass on what it gets. Firefox needs to validate that it is not doing something untoward with that input. There is nothing in the protocol handler that informs IE how to perform input validation."

Get it???

Maybe I invoke the "firefoxurl:" handler from my own app and pass it some bad, bad input data. no IE involved here ....

It is always the receiver's responsibility to check its input, no matter what fancy checks the sender may have done. You do not rely on the sender havig done any kind of checking.

Same for cgi scripts; you never ever assume that your cgi script is only called from your webpage which has fancy javascript input checking. There are many other ways to call cgi scripts. So the cgi script always needs to check its input data ...

I give up ... if you don't understand ...