Slashdot Mirror
Mozilla/Firefox Bug Allows Arbitrary Program Execution
treefort writes "An article at eWeek has the lowdown. The article also has a link to the bug report which addressed this issue some time ago. Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilites. Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000." New releases are already available on mozilla.org that fix this. Update: 07/09 00:41 GMT by CN : I removed the bum link to Bugzilla, since I guess they don't like us. Also I discovered that OSDN's own NewsForge has more on the situation.
FYI, in case you didn't read the article, you can download the fix here.
Sigs cause cancer.
And now for some helpful links:
Note: If you click on download links for firefox on the main page of mozilla.org, you get 0.9.2. The link on the firefox page @ http://www.mozilla.org/products/firefox/ still gets you 0.9.1. The link on the main page for the Linux version of Firefox still points to version 0.9.1. It seems that if you want 0.9.2 for Linux you'll have to compile it yourself.
0.8
0.9rc
0.9
0.9.1
0.9.2
And a direct link to the newest release for the really lazy:
Windows 0.9.2
The question is, what is the shellblock.xpi for?
Does Bugzilla know? Sorry, links to Bugzilla from Slashdot are disabled. Ook!
Casual Games/Downloads
If you were paying attention, you'd have noticed that it is already fixed. Not only that, but installing the fix is dead simple.
That's the opposite of hypocrisy. That's leading by example.
This particular bug has been in bugzilla for quite some time. Not sure why you think it was fixed "immediately". Remember, *you* just heard about the issue today and so the patch was not released in a timely fashion as you may believe. Awesome browser though no doubt!
This is NOT a firefox bug. It is a bug in an external protocol in windows - of which Mozilla calls. The fix is to disable ALL external windows protocols. (bittorrent, mirc, etc)
Mozilla hands off schemes it doesn't know to the operating system (Windows), and WINDOWS executes the shell scheme. It was obviously a security flaw in their eyes, too, as they fixed it in XP SP2. If you were able to run Windows with real restricted user accounts, this wouldn't really be such a problem.
There are no known exploitations of this in the wild, so it in no way shows that attackers are going for the common denominator of Mozilla installations.
Also note that this is a problem with Windows URI Handler rather than Mozilla. Mozilla passes any protocol it doesn't understand to Windows, and Windows uses it to execute a local file. That's why this problem doesn't exist in anything but Windows.
This just goes to show that Microsoft makes insecure software, and that insecurity often bleeds into otherwise trustworthy programs.
You can't judge a book by the way it wears its hair.
I don't like that the entire package had to be updated
I don't like that either. Nor the mozilla devs. So they posted a patch via an extension to be applied to ff, tb and seamonkey.
Cheers...
Strictly speaking, it's not a hole in Mozilla. It's a "feature" that can be used to turn local holes in other software into remote holes.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
That's why you need Mozilla with that handy "Launch This Page in IE" plugin. Referrer=null.
It explains the exploit is working with a specific syntax to invoke the program execution and it clearly mentionned the similar behavior for execution exists on W2K, but the syntax is different. Conclusion: The exploit exist only on WXP.
Achille Talon
Hop!
Eweek and Slashdot linked to bug 167475, implying that Mozilla developers knew about this hole in 2002. Fixing bug 167475 would have done approximately nothing to protect Mozilla users against the shell: hole in Windows, and that is why bug 167475 hasn't been fixed.
The correct bug number for this hole is bug 250180.
The shareholder is always right.
bugs are fixed instantly.
Hmm, this is obviously some strange usage of the word instantly that I wasn't previously aware of...
As the other posters have said, all over, the bug was opened in Sept 2002. Not far from 2 years ago.
A lot of people have the problem where, even after they've updated to firefox 0.9.1 (or now 0.9.2) the automatic update still says that there is a new update available (annoying).
Here's the fix:
Enter about:config in the location bar.
Enter update.app in the filter field. (Click on Enter)
Reset any prefs that appear in bold.
Restart Firefox.
taken from FireFox support newsgroup. [http://www.mozilla.org/support/]
...they didn't realise at that point that this could be launched without user interaction, that is what was posted to full disclosure - when that was written it was believed that a user had to be fooled into clicking on that link - a whole different ballgame.
True, I think this was something that should have been looked at earlier, but the same day the no-user interaction vuln was posted, there was a fix.
Is there a (proper) fix yet for the download.ject problem? No, even with the temporary "sticking plaster" that microsoft launched onto windows update this week there are still ways to exploit the problem. It will be months until a proper patch that fixes that will be released, if it is ever released at all.
Lets keep things in perspective and in context please.
I am NaN
That's not a report of this vulnerability. It's a comment about a proposed change that might have prevented this vulnerability, had it been implemented. At the time, there was no known actual vulnerability that demanded the change.
That's not a report of this vulnerability. It's a comment about a proposed change that might have prevented this vulnerability, had it been implemented. At the time, there was no known actual vulnerability that demanded the change.
The proposed change wouldn't even have prevented this vulnerability. It would have increased the requirement to exploit it from "Get the victim to visit your site" to "Get the victim to visit your site and click a link".
The shareholder is always right.
And how do you read your slashdot user page? It does not render properly (or sometimes at all) on Konqueror. As well as many other webs, because style engine is broken.
BTW, my Mozilla 1.7/linux on "shell:/bin/ls" says
Alert! shell is not a registered protocol
So, I see no problems with mozilla on linux.
Note, your Konqueror probably has some other obscure protocols, such as system:, settings: or programs: which may render your machine vulnerable by means you can't even imagine. You really should check if they are on just now.
There you are, staring at me again.
I doubt they will block Slashdotters.
It's less effort, really it is. We now return you, of your own volition, to Windoze hell.
Friends don't help friends install M$ junk.
Try this page: test page
After I installed the patch (without restarting Mozilla), all four example links were available to click on. Clicking on the fourth link, marked "Clicking this could crash your system!!!" did cause Mozilla to go crazy. It kept opening new windows stupidly fast until it crashed.
After it died, I restarted it and went back to the page - now three of the links are completely disabled (I can't even highlight them), and the link that does work (the one with the example iframe exploit) has no malicious effect - the iframe no longer shows the Windows tip but is empty instead.
So my version of Moz clearly wasn't fixed until it had been restarted.
I say we take-off and slashdot the site from orbit... it's the only way to be sure
As the other posters have said, all over, the bug was opened in Sept 2002. Not far from 2 years ago.
/. article is 2 years old, but the correct bug (250180) is one day old. Fixing the 2 year old bug would have only removed some of the methods of activating the underlying Windows bug, not all.
As other posters have been mistaken, so are you. The bug linked to in the
Mozilla
BUT, since I have XP SP2 installed (the latest release candidate), I can ignore 0.9.2 altogether? Or are other bug fixes included in this release?
You know this doesn't affect any OS that uses /bin, /sbin, or /usr directories right?
Mozilla does support different levels of trust. For example, a page on a remote website can't create an IFRAME whose SRC points at your local filesystem. A local file can do that. So I don't know what your point is.
This bug is about which Windows HTTP protocol handlers should be trusted. 'shell:' was trusted when it should not have been.
In this case, the browser is passing a URL to Microsoft's OS standard URL handler API, not the shell directly. For some benighted reason, Microsoft thought a "shell:" URL scheme was a great idea, and then left the security up to the application, not the OS, and then didn't tell anyone.
There is an auto-update for Firefox, take a look at Options > Advanced > Software Updates.
By default it will periodically check for updates for the main program and extensions. You can even set it up to automatically download and install these updates.
aus.music.scrapbook
Avant Browser and MyIE 2 are both programs that make use of IE for displaying and both contain tabbed browsing.
-]Phreak Out[-
But where is the auto-update feature for Firefox á la Windows XP, OS X, YAST or Up2date?
Tools -> Options -> Advanced -> Software Update.
To check manually: Tools -> Extensions -> Update.
It's not perfect yet, but remember, it's still 0.9.x, not 1.0.
(Wait, you did want an answer, right?)
This bug report is about executing unknown protocol handlers in other places except . Mozilla has had for a while now, a blacklist of bad protocols that it should not pass to the OS.
With this patch, "shell:" was added--quickly because the infastructure was there.
--Sam
Here you go.. an obvious, step-by-step guide.
Don't even need to double-click anything, it installs from inside the browser. No need for self-extracting executables.
The security exposure is apparently due to the fact that Mozilla, running on MS-Windows, will hand off any "URI scheme" Mozilla does not recognize to the OS. This only happens on MS-Windows. Since Windows may (and indeed, does, by default) know about URI schemes that do things you would not want a web page doing (like run programs), this is considered a problem for Mozilla.
g i?id=163767
d =167475
i d=250180
I have to agree that this is a Mozilla issue. To use a slightly contrived comparison: I read my mail using UW Pine. If someone sends me a script via attachment in email, I do not want Pine to test and see if the interpreter in the she-bang line is available on the host OS. My OS is not my mail reader; I do not want my mail reader allowing everything my OS can do. Ditto my web browser.
There appear to be at least three Mozilla Bugzilla Bugs related to this (likely a lot more):
#1 = Mozilla Bug 163767 (20 Aug 2002)
"Pref to disable external protocol handlers"
http://bugzilla.mozilla.org/show_bug.c
#2 = Mozilla Bug 167475 (9 Sep 2002)
"Disable external protocol handlers in all cases, excluding <A HREF"
http://bugzilla.mozilla.org/show_bug.cgi?i
#3 = Mozilla Bug 250180 (7 Jul 2004)
"Shell: protocol allows access to local files"
http://bugzilla.mozilla.org/show_bug.cgi?
It appears that Mozilla developers have been worried about this kind of problem going back to at least Aug 2002 (see #1 above). #1 talks about an option to disable external protocol handlers (URI schemes) by default. I have to say that would be the right thing to do. "Secure by default" is the correct approach.
#2 talks about an approach that uses context to determine if an external handler should be invokved. Basically, it assumes that if a user clicked a link, they wanted to invoke the handler; anything that happened implictly (such as image loading) should not invoke an external handler. I do agree with those who commented (in that bug) that this is not the right approach. It adds complexity, and it still fails to address the fact that clicking a link is not something that should just up and run anything the web page wants. If I wanted that, I'd use MSIE.
#3 is a reference to the "shell:" URI scheme in particular being abused this way. It blocks the "shell:" scheme to prevent that abuse. It does nothing to prevent abuses of other possible schemes, though. I suspect we may see this "feature" of Mozilla rear its ugly head again in the future.
This is not a failure of Open Source in particular. Nor does it prove Mozilla is crap or Microsoft is okay after all. It means that people make mistakes. This should not surprise anyone. Stop pointing fingers and fix the problem.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
nice, doesn't seem to work though. says there are no updates, or it couldn't find any, something like that. for both methods you suggested (and for several other plugins i've got insalled). anyone else got firefox's auto-update to work?
This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.
It requires clicking on a link in order to execute.
No, a sneaky little bastard could use <meta> refresh tags as well.
$ whatis themeaningoflife
themeaningoflife: not found
Yeah. But where is the auto-update feature for Firefox á la Windows XP, OS X, YAST or Up2date?
The French word à is spelled with a grave accent, rather than an acute one. If you're going to spell things like a smartass, at least get them right.
I hereby place the above post in the public domain.
for FireFox:
1. type "about:config" in your url bar
2. Find "network.protocol-handler.external.shell"
3. Change value to false
Thats all that you need to do to fix it.
Never Smoke A Banana.
Also, if you RTFA, you'd realise this was supposed to have been fixed in a Windows service pack, but isn't.
So yes, I blame microsoft :)
Problem doesn't exist on any other OS running firefox...
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
To all the people talking about how it's hypocritical to say a security flaw like this is no biggie for Mozilla and rant and rave on about a similar flaw in IE, think about this:
* Internet Explorer 6
* Firefox 0.9
Note the difference? Well, if you can't - basically Firefox is still not a 1.0 product - one that's ready to ship, whereas Internet Explorer is up to 6.whatever... one is a product that has been released, the other is still undergoing development.
Plus, the flaw only affects Windows systems, not Mac or Linux or whatever systems so the blame also partly lays with Microsoft.
I rest my case.
From the article:
So in other words, this fix only changes a pref which is easy to do without a huge download, etc. and is easy for the clueless, since it requires one click. Future versions will have a fix for the problem in general, rather than just this specific case.
There are 11 types of people in the world: those who can count in binary, and those who can't.
Because shell: doesn't exist on Linux.
shell: is like any other protocol, such as http: or ftp:. What Necko (the networking part of Mozilla) does is if it doesn't recognize the protocol, it asks the OS. Windows recognizes shell:, and lets it do pretty much anything. None of the other OSs recognize it, which is why this only affects Windows
There are 11 types of people in the world: those who can count in binary, and those who can't.
"Take the URI file:///c:/windows/system32/mspaint.exe Type it into the Address bar of IE - it works. Toss it into a webpage on the local machine and click on it - it works"
C urre ntVersion\Internet Settings\Zones\0
Doesn't work on mine. I see VERY few good reasons to need to be able to launch/download applications (or download fonts and run active script etc) from a local html page and thus I have disabled those options in the My Computer zone. I've also set things up so that copying and pasting gives me a prompt too.
Change the Flags to 1 in
HKEY_CURRENT_USER\Software\Microsoft\Windows\
And the My Computer zone becomes configurable.
However do note that windows explorer seems to rely on activex or active scripting IF you are not using the classic view.
This is off-topic, but nonetheless should be of interest to mozilla users who are forced to use Outlook at work. Even more so for people who use linux at work and are forced to access email via Outlook Web Access (sob!).
Mozilla support for exchange servers (without IMAP) looks like it should now be implementable.
Bug 128284
Please vote for this bug if you desperately _desperately_ (like me!) need support for exchange!
I hate to be picky but isn't Firefox designed for XP / 2k
Mozilla is a cross-platform web browser, it has not been specificly designed to run on one type of operaing system, such as Windows. There are also packages for most flavors of Linux/UNIX, including the source code.
so you'd think the devs might consider security flaws in them to be an important issue.
What Mozilla are doing is passing anything that the browser does not understand over to the OS, with a small hope that the OS will understand what it means. The bug aparantly affects Internet Explorer too, so it's more of a bug in the Windows OS more than anything.
As far as I'm aware IE does not directly run the shell: protocol but provides a dialogue offering the option to run / save / etc.
And yes, Mozilla is cross-platform, but Firesomething is designed for windows (with ports being a secondary consideration) - it doesn't seem unreasonable to expect some security protocol changes in light of that fact.
--
Stem
It is in fact an IE insecurity too as i just tested it with internet explorer and windows 2000
Odd! The article indicates:
The shell: syntax works only on Windows XP systems. According to one report, similar functionality is available on Windows 2000 but with different syntax.
"For every expert, there is an equal and opposite expert"
As hundreds of other people have already pointed out, the bug filed 2 years ago, while it would have helped if it were fixed _would not have solved this problem_. Read it. It would have just stopped the use of and tags to open shell: URIs, not tags or form submissions, and probably not javascript either.
Also, the reported wasn't aware of this specific problem. One poster was aware of another protocol scheme that could be used to cause problems, which was subsuquently blocked -- i.e. they fixed the reason the problem reported was dangerous without fixing the "bug" itself. And, as fixing this "bug" would have damaged Mozilla's functionality, this is probably a good thing.
IE (version 6.0.2800.1106.xpsp2.030422-1633 (not kidding, that's what it says), which appears to be the latest version (no patches pending in the update utility)) opens shell: URIs. So the answer to your question is YES, IE has this bug