Mozilla/Firefox Bug Allows Arbitrary Program Execution
treefort writes "An article at eWeek has the lowdown. The article also has a link to the bug report which addressed this issue some time ago. Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilities. Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000." New releases are already available on mozilla.org that fix this. Update: 07/09 00:41 GMT by CN : I removed the bum link to Bugzilla, since I guess they don't like us. Also I discovered that OSDN's own NewsForge has more on the situation.
FYI, in case you didn't read the article, you can download the fix here.
Sigs cause cancer.
And now for some helpful links:
Note: If you click on download links for firefox on the main page of mozilla.org, you get 0.9.2. The link on the firefox page @ http://www.mozilla.org/products/firefox/ still gets you 0.9.1. The link on the main page for the Linux version of Firefox still points to version 0.9.1. It seems that if you want 0.9.2 for Linux you'll have to compile it yourself.
0.8
0.9rc
0.9
0.9.1
0.9.2
And a direct link to the newest release for the really lazy:
Windows 0.9.2
The question is, what is the shellblock.xpi for?
Does Bugzilla know? Sorry, links to Bugzilla from Slashdot are disabled. Ook!
Casual Games/Downloads
"Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000"...there goes a perfectly good Ha-Ha!. You've bested me this time *NIX...But you haven't seen the last of ME! BWAHAHA!
Releases are available already. One of the (many) reasons I switched to the Gecko browsers from IE, because they actually update their software.
Note how fast it was patched compared to the fact that IE still doesn't have tabbed browsing.
If you liked my post,
I guess that this is a big deal because I can't remember the last time Mozilla had a remote hole in it.
MOUNT TAPE U1439 ON B3, NO RING
"Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilities."
Seriously.
I can't help but think that this thread from earlier today can be seen as good news from a security context...
Just how does Mozilla/FireFox think it's going to keep malware from tricking the users into granting permission when the clueless masses come over from IE?
"Researchers are reporting another security issue in Web browsing under Windows"
Sounds like a Windows problem, not a Mozilla problem. Oh, wait a minute...
Current versions of Mozilla and Firefox pass unknown protocol handlers to the operating system shell to handle.
Ding! Next. However:
The attacker would have to know the location in the file system of the program
So just in case, I'm renaming my /bin, /sbin, and /usr directories to /zurg, /mumph, and /splunge. Bring it, you haxx0rs!
malicious persons are much more unlikely to target any vulnerabilities
I disagree... if anything, malicious people are MUCH more likely to target vulnerabilities.
$0.02 (CDN)
who's leaving it unfixed?
Of course bugs will appear in Firefox.
Nobody in their right mind can expect a product to be perfect, but what makes Mozilla different is that bugs are fixed instantly. And that's because of the open source community, which is far more reliable than the competition.
People might disagree with me, but I still think these bugs (and their immediate fixes) only show how great open source really is.
Erm, the exploit is fixed. I hate hypocrisy as much as the next person, but RTFP.
I watched C-beams glitter in the dark near the Tannhauser gate.
This is NOT a Firefox bug. It is a bug in an external protocol in Windows, which Mozilla calls. The fix is to disable ALL external Windows protocols. (bittorrent, mirc, etc)
How dangerous Mozilla can be. Everyone should be listening to Microsoft and use a secure browser such as Internet Explorer that isn't littered with security vulnerabilities.
Mozilla hands off schemes it doesn't know to the operating system (Windows), and WINDOWS executes the shell scheme. It was obviously a security flaw in their eyes, too, as they fixed it in XP SP2. If you were able to run Windows with real restricted user accounts, this wouldn't really be such a problem.
In IE, if I type
file:///c:/windows/system32/mspaint.exe
I can load the program; in Firefox it prompts me to download it and disables the open option.
Does this mean IE has always been vulnerable to this type of bug?
Strictly speaking, it's not an exploit in Mozilla/Firefox. It's a hole that can be used to access exploits in other software -- basically, it can turn what was a local exploit into a remote one.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Isn't this a bit like the bug that Safari (and OS X URI handling in general) had earlier?
English is easier said than done.
Well, for all those who are browser-shopping, FireFox gets marked off the list of contenders. Who's next?
NCSA Mosaic?
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
There are no known exploitations of this in the wild, so it in no way shows that attackers are going for the common denominator of Mozilla installations.
Also note that this is a problem with Windows URI Handler rather than Mozilla. Mozilla passes any protocol it doesn't understand to Windows, and Windows uses it to execute a local file. That's why this problem doesn't exist in anything but Windows.
This just goes to show that Microsoft makes insecure software, and that insecurity often bleeds into otherwise trustworthy programs.
You can't judge a book by the way it wears its hair.
I don't like that the entire package had to be updated
I don't like that either. Nor the mozilla devs. So they posted a patch via an extension to be applied to ff, tb and seamonkey.
Cheers...
Please point out the hypocrisy.
I don't hear the OSS community pretending their software has no bugs or holes.
Silly rabbit
OK, that's it you guys. No more talk of how IE is so insecure because of Microsoft's 'monoculture.' Security issues, it seems, are a way of life in software. There are plenty of other arguments against Microsoft so there's no reason to use this one any more.
Personally I'm still going to use FireFox. It's a better browser than IE and I'm happy that they patched it in a single day. It's a little worrisome that this issue sat around on Bugzilla, hopefully this will motivate the Mozilla team to figure out some procedures to keep security bugs from slipping through the cracks.
Modded up for saying thanks?
Thanks for saying thanks! Thanks!
--
+4 'interesting'
That's why you need Mozilla with that handy "Launch This Page in IE" plugin. Referrer=null.
And this is beta software. It's supposed to be buggy. The fact that IE is in its 6.x series and still an open porthole to the world while today MozOrg fixed this issue in one day should say enough.
If you think there are any browsers out there that are totally secure, you're bleeding insane.
Slashdot in 5 Paragraphs
It explains the exploit is working with a specific syntax to invoke the program execution and it clearly mentioned the similar behavior for execution exists on W2K, but the syntax is different. Conclusion: The exploit exists only on WXP.
Achille Talon
Hop!
Whilst it's easy to take pot-shots at Microsoft when it comes to IE, their update system isn't too bad. Firefox needs an easy to use mechanism for automatically retrieving and installing critical updates, in a manner similar to MS Windows Update service.
Even better, take a leaf out of Norton's liveupdate program.
Eweek and Slashdot linked to bug 167475, implying that Mozilla developers knew about this hole in 2002. Fixing bug 167475 would have done approximately nothing to protect Mozilla users against the shell: hole in Windows, and that is why bug 167475 hasn't been fixed.
The correct bug number for this hole is bug 250180.
The shareholder is always right.
This is added intentionally so that Mozilla contains all of the features of Internet Explorer.
Oh yes, that's right! I went there.
kyjello is too damn smooth to make a signature.
Well... We could always petition Microsoft to include Firefox/Mozilla in their Windows Update(TM) scheme :)
After that we'll move on to include the Gimp and OpenOffice. Before you can say "global domination" we'll have a perfectly good Microsoft Linux distro and whammo... 99% of the desktop belongs to the penguin.
But then again... maybe not.
Is it still a security hole in Mozilla????
Yup. Because Mozilla, as a local application, has a much higher set of privs than a remote website does. This is basically taking code (high-level instructions, but code) from a known insecure zone and telling the OS to run it without any built-in safeguards. And what do you know: we have an exploit.
Here's a fun example of how IE gets it right. Take the URI file:///c:/windows/system32/mspaint.exe from another example on this discussion. Type that into start/run on a Windows box - it works. Type it into the Address bar of IE - it works. Toss it into a webpage on the local machine and click on it - it works. Toss that webpage onto a remote server and click on it - it doesn't work any more. Different behaviors for different levels of trust. Mozilla defeats this by passing things to the shell with the same level of trust as the user has given it, the local program, which includes the (necessary) ability to mess with the filesystem.
You're special forces then? That's great! I just love your olympics!
A lot of people have the problem where, even after they've updated to firefox 0.9.1 (or now 0.9.2) the automatic update still says that there is a new update available (annoying).
Here's the fix:
Enter about:config in the location bar.
Enter update.app in the filter field. (Click on Enter)
Reset any prefs that appear in bold.
Restart Firefox.
taken from FireFox support newsgroup. [http://www.mozilla.org/support/]
Microsoft must have known about this hole, since Internet Explorer disallows the shell: protocol. When they found out about this hole, they had three choices:
They went with the second choice.
...they didn't realise at that point that this could be launched without user interaction, that is what was posted to full disclosure - when that was written it was believed that a user had to be fooled into clicking on that link - a whole different ballgame.
True, I think this was something that should have been looked at earlier, but the same day the no-user interaction vuln was posted, there was a fix.
Is there a (proper) fix yet for the download.ject problem? No, even with the temporary "sticking plaster" that microsoft launched onto windows update this week there are still ways to exploit the problem. It will be months until a proper patch that fixes that will be released, if it is ever released at all.
Let's keep things in perspective and in context please.
I am NaN
Which is basically to say:
IE bad because it is integrated into the OS
Moz bad because it calls the OS because it's not integrated
Both are bad. In fact, this is quite bad for Moz, as one of the touted improvements is that not being OS-integrated avoids such issues.
Basically, you're passing on data from the windows URI handler... so it's almost like importing a windows IE/Web insecurity into Moz. Perhaps if Moz just imported the windows URI handlers as a datafile, and stripped out known baddies?
Heretic, YOU MUST BURN!
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Yeah. But where is the auto-update feature for Firefox á la Windows XP, OS X, YAST or Up2date?
Last weekend, I converted three people from IE6 to Moz FF 0.9.1, based on the facts that it's more secure than IE. And now I'm reading that it has a critical issue (whether it is a bug or not, but it is an issue). How to get their machines patched without my intervention? Where is that big red bouncing icon that appears when starting FF, which says that "you need to install this/these updates immediately to keep your machine secure"?
Hello, FF developers! Critical FF updates are not found on windowsupdate.microsoft.com! Where is your own auto-update feature?
“Wait for Hurd if you want something real” –Linus
The developers considered changing from scheme blacklisting to whitelisting, in which case all schemes and protocols would be disallowed unless explicitly allowed.
Duh.
I have been saying this for some time now: Never use blacklists. Always use whitelists.
If you forget to put an insecure operation on a security blacklist, you have a security hole. If you forget something on a whitelist, you just have an inconvenience.
I am disappointed that the Mozilla developers did not have enough common sense to use whitelists in the first place. But then, it seems like most computer security schemes are blacklist-based, which explains why computers are so insecure.
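An added example, not part of the thread and not Mozilla's code: a sketch of the two hand-off policies argued over above (a blocklist of known-bad schemes versus an allowlist of known-good ones), run over the same constructed links. The scheme lists, function names and sample links are assumptions for illustration; only the pref name pattern `network.protocol-handler.external.<scheme>` comes from the about:config tip elsewhere in this discussion.

```javascript
// Added illustration: blocklist vs. allowlist for handing unknown URI
// schemes to the operating system. All lists and names are hypothetical.

// Schemes the browser handles itself and never passes to the OS.
const INTERNAL = new Set(["http", "https", "ftp", "file", "about"]);

// A blocklist as it might look before the shell: report (constructed).
const BLOCKLIST_BEFORE = new Set(["vbscript", "javascript"]);
// The quick fix described in the thread: add "shell" to the existing list.
const BLOCKLIST_AFTER = new Set([...BLOCKLIST_BEFORE, "shell"]);

// An allowlist of the "few well defined cases" kind (constructed).
const ALLOWLIST = new Set(["mailto", "telnet", "news"]);

// Per-scheme user override, following the pref name quoted in the thread.
const PREF_PREFIX = "network.protocol-handler.external.";

// Return the lowercased scheme of a URI, or null for a relative reference.
function extractScheme(uri) {
  // Drop leading/trailing controls and spaces and any tab/CR/LF inside,
  // so " SHELL:..." or "sh\tell:..." cannot slip past a string comparison.
  const cleaned = String(uri)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\r\n]/g, "");
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Decide what happens to a link: "internal", "external" (handed to the
// OS handler) or "blocked".
function decide(uri, policy, prefs = new Map()) {
  const scheme = extractScheme(uri);
  if (scheme === null || INTERNAL.has(scheme)) return "internal";
  const pref = prefs.get(PREF_PREFIX + scheme);
  if (pref === false) return "blocked"; // explicit user opt-out always wins
  if (policy.mode === "blocklist") {
    // Anything nobody thought to list goes straight to the OS.
    return policy.list.has(scheme) ? "blocked" : "external";
  }
  // Allowlist: only listed schemes, or ones the user enabled by hand.
  return policy.list.has(scheme) || pref === true ? "external" : "blocked";
}

// Schemes of the links a given policy would hand to the OS.
function handedToOS(links, policy, prefs) {
  return links
    .filter((u) => decide(u, policy, prefs) === "external")
    .map(extractScheme);
}

// Constructed sample links; the shell: and imaworm: forms echo the thread.
const SAMPLE = [
  "http://www.mozilla.org/",
  "mailto:user@example.org",
  "irc://irc.example.net/chan",
  "shell:windows",
  " SHELL:cookies",
  "imaworm://x",
  "vbscript:x",
];

console.log("blocklist before:",
  handedToOS(SAMPLE, { mode: "blocklist", list: BLOCKLIST_BEFORE }));
console.log("blocklist after: ",
  handedToOS(SAMPLE, { mode: "blocklist", list: BLOCKLIST_AFTER }));
console.log("allowlist:       ",
  handedToOS(SAMPLE, { mode: "allowlist", list: ALLOWLIST }));
```

The blocklist still forwards the unlisted `imaworm:` scheme after `shell` is added, while the allowlist costs the user `irc:` until it is enabled by hand, which is the inconvenience-versus-hole trade-off the comment above describes.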
Reading the bugzilla entries for this and related bugs (an earlier post has the bugzilla url for this bug) is interesting in itself.
It shows that the developers well understood the security implications of the bug - but they were also trying to fit the browser into the MS scheme of things in which programs seem (I'm not a windows expert at that level) to be able to register protocols (shell:, vbscript:, irc:) that they get to handle. Disabling this in windows would then lead to Mozilla/Firefox behaving differently than they've come to expect.
It was further pointed out that mozilla could require a "yes" click in a dialog window, but that that would lead to other security issues.
Interesting reading.
And how do you read your slashdot user page? It does not render properly (or sometimes at all) on Konqueror. As well as many other webs, because style engine is broken.
BTW, my Mozilla 1.7/linux on "shell:/bin/ls" says
Alert! shell is not a registered protocol
So, I see no problems with mozilla on linux.
Note, your Konqueror probably has some other obscure protocols, such as system:, settings: or programs: which may render your machine vulnerable by means you can't even imagine. You really should check if they are on just now.
There you are, staring at me again.
It's really not obvious when you go to Mozilla.org that there's a patch available. It should be on the right-hand-side instead of down in the middle of the page on the left-hand side. Also, mozilla.org/products/firefox doesn't tell you there's a patch available!! Hopefully, my email to its webmaster will help fix this soon.
I doubt they will block Slashdotters.
It's less effort, really it is. We now return you, of your own volition, to Windoze hell.
Friends don't help friends install M$ junk.
RTFBug. Since MS decided programs should be able to register protocol handlers (e.g. irc://, telnet://), Mozilla behaves like a good little windows program, and passes any unknown protocols (shell://, vbscript://) to the OS. It's a flaw in the whole setup that windows uses here, and MS changed the behavior for XP SP2.
My server
Try this page: test page
After I installed the patch (without restarting Mozilla), all four example links were available to click on. Clicking on the fourth link, marked "Clicking this could crash your system!!!" did cause Mozilla to go crazy. It kept opening new windows stupidly fast until it crashed.
After it died, I restarted it and went back to the page - now three of the links are completely disabled (I can't even highlight them), and the link that does work (the one with the example iframe exploit) has no malicious effect - the iframe no longer shows the Windows tip but is empty instead.
So my version of Moz clearly wasn't fixed until it had been restarted.
I say we take-off and slashdot the site from orbit... it's the only way to be sure
This is a windows hole, not a Mozilla hole. The Mozilla team has just decided to implement a workaround so the windows hole won't hurt you when using their browser. That is also why it only affects Mozilla on windows and why they debated whether to do something about it for so long.
Download the fix here!
Wow, I should not post when knackered.
Opera long ago decided to *not* pass on any protocol or scheme to the operating system, except for a few well defined cases (ftp, telnet, mailto). Users of Opera 7 can add specific protocols/schemes manually in the prefs if they want.
Lesson of today: there is always a danger in presenting yourself as 'the safe alternative'. Proper engineering can reduce risks, but there are never guarantees. Not that this example was especially worrying imho: you'd still have to be tricked to visit a specific website that plans to harm you. Not that likely unless you tend to visit the bowels of the web...
If you don't like having choices made for you, you should start making your own. - Neal Stephenson
It requires clicking on a link in order to execute. MS has plainly addressed this vulnerability when it was a problem in IE, and their solution is the same for Mozilla.
BUT, since I have XP SP2 installed (the latest release candidate), I can ignore 0.9.2 altogether? Or are other bug fixes included in this release?
Having to run a windows site I was once again looking at the ADODB:stream bug and pondering directions to take and look into.
Some of the issues I pondered were if I spent a lot of time ripping out the user access to the non-removable IE, and installing either Firefox, Mozilla, or another browser, or a combination of that or similar.
On the browser side, removal of Active X and the IE gubbins brings security, but also non-working websites. Perhaps a lot of companies are going to move back to the standards that form web rather than MS specific technology. I can't blame them, as most people outside tech areas like slash tend to use or aim for market leading pitches. The bulk of users use IE.
That will continue to be the issue, however, looking deeper into this, I looked at machines and figured I would have to keep IE patched, but in addition, if I roll another product or more, I merely add quite possible extra vectors of concern and attack.
All the browsers go through security and exploit issues, at least from time to time. What I settled on was continuing with IE. It's built into Windows, there isn't an easy undo for that.
Somewhere between Sunday/Monday, MS got a patch out. IMHO while this is not perhaps up to the highest levels of OSS error and fix correction, it isn't bad or horrific.
In the main, so long as they deal with issues quickly and provide answers, I can tolerate them. They are not as bad as some make out.
The history of Mozilla is not as bug free and exploit free as much of the recent comments try to indicate. In truth, we will continue to have security issues with software, and it is how the vendor responds that should be critiqued.
AdmV
We`re all equal
Waiting for the homeland propaganda......errr homeland security to advise us not to use it.
"If any question why we died, Tell them because our fathers lied."
Mozilla does support different levels of trust. For example, a page on a remote website can't create an IFRAME whose SRC points at your local filesystem. A local file can do that. So I don't know what your point is.
This bug is about which Windows HTTP protocol handlers should be trusted. 'shell:' was trusted when it should not have been.
Avant Browser and MyIE 2 are both programs that make use of IE for displaying and both contain tabbed browsing.
-]Phreak Out[-
But where is the auto-update feature for Firefox á la Windows XP, OS X, YAST or Up2date?
Tools -> Options -> Advanced -> Software Update.
To check manually: Tools -> Extensions -> Update.
It's not perfect yet, but remember, it's still 0.9.x, not 1.0.
(Wait, you did want an answer, right?)
This bug report is about executing unknown protocol handlers in other places except . Mozilla has had for a while now, a blacklist of bad protocols that it should not pass to the OS.
With this patch, "shell:" was added--quickly because the infrastructure was there.
--Sam
Not only that, but it's a known (almost) ten year old bug in Windows - the use of the same set of handlers for local and remote services - and one I've been trying to tell people about for that long.
Mozilla and Firefox should NOT be using this functionality, they should be doing ALL their own URL parsing and handling on Windows, Linux, Mac OS X, and so on, because they can *not* depend on the native OS to do security right.
Even Apple doesn't do it right (see how they 'fixed' the help: problem), and Microsoft has refused to fix it on their side even under threat of judicial dismemberment.
From the article:
Is this really a security hole? When Mozilla receives a shell: request, it passes it on to an external handler in Windows. The "fix" for this is to disable this functionality which, as far as I can tell, is totally unnecessary to begin with. External handlers -- programs outside Mozilla -- have no specific security model, so the only way to deal with them is to make individual exceptions like this one. Messy? Yes. But that's Windows.
The only way to deal with this is ONLY use external handlers you know are safe, rather than using all but the handlers you know have holes in them. Anything else is just following Microsoft's lead into a decade of virus-mania.
Here you go.. an obvious, step-by-step guide.
Don't even need to double-click anything, it installs from inside the browser. No need for self-extracting executables.
I am shocked that everyone here is sticking on Mozilla's side. I love Mozilla, and have used it since the beta versions. I install it on mom & pop computers all the time for security. But this is definitely Mozilla's fault. Mozilla should not pass unknown protocols to explorer. IMHO, that defeats the purpose of Mozilla. That would be like coding Mozilla to pass ActiveX controls to Internet Explorer since it doesn't support them.
I treat Mozilla as a standalone app, and I consider that an advantage. I'm not vulnerable to scripting exploits, MS Office exploits, etc. But now I am told it passes some work to Explorer. I consider that a bug. I don't want it to pass everything except shell: to IE. I want it to pass nothing to IE.
The security exposure is apparently due to the fact that Mozilla, running on MS-Windows, will hand off any "URI scheme" Mozilla does not recognize to the OS. This only happens on MS-Windows. Since Windows may (and indeed, does, by default) know about URI schemes that do things you would not want a web page doing (like run programs), this is considered a problem for Mozilla.
I have to agree that this is a Mozilla issue. To use a slightly contrived comparison: I read my mail using UW Pine. If someone sends me a script via attachment in email, I do not want Pine to test and see if the interpreter in the she-bang line is available on the host OS. My OS is not my mail reader; I do not want my mail reader allowing everything my OS can do. Ditto my web browser.
There appear to be at least three Mozilla Bugzilla Bugs related to this (likely a lot more):
#1 = Mozilla Bug 163767 (20 Aug 2002)
"Pref to disable external protocol handlers"
http://bugzilla.mozilla.org/show_bug.cgi?id=163767
#2 = Mozilla Bug 167475 (9 Sep 2002)
"Disable external protocol handlers in all cases, excluding <A HREF"
http://bugzilla.mozilla.org/show_bug.cgi?id=167475
#3 = Mozilla Bug 250180 (7 Jul 2004)
"Shell: protocol allows access to local files"
http://bugzilla.mozilla.org/show_bug.cgi?id=250180
It appears that Mozilla developers have been worried about this kind of problem going back to at least Aug 2002 (see #1 above). #1 talks about an option to disable external protocol handlers (URI schemes) by default. I have to say that would be the right thing to do. "Secure by default" is the correct approach.
#2 talks about an approach that uses context to determine if an external handler should be invoked. Basically, it assumes that if a user clicked a link, they wanted to invoke the handler; anything that happened implicitly (such as image loading) should not invoke an external handler. I do agree with those who commented (in that bug) that this is not the right approach. It adds complexity, and it still fails to address the fact that clicking a link is not something that should just up and run anything the web page wants. If I wanted that, I'd use MSIE.
#3 is a reference to the "shell:" URI scheme in particular being abused this way. It blocks the "shell:" scheme to prevent that abuse. It does nothing to prevent abuses of other possible schemes, though. I suspect we may see this "feature" of Mozilla rear its ugly head again in the future.
This is not a failure of Open Source in particular. Nor does it prove Mozilla is crap or Microsoft is okay after all. It means that people make mistakes. This should not surprise anyone. Stop pointing fingers and fix the problem.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Nice, doesn't seem to work though. Says there are no updates, or it couldn't find any, something like that. For both methods you suggested (and for several other plugins I've got installed). Anyone else got Firefox's auto-update to work?
This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.
Your analogy isn't quite right... let's think about this another way... you have a plugin you've installed that has a security flaw in it. Is Mozilla (or IE or any other browser) responsible for the security flaw?
The registration of external protocol handlers is common practice across different platforms and browsers. I use OS X primarily at work and at home. I also run Linux here and have a Windows laptop at work. All three platforms use external protocol handlers to register helper applications.
The part that I think is significant is that the OS registered a protocol handler that isn't safe in an internet context. So, you either blame the browser for doing what the OS manufacturer recommends you do... or you blame the fool who wrote the insecure protocol handler (and why the hell would you want a "run any program" protocol handler????)
Sujal
politics, food, music, life: FatMixx
You DO realize that there have been some rather high-profile bugs, malware, exploits, and viruses for Linux (and even BSD), don't you?
And you also realize that, if Gecko had only been put in Free Computing systems, it would have essentially rotted away to nothingness years ago.
Of course, you're also completely ignoring the amazing PR spin Mozilla is for Open Source. Sure, it has bugs and holes--but those bugs are publicly filed, honestly reported, and fixed in a VERY timely fashion.
(Then again, you're comparing Free Computing and pregnancy.)
Yeah. But where is the auto-update feature for Firefox á la Windows XP, OS X, YAST or Up2date?
The French word à is spelled with a grave accent, rather than an acute one. If you're going to spell things like a smartass, at least get them right.
I hereby place the above post in the public domain.
Here's a fun example of how IE gets it right
That depends. While what you say is true, and it does not execute, it also shows a lot about the thinking at MS. Mozilla hands off protocols to Windows in a simplistic way because it is not a part of the OS - just as any other program does. IE by contrast has the concept of zones, and each zone has certain things which may be allowed or disallowed depending upon various security levels. This makes the IE security model much more complicated than it should be, and for most people hard to understand. And there have been more than enough problems with IE being confused as to which zone it's in, and enough exploits taking advantage of it.
Mozilla's fix is simple because what it does is simple. I'm not apologizing for the Mozilla team here, and in fact I think it's sort of pathetic they just let this problem lay around for 2 years instead of just disabling the shell protocol to begin with. But if IE does anything right, it certainly is NOT the concept of security zones.
for FireFox:
1. type "about:config" in your url bar
2. Find "network.protocol-handler.external.shell"
3. Change value to false
That's all that you need to do to fix it.
Never Smoke A Banana.
Is there some way I can disable them all?
Request your free CD of my piano music.
Also, if you RTFA, you'd realise this was supposed to have been fixed in a Windows service pack, but isn't.
So yes, I blame microsoft :)
Problem doesn't exist on any other OS running firefox...
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
ya ya ya, keep talking and prove my point more.
....
You are saying that the program that receives the malicious command should just blindly pass it along to windows, pass the buck, who cares about the consequences.
But when a MS product does anything like this all hell breaks loose, that the attack should have been prevented where it was received, not down the line.
warning, an analogy follows this statement, all analogies are inherently imperfect but I'm sure you will manage to get the damn point
Would you keep a firewall up that although secure in some ways, still simply passed an obvious very high risk command onwards for the operating system to deal with? umm do I even have to say the word NO?
But it's OK, it's an open source product, so passing the buck on is not considered evil the way it would be for an MS product.
Open your eyes, it's a case of the open sourcers being totally unable to admit there could possibly be an 'MS style' fault with one of their products.
George Bush + Linux = "I will not let information get in the way of the fight against Windows"
Because shell: doesn't exist on Linux.
shell: is like any other protocol, such as http: or ftp:. What Necko (the networking part of Mozilla) does is if it doesn't recognize the protocol, it asks the OS. Windows recognizes shell:, and lets it do pretty much anything. None of the other OSs recognize it, which is why this only affects Windows.
There are 11 types of people in the world: those who can count in binary, and those who can't.
There are two programs: one is the OS, the other is a user program, connected to the internet. There are four possibilities for (this part of) how they interact:
1. Neither of them checks to see if the input is coming from a trusted source. Obviously bad, as was the case here.
2. Just the user program checks to see if the data is trusted. Provides the security, but means this has to be implemented in every single user program.
3. Just the OS checks to see if the input is trusted. Provides security, and only needs to be implemented once.
4. Both the OS and the user program check to see if the input is trusted. Redundant, though arguably more secure.
If you're paranoid, you should have both of them check to see if the data is trusted, otherwise just the OS should check.
My diagnosis is that this is a severe bug in Windows and is Microsoft's fault, however, since it was there, Mozilla should have blocked it from showing up.
The fact that once they realized it could be a problem they did block it is only a good thing.
There are 11 types of people in the world: those who can count in binary, and those who can't.
"Take the URI file:///c:/windows/system32/mspaint.exe Type it into the Address bar of IE - it works. Toss it into a webpage on the local machine and click on it - it works"
Doesn't work on mine. I see VERY few good reasons to need to be able to launch/download applications (or download fonts and run active script etc) from a local html page and thus I have disabled those options in the My Computer zone. I've also set things up so that copying and pasting gives me a prompt too.
Change the Flags to 1 in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
And the My Computer zone becomes configurable.
However do note that windows explorer seems to rely on activex or active scripting IF you are not using the classic view.
Originally IE did the same thing as Mozilla does now, this was once identified as a bug/security issue, and then it was fixed in IE itself, not in Windows.
So others that have the same problem need to be fixed independently. This has now happened.
To know if IE really does not pass shell: urls, type one of these in your address bar:
shell:windows
shell:cookies
Of course, you're also completely ignoring the amazing PR spin Mozilla is for Open Source. Sure, it has bugs and holes--but those bugs are publicly filed, honestly reported, and fixed in a VERY timely fashion.
I really hope that if the mainstream media does stories on this they will make it clear that:
1. This is not a problem with the browser, it is a problem with the OS
2. The problem with the OS was allegedly fixed by a previous MS patch... except it wasn't - MS obviously don't test their patches.
3. Even though it was not Mozilla's own problem they still jumped and fixed it within a day of the report.
4. Microsoft knew about the latest IE hole 10 months before it was exploited and still did nothing about it.
http://blog.nexusuk.org
While surely this is a Windows bug, as it is normal procedure to pass unknown protocols to the OS, Mozilla shouldn't really care about rtsp://, mirc://, and what not protocols. There are apps designed to handle that, and they register as helper apps for those protocols, so why shouldn't Mozilla trust them? How would Mozilla ever imagine there was a shell:// protocol? On the other hand it should probably do a white list of common protocols and issue a warning when clicking on an unknown one. If the user is just going to click OK on whatever he sees, it becomes the user's fault. The white list shouldn't be required, but it is the moment you interact with components you don't know about. Think if they make a silent work registering for the URIs imaworm:// allowing attackers to do almost anything and the user wouldn't know if he doesn't see any significant slow-down, data loss, until they go on a malicious page. A browser shouldn't really whitelist anything more than http://, ftp://, rtsp:// and mailto. All the others should be user choices.
most of the answers moderated up around here are only wishful thinking .. people just love to fool themselves into "firefox is safer", no matter what ...let's see some samples
-- Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilities. ... plus this is like saying : i know i eat approximately the same shit as the other party, but im way better because mine gets no attention.
i wont bet a single cent on that
-- This incident underscores why many use or have switched to Firefox: vulnerabilities discovered and promptly fixed. Not weeks and months from their publication--and not by another vendor--this exploit was addressed by those who have made available Mozilla's code for public scrutiny.
as Microsoft demonstrated in maaaaaaany occasions, IT DOES NOT MATTER how fast you release the patch.
-- This isn't really a fix for a security problem in Mozilla, it's a workaround for a security problem in windows. .. but it sounds like : i live in an apartment building and its administrator's fault that any burglar can break into my apartment bare handed... so easy to blame "the other guy"
it may be so
and so on.. and so on. ... i use it since the first version and this week i got the first pop-up and pop-under windows that somehow managed to slip through firefox' block mechanism ... and now this embarrassing flaw .. sadly, it seems that going mainstream is enough to evaporate the "security" of ANY application.
going mainstream was not exactly beneficial to firefox
"There is nothing more frightful than ignorance in action." Johann Wolfgang von Goethe
This is off-topic, but nonetheless should be of interest to mozilla users who are forced to use Outlook at work. Even more so for people who use linux at work and are forced to access email via Outlook Web Access (sob!).
Mozilla support for exchange servers (without IMAP) looks like it should now be implementable.
Bug 128284
Please vote for this bug if you desperately _desperately_ (like me!) need support for exchange!
Y'see, the problem is that statements like that just don't have any credibility left when you're looking at vulnerabilities like this. The bug in question is a "complete wipe-out" style vulnerability. The issue was known by the Moz dev team years ago, and they decided it was WONTFIX. Yet even IE fixed this one a while back.
The problem here is not the specific bug, it's the attitude/lack of awareness demonstrated by the Mozilla dev team when faced with a critical vulnerability. The attitude of so many people in this thread -- "It's a Windows fault, not our precious Mozilla!" -- is almost as scary.
Sorry guys, the honeymoon's over. Mozilla can crash, can take out all your stored e-mail, can be exploited to damage the rest of your system, and doesn't get fatal security flaws fixed for years, just like IE. It may still be a better product, but there's no mileage left in claims that it will always and necessarily be so.
BTW, assuming there are no exploits out there for this vulnerability is staggeringly naive. Just because no widespread worm/virus-style exploits are known doesn't mean it hasn't been used by the geek who disliked the other guy down the hall or by the company employee wanting a quiet raise.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
let's think about this another way... you have a plugin you've installed that has a security flaw in it. Is Mozilla (or IE or any other browser) responsible for the security flaw?
Look though my comment history and see what I think of plugins. (hint, they suck)
Yes, this is a mozilla problem. Here is the deal. When you develop an application where anyone in the world has input to that program you check the input for valid data and reject anything that is not valid. Period.
A uri handler called shell:// is stupid. That's as if you're leaving an open rsh or ssh port with no password. Again, this is the first time I've heard of such a handler, and I don't know exactly what it does or is supposed to do but the fact that it's called shell tells me that it's not something that belongs on an internet application. Name me one more network application that would accept arbitrary commands without a password to be run on a computer. Just one.
We agree about the stupidity of a shell:// handler... but Mozilla didn't provide it. I'm not sure what "valid data" they should be checking for here... the only thing I see at this point is that they need to start maintaining a black list of protocol schemes... Of course, if a particular bit of spyware/adware becomes popular, for example, they'll just be chasing down changing schemes.
Sujal
politics, food, music, life: FatMixx
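Added example, not part of any post in this thread and not Mozilla's code: a simplified model of the two policies argued over above, the black list of schemes and the white list with a warning for unknown schemes, run over constructed links. The function names and the `example-newhandler` scheme are assumptions made for the illustration; `shell`, `rtsp`, `mailto`, `http` and `ftp` are the schemes named in the discussion.

```javascript
// Added illustration: a simplified model of external-protocol dispatch, not Necko's code.
const INTERNAL = new Set(["http", "ftp"]); // schemes the browser handles itself

// RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), compared case-insensitively.
function schemeOf(url) {
  const m = /^\s*([A-Za-z][A-Za-z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Deny list: every unrecognised scheme is handed to the OS unless it is listed.
function denyListPolicy(url, blocked) {
  const s = schemeOf(url);
  if (s === null) return "invalid";
  if (INTERNAL.has(s)) return "internal";
  return blocked.has(s) ? "block" : "external";
}

// Allow list: only approved schemes reach the OS silently; the rest require a prompt.
function allowListPolicy(url, allowed, blocked) {
  const s = schemeOf(url);
  if (s === null) return "invalid";
  if (INTERNAL.has(s)) return "internal";
  if (blocked.has(s)) return "block";
  return allowed.has(s) ? "external" : "prompt";
}

// Constructed sample links; "example-newhandler" stands for a handler registered later.
const SAMPLES = [
  "http://example.com/",
  "mailto:user@example.com",
  "shell:windows",
  "SHELL:cookies",
  "example-newhandler:anything",
  "no scheme here",
];

function compare(urls) {
  const blocked = new Set(["shell"]);
  const allowed = new Set(["rtsp", "mailto"]);
  return urls.map((url) => ({
    url,
    deny: denyListPolicy(url, blocked),
    allow: allowListPolicy(url, allowed, blocked),
  }));
}

for (const r of compare(SAMPLES)) {
  console.log(`${r.url.padEnd(30)} deny-list: ${r.deny.padEnd(9)} allow-list: ${r.allow}`);
}
```

Both policies stop `shell:` in either letter case, but only the allow list turns the scheme nobody anticipated into a prompt instead of a silent hand-off to the OS.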
Either go all the way to changing the OS AND the browser, do the right thing, all the way, or don't bother, it's naive wishful thinking and at best a finger in the dike stopgap measure to try and make windows "secure" on the internet, and at best an incredible waste of time and resources in the OPEN source coding community.
I totally disagree with you. As a user that is stuck on an XP platform because where I work I have no say (and I am far from alone here!), I am absolutely overjoyed that the coding community "wastes" its time and resources to allow me to use my home browser at work. Last time I checked, the community was not out to "make windows 'secure'," but was instead out to make good software for people to use freely. Granted, I am probably starting another flamewar here (which free, blablabla), but I think you need to leave it to the people doing the coding to decide how to spend their time and energy and not foist alternate agendas upon them.
What arrogance.
/", would you also blame the inventor of the rm program? Or how bout the shell? Maybe the OS? *smirk*
Does IE have this bug?
If not, it's a FIREFOX BUG...aka, it's a serious security flaw the Firefox browser has that other browsers do not.
As a matter of fact, the shell: bugs have plagued IE - this is a bug with the operating system that needs to be fixed at the source rather than _every single_ internet application needing a workaround.
I'm sure the typical arrogant "Firefox is impervious" argument will reign on Slashdot though..
I would never suggest that any software is completely secure - any programmer who believes otherwise is not worth employing. However, there is "less secure" and "more secure" - IE is a very insecure browser built on top of (into) a very insecure operating system (mainly because MS take so long to fix problems after they've been discovered). Mozilla, FireFox, Opera, etc are reasonably secure browsers. Of course if you run an insecure OS then that compromises the security of everything running on it and there is only a limited amount of work those applications can do to correct for this.
The only real advantage Firefox has over IE is that it's more _defaultly_ secure.
Most of the people who get hit by the security problems are the people who do not know anything about security - they're the people who won't be selecting and deselecting options. Those of us who tweak the config ourselves are the reasonably safe ones so the default should be security. Additionally, installing ActiveX is a really stupid thing to do as it is the single biggest security hole in IE and is in fact listed on the FireFox feature list as a security improvement by *NOT* running it.
Windows flaw...pish...if I put something in my browser that was capable of calling "rm -rf
Windows holds a register of all the programs that can handle various internet protocols. Someone saw fit to add "shell:" to that register - whoever that was is to blame (and it sure as hell wasn't the browser)
http://blog.nexusuk.org
Presumably it also affects the Netscape browser assuming Netscape is based on Mozilla, and Mozilla is a version 7 browser, IIRC?
Backup not found: (A)bort (R)etry (P)anic
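// Get the preferences service (XPCOM; only available to privileged Mozilla chrome code)
var prefs = Components.classes[ "@mozilla.org/preferences-service;1" ]
                      .getService( Components.interfaces.nsIPrefBranch );
// Stop shell: URLs from being passed to the OS, then read the value back to confirm
prefs.setBoolPref( "network.protocol-handler.external.shell", false );
prefs.getBoolPref( "network.protocol-handler.external.shell" );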
Note:
-- wil
IE (version 6.0.2800.1106.xpsp2.030422-1633 (not kidding, that's what it says), which appears to be the latest version (no patches pending in the update utility)) opens shell: URIs. So the answer to your question is YES, IE has this bug.