Firefox Quickies

First, Gypsy2012 writes with a highly critical security flaw involving both Firefox 2.0 and Internet Explorer, which could allow a malicious attacker to gain remote control of a user's system. It exploits the "firefoxurl://" URI handler. ... Next, reader dsinc sends word that the beta for Firefox 3 has slipped by 6 weeks. The new target date is September 18 at the earliest. The article wonders whether the final release will slip into 2008. ... Finally, reader jktowns points out new anti-phishing features in the latest nightly build of Firefox 3. One of them was added into the code base by the guy who developed the LocationBar² extension.

What OS

[jshriverWVU]

Every once in a while I see posts about Firefox or IE or whatever with a security flaw that allow remote access or malware/virii to be installed. But they never say what System it affects. Granted for IE it's pretty simple, but once you add firefox into the equation you have to wonder does this effect Linux too? Even so if the bug is in the linux firefox version, does it really matter at a system level, as many sites that might use this bug are going to be geared toward Windows users.

Granted if it's a bug it needs fixed regardless, but I would be more shocked if it said "allows a person to gain remote access on ALL systems running said software".

Re:What OS

[suv4x4]

But they never say what System it affects. Granted for IE it's pretty simple

Is it. Most exploits that would work on XP wouldn't work on Vista in protected mode.

Re:What OS

[Red+Flayer]

The exploit has firefox as a dependency, but is actually called from IE.

So what you're saying is that if you have IE installed on your computer[1], it is a security risk to install Firefox?

Are we *sure* this is a bug, not a "feature"?

Right now, somewhere in Remdond, someone is planning a press release...

[1] By extension, if you are one of the 97.46% of desktop users worldwide with Windows installed.

Re:What OS

[fatphil]

You obviously don't understand how shells work. The bug is between IE and the shell. IE passes an untrusted string to the shell, the shell creates a command line to execute, and the shell executes it. There is _absolutely_nothing_ that firefox could do to prevent this exploit, apart from not registering such a scheme handler at all. All such registered scheme handlers are equally vulnerable from this IE bug, not just firefox.

Opera is perfectly capable of escaping characters that have meaning to the shell before passing the string to the shell to build the command line. Whether it does so is another matter. I don't have a windows machine on which to try. If it doesn't, then it's an Opera bug as well as an IE bug.

Re:Opera

[wile_e_wonka]

I'm not sure this wouldn't work on Opera if written specificaly for it (which does still reveal a benefit of Opera--people don't usually think to write code exploiting Opera. It just isn't economical to do so). The reason I say this is because, when I click on the link above, Opera asks if it can open FF. This does not end up being detrimental because then I just end up with FF asking me if it can open FF (instead of asking to open cmd.exe). However, if the exploit were written for Opera, then I imagine Opera would have asked me if it could open cmd.exe instead of FF. With all the people out there who just click "ok" to everything that pops up on their computer (i.e., my wife, despite my attempts to teach her otherwise), this could be a workable exploit.

As for Opera on Feisty--it looks ok to me. The font is different from that in Windows but nothing "whacked up."

Firefox's Fault?

[DavidD_CA]

Here's the meat of the article:

Meanwhile, Kristensen of Secunia said: "A new URI handler was registered on Windows systems to allow Web sites to force launching Firefox if the 'firefoxurl://' URI was called, like ftp:// http:/// or similar would call other applications."

But because of the way the URI handler was registered by Firefox, it causes any parameter--which activates a program to perform a particular task--to be passed from Microsoft's Internet Explorer, or another application, to Firefox, when firefoxurl:// is activated.

An attacker may use "chrome" context--the interface elements of a browser that create the frame around its page displays--to inject code on a user's system that would be executed within Firefox, Kristensen said.

I interpret that as saying that the Firefox installer messed with Windows and Internet Explorer, opening a hole. Is Window/IE really to blame when another application adds "features" that end up being holes?

If Windows/IE were to filter what can and cannot happen through URI handlers, I could see developers crying foul for preventing access and locking out competition.

Further, is the onus now on Microsoft to fix a hole created by Firefox? And once they fix it, and legit things break because of it, who's fault will that be?

Highlighting phishing sites is nice, but weak

[Animats]

Just highlighting domains of phishing sites isn't going to be enough. Here's today's list of domains that "sort of look like Paypal". These are after subdomain truncation.
"paypal-checker.com"
"paypal-contact.net"
"paypal-customize.com"
"paypal-erreur2.com"
"paypal-security.com"
"paypal-web-dll-scrnupdateaccount.ici.st"
"paypal-web-scrn-dll-pl-dai-pl-webscrndllfs-wertyu i.ork.pl"
"paypal.powered.at"
"paypal.q.fm"
"paypalaccverify.com"
"paypalcomcgibinwebscrcmd.by.ru"
"paypalcomcgibinwebscrcmm.by.ru"
"paypalcomcgibinwebscre.by.ru"
"paypalconstomers.com"
"paypalct.com"
"paypall.ro"
"paypalmd.com"
"paypalobjects.us"
"paypalsecuritycenter.org"
"paypalverification.org"
"paypel-acc-5.com"
"paypilpal.com"
"paypll-wscr.com"
"paypluspl.com"

These are from PhishTank, which blacklists at the URL level based on manual reports. For SiteTruth", we're in the process of converting to blacklisting phishing sites by the entire base domain. That's because we now see hundreds of entries like "session-624333.nationalcity.com.userpro.tw", which has to be treated as a bad indicator for all of "userpro.tw".

There's collateral damage. There are days when "tinyurl.com" and "notlong.com" get blacklisted, because phishing sites use them. MSN gets complaints about this. Today, anybody running something like "tinyurl" needs to continually check the phishing databases for attempts to abuse their service, or their own reputation is toast.

Re:Firefox's Fault? (NO, BOTH's Fault - Read on)

From Arstechnica: http://arstechnica.com/journals/microsoft.ars/2007 /07/10/firefox-and-internet-explorer-team-together -for-critical-vulnerability

Thor Larholm, the researcher who discovered the flaw, insists that the blame falls on the back of Internet Explorer. "Firefox is the current attack vector but Internet Explorer is to blame for not escaping quote characters when passing on the input to the command line." He also notes that Internet Explorer behaves similarly with other handlers. "Internet Explorer doesn't filter the input for the irc:// or aim:// URL protocol handlers either. The exploitability on those depend on what arguments each application accepts."

The director of Symantec's Security Response Center, Oliver Friedrichs, believes that both browsers should share the heat. "You have two very complex applications that are not playing well together and leading to a security issue. The components themselves are secure as stand-alone products but not together."

Whats the fuss about?

[cybergen007]

I do not get waht the fuss is all about. If firefox is started from IE that has to ring a bell. Second I get a warning from Firefox that it wants to start an external application and I can click no and nothing happens. I have never before seen that question from firefox so I have run into a website that uses this vulnerability. Beside this happens when you are surfing using IE. If you surf using IE then you are asking for problems in the first place.

Re:Laughing? A less happy feeling

[valintin]

If the dialog is that common I wonder how many people are going to automatically accept running this because they are constantly annoyed by the pop-up?