Slashdot Mirror
Firefox Quickies
First, Gypsy2012 writes with a highly critical security flaw involving both Firefox 2.0 and Internet Explorer, which could allow a malicious attacker to gain remote control of a user's system. It exploits the "firefoxurl://" URI handler. ... Next, reader dsinc sends word that the beta for Firefox 3 has slipped by 6 weeks. The new target date is September 18 at the earliest. The article wonders whether the final release will slip into 2008. ... Finally, reader jktowns points out new anti-phishing features in the latest nightly build of Firefox 3. One of them was added into the code base by the guy who developed the LocationBar2 extension.
Demonstration
Cmd.exe
This should launch cmd.exe....
Notice that you must click that link from internet explorer, firefox will warn you that an external application is being called.
above example taken from here
NewslilySocial News. No lolcats allowed.
There are some sites that don't work with Firefox.
Hell, I've got Firefox on my WIndows system (but Opera is my main browser,) and I usually end up using IE for some sites.
Sorry, can't try it right now as I'm on Ubuntu (Feisty Fawn). But I'll look into it tomorrow when I get to work.
Firefox crashes for you? Read the MozillaZine Knowledge Base article about Firefox crashes and you can probably fix your problem.
What a fool believes, he sees, no wise man has the power to reason away.
Windows only http://blog.mozilla.com/security/2007/07/10/securi ty-issue-in-url-protocol-handling-on-windows/
"Steve Jobs invented the world" -- Bill W. GATES
"virii" is not a word. It's viruses.
http://en.wikipedia.org/wiki/Virii
Open Windows Exporer (not Internet Explorer) and from the Tools menu select "Folder Options" menu. On the dialog that appears select the "File Types" tab.
Now in the list of registered file types find the one that says:
"(NONE)" for extension and "Firefox URL" for file type
Select it and click on delete button to delete it.
Click on "OK" to close the "Folder Options" dialog.
As the island of our knowledge grows, so does the shore of our ignorance.
Firefox will warn you if a program tries to use other protocols. It will allow you to suppress the warning, however, which can cause the same problem as IE, but at least you can't say you weren't warned. So from this POV, it is IE's problem moreso than Firefox's, especially when it's considered that the URLs can't do anything from WITHIN Firefox, and that (I haven't checked this, just heard it somewhere) the protocol was requested by MS for some Vista compatibility thing or some such nonsense. Not sure if there's anything to that.
However, on the flip side, anyone who implements a protocol needs to be aware any web page can invoke the protocol at will, without the consent of the user (well, thanks to IE's "standards"). This results in being able to do things like this. This webpage redirects the browser to steam://open/main, which will open the main Steam window. The user never sees the actual url. This could work with the firefoxurl protocol as well. Here are some other things that can be done, some of the uglier ones have confirmation screens I believe, but launching a game or connecting to a server does not. Note the first one which promises that it can redirect command line arguments, just like firefoxurl... however I cannot get that to work (I tried -shutdown and it just focused the main window like my current sample does). Also note the hackish steam://openurl/, which is designed to allow Steam's built-in IE browser to invoke the computer's default browser. Theoretically this could be used to bypass a popup blocker.
Of course it would appear that Steam at least can't run arbitrary programs and is limited to it's own folder in terms of effects (I could force you to join my UBER LAME COUNTER STRIKE SERVER but that's about it).
I think both Microsoft and Mozilla need to take steps to fix this problem. Microsoft needs to improve external protocol handling to at least what Firefox does (Firefox could even secure its own handling more, but that might detract too much from the flexibility. Not that that's stopped anybody before). Mozilla should remove this silly firefoxurl bit. I can't think of any legitimate reason for it (anyone have any clue?).
As for Valve with Steam... steam://openurl/ is a bit much I think. It's expected for users who don't know what MSHTML or ActiveX are to think it's a bug that external windows open in IE, but us devs know that, internally, IE is just spawning a new window for a page. Since when were you browsing the web in IE and click on a link and it popped open in Firefox? I wouldn't want that to happen if I preferred IE! (Yeah... firefoxurl is definitely useless.) I mean, can't Valve say that because Steam uses Internet Explorer internally for the Store, all launched webpages will appear in Internet Explorer and there's no way around it? Eh probably not. The technically inclined probably think everything is great now and wouldn't care if anyone told them Valve used a hackish and possibly unsafe solution.
Although at the least they could use a whitelist for urls to use for openurl... IE steampowered.com and whatever other sites they link to... although considering the number of third party games being added it could be a largish list. :(
Perhaps steam could kick the steam:// thing entirely, but the only alternative I can think of is an Internet Explorer BHO (ick, not worth the trouble IMO), unless they can do something fancy with javascript or java or flash or something.
Here's a bonus for reading all this: You can see what available protocols Windows / Internet Explorer can use (Firefox too, although it has its own extras like about: and data:) by checking HKEY_CLASSES_ROOT in regedit. Search for Values with the exact name of "URL Protocol" and the keys you find (or maybe it's in the default value?) are the protocol names. With a look it can be easy to figure out how
Internet Explorer protected mode in Vista puts IE running at the "low integrity" level meaning it can only access a very limited number of folders (for example the temporary internet files folder). At the low integrity level it is very difficult to actual exploit a machine as you don't have the rights to access much.
You're correct. Protected mode means something different in this context.
Nowhere near as much fun as handling triple faults in your assembly code!
After reading about "firefoxurl" and what it does, I only have one simple question: what on earth were they thinking when they implemented it? What's it supposed to be useful for?
As far as I can tell, the only use it could possibly have is creating desktop URLs that always open in Firefox, however there's no reason why they would have to create a URL handler to do that. Otherwise, it's completely worthless and, as discovered, a security risk, to boot.
For added fun, attempting to use a "firefoxurl" URL while Firefox is already running creates an infinite loop. (It just keeps on asking you to allow an "external application" to launch. It doesn't even seem to actually work. I get the same results when launching it directly from IE through the address bar.)
Why was this implemented? What was it supposed to do?
And, for bonus points, is it possible to write a firefoxurl that, when opened in IE, would unregister the firefoxurl handler?
You are in a maze of twisty little relative jumps, all alike.
I did this on XP as well. You can always remove the FirefoxURL entry from the registry located at
.reg file, should you ever want to put it back.
.reg file you saved.
HKEY_CLASSES_ROOT\FirefoxURL
So, go to start Run, type regedit and navigate to this key. Right click on it and choose Delete.
Of course you could also export the entry and save it in a
To put it back, just double click on the
As the island of our knowledge grows, so does the shore of our ignorance.
If you try it on Vista with UAC turned on, it'll fail -- or, at least, it'll give you a warning dialogue (one of these ) -- due to IE's protected mode, which is part of UAC (quick summary: IE runs as an even lower integrity token than normal users, and need privilege elevation to a normal user token to do things like write to anywhere other then temporary internet files and access other programs on the computer -- in this case, Firefox).
What's purple and commutes? An Abelian grape.