Firefox Quickies

First, Gypsy2012 writes with a highly critical security flaw involving both Firefox 2.0 and Internet Explorer, which could allow a malicious attacker to gain remote control of a user's system. It exploits the "firefoxurl://" URI handler. ... Next, reader dsinc sends word that the beta for Firefox 3 has slipped by 6 weeks. The new target date is September 18 at the earliest. The article wonders whether the final release will slip into 2008. ... Finally, reader jktowns points out new anti-phishing features in the latest nightly build of Firefox 3. One of them was added into the code base by the guy who developed the LocationBar² extension.

Demonstration

[blhack]

Demonstration

Cmd.exe
This should launch cmd.exe....

Notice that you must click that link from internet explorer, firefox will warn you that an external application is being called.

above example taken from here

Re:Demonstration

[froggero1]

Weird, I get an error message:

"Iceweasel doesn't know how to open this address, because the protocol (firefoxurl) isn't associated with any program."

and when I try to open this "ie" program:

"~ $ ie
bash: ie: command not found"

maybe there's something wrong with your operating system?

Re:Demonstration

Hey, 1996 called, and they want their snooty, elitist, linux user tude' back.

Re:Demonstration

[dwarfsoft]

Weird. On windows, with Firefox 2.0.0.4, and clicking on the cmd.exe launcher on the page that you linked to (and by creating my own html page) It just opens a blank tab. cmd.exe isn't launched.

Firefox 2.0.0.4 and IE6.

Doesn't even work from IE, just loads a blank tab in firefox. I guess I must be doing it wrong :D

Re:Demonstration

yes and we still have reasons to laugh at windows.

Re:Demonstration

[Frizzle+Fry]

It's only supposed to work if you don't already have firefox open (and then you click the link in IE).

Re:Demonstration

[fatphil]

Yes, yes. This is an _IE_ bug, not a firefox bug. (I think you probably knew that though, but the people who wrote the summary and added tags certainly seem ignorant of that fact.)

Firefox just does what you tell it, and 'you' in this case is an IE which doesn't escape characters that have a meaning to the shell that is going to execute the command. So it's IE pwnx0ring (is that how you spell it?) the *shell* to get it to execute firefox with arbitrary parameters. I'd be willing to bet that there's a way to get it to execute arbitrary commands, not just firefox. I don't do WinDOS, but the unix equivalent would be something like

    "; /bin/arbitrary command ; echo "

At times I wish I actually had a windows machine to try these things out on. :-|

Phil

Re:Demonstration

[Giorgio+Maone]

Firefox users with the NoScript extension installed have been already protected both from MacManus/Larholm remote code execution and from Rios "Universal XSS" since June, the 22th, see NoScript changelog.

More in general, they're protected from chrome privilege escalation gained by opening non-chrome URLs in top-level chrome windows (Larholm's PoC) and from javascript: URLs being loaded in externally opened browser shells (Rios' PoC), no matter if attempted through the firefoxurl: handler (like in this specific case) or by other yet unknown means, thus these features are meant to stay in place even after Firefox 2.0.0.5 with its commandline-specific fix is released.

Re:Demonstration

[Goaway]

Actually reading the announcement, this seems very much like a Firefox bug, namely in the URL handler it installs. It's IE that's just doing what you tell it, to open an URL that happens to use an external URL handler.

Re:Ok....

[bhtooefr]

There are some sites that don't work with Firefox.

Hell, I've got Firefox on my WIndows system (but Opera is my main browser,) and I usually end up using IE for some sites.

Re:What OS

[blhack]

well...if you read the article you would find that this bug effects Internet Explorer users, not firefox users. The exploit has firefox as a dependency, but is actually called from IE.

Re: Firefox crashes

[bunratty]

Firefox crashes for you? Read the MozillaZine Knowledge Base article about Firefox crashes and you can probably fix your problem.

Re:What OS

[netdur]

Windows only http://blog.mozilla.com/security/2007/07/10/securi ty-issue-in-url-protocol-handling-on-windows/

Free Diease. Now pay for the Cure.

[BillGatesLoveChild]

Firefox hasn't released a fix for this, and there is no mention of it on their web site.

Now this blows:

http://secunia.com/advisories/25984/
> Solution:
> Do not browse untrusted sites.
> Disable the "Firefox URL" URI handler.

The first is impractical. The second begs the question, "Sure, How?" Read on:

> Extended Solution:
> The "Extended Solution" section is available for Secunia customers only.
> Request a trial and get access to the Secunia Customer Area and Extended Secunia advisories.

So these guys are publishing zero day security flaws, then making you reach for your credit card. Very grubby.

The CNET article doesn't tell you what the fix is either. Google has nothing. Anyone?

Re:What OS

[suv4x4]

But they never say what System it affects. Granted for IE it's pretty simple

Is it. Most exploits that would work on XP wouldn't work on Vista in protected mode.

Here's how...

[mario_grgic]

Open Windows Exporer (not Internet Explorer) and from the Tools menu select "Folder Options" menu. On the dialog that appears select the "File Types" tab.

Now in the list of registered file types find the one that says:

"(NONE)" for extension and "Firefox URL" for file type

Select it and click on delete button to delete it.
Click on "OK" to close the "Folder Options" dialog.

IE problem, but also Firefox problem.

[The+MAZZTer]

Firefox will warn you if a program tries to use other protocols. It will allow you to suppress the warning, however, which can cause the same problem as IE, but at least you can't say you weren't warned. So from this POV, it is IE's problem moreso than Firefox's, especially when it's considered that the URLs can't do anything from WITHIN Firefox, and that (I haven't checked this, just heard it somewhere) the protocol was requested by MS for some Vista compatibility thing or some such nonsense. Not sure if there's anything to that.

However, on the flip side, anyone who implements a protocol needs to be aware any web page can invoke the protocol at will, without the consent of the user (well, thanks to IE's "standards"). This results in being able to do things like this. This webpage redirects the browser to steam://open/main, which will open the main Steam window. The user never sees the actual url. This could work with the firefoxurl protocol as well. Here are some other things that can be done, some of the uglier ones have confirmation screens I believe, but launching a game or connecting to a server does not. Note the first one which promises that it can redirect command line arguments, just like firefoxurl... however I cannot get that to work (I tried -shutdown and it just focused the main window like my current sample does). Also note the hackish steam://openurl/, which is designed to allow Steam's built-in IE browser to invoke the computer's default browser. Theoretically this could be used to bypass a popup blocker.

Of course it would appear that Steam at least can't run arbitrary programs and is limited to it's own folder in terms of effects (I could force you to join my UBER LAME COUNTER STRIKE SERVER but that's about it).

I think both Microsoft and Mozilla need to take steps to fix this problem. Microsoft needs to improve external protocol handling to at least what Firefox does (Firefox could even secure its own handling more, but that might detract too much from the flexibility. Not that that's stopped anybody before). Mozilla should remove this silly firefoxurl bit. I can't think of any legitimate reason for it (anyone have any clue?).

As for Valve with Steam... steam://openurl/ is a bit much I think. It's expected for users who don't know what MSHTML or ActiveX are to think it's a bug that external windows open in IE, but us devs know that, internally, IE is just spawning a new window for a page. Since when were you browsing the web in IE and click on a link and it popped open in Firefox? I wouldn't want that to happen if I preferred IE! (Yeah... firefoxurl is definitely useless.) I mean, can't Valve say that because Steam uses Internet Explorer internally for the Store, all launched webpages will appear in Internet Explorer and there's no way around it? Eh probably not. The technically inclined probably think everything is great now and wouldn't care if anyone told them Valve used a hackish and possibly unsafe solution.

Although at the least they could use a whitelist for urls to use for openurl... IE steampowered.com and whatever other sites they link to... although considering the number of third party games being added it could be a largish list. :(

Perhaps steam could kick the steam:// thing entirely, but the only alternative I can think of is an Internet Explorer BHO (ick, not worth the trouble IMO), unless they can do something fancy with javascript or java or flash or something.

Here's a bonus for reading all this: You can see what available protocols Windows / Internet Explorer can use (Firefox too, although it has its own extras like about: and data:) by checking HKEY_CLASSES_ROOT in regedit. Search for Values with the exact name of "URL Protocol" and the keys you find (or maybe it's in the default value?) are the protocol names. With a look it can be easy to figure out how

Re:IE problem, but also Firefox problem.

[BZ]

> I can't think of any legitimate reason for it

It's a protocol scheme Windows makes up based on the registry keys Firefox has to set to get things like http: associated with it.

To be more precise, what Firefox does is:

    register HKLM/SOFTWARE/Classes/FirefoxURL with a shell/open/command
    subkey and then set the values of ftp, gopher, http, and https to
    FirefoxURL under HKLM/SOFTWARE/Clients/StartMenuInternet/FIREFOX.EX E/Capabilities/URLAssociations

This causes Windows to send "firefoxurl:" URLs to Firefox.

Not much to remove here on Mozilla's end.

Re:What OS

[GIL_Dude]

Internet Explorer protected mode in Vista puts IE running at the "low integrity" level meaning it can only access a very limited number of folders (for example the temporary internet files folder). At the low integrity level it is very difficult to actual exploit a machine as you don't have the rights to access much.

Re:Kdawson...

[Farmer+Tim]

That's the new text format randomizer , w'hic'h optionall'y add's inap'propriate a'p'o's' t'r'o'p'h'i'es .

It was added a couple of months ago to settle a bet whether Slashdot's editors are better than a random number generator (as yet no winner has been declared).

Re:What OS

[StupiderThanYou]

well...if you read the article ... If you who the what now?

Re:What earthly use is "firefoxurl" anyway?!

[_xeno_]

Except that's still retarded, since it's by definition a remotely executable code exploit. URLs don't have to be loaded by users, and in some cases, can even be loaded without any user interaction. (<meta http-equiv="Refresh"> comes to mind, although I haven't gotten the exploit to work on my system yet).

XUL applications have access to basically everything on the system. You know how you can launch files from the Firefox's Downloads window? There's nothing that prevents a skeleton XUL application from downloading a EXE and then launching it with no user interaction. The dialog that Firefox displays when launching executables is handled by the download dialog, there's nothing that requires it be displayed. (I've written an extension that launched a Windows Control Panel applet before, trust me that there's nothing really preventing XUL applications from being nasty.)

So I'm still left wondering, what was this intended for, and who thought it was a good idea?

Firefox's Fault?

[DavidD_CA]

Here's the meat of the article:

Meanwhile, Kristensen of Secunia said: "A new URI handler was registered on Windows systems to allow Web sites to force launching Firefox if the 'firefoxurl://' URI was called, like ftp:// http:/// or similar would call other applications."

But because of the way the URI handler was registered by Firefox, it causes any parameter--which activates a program to perform a particular task--to be passed from Microsoft's Internet Explorer, or another application, to Firefox, when firefoxurl:// is activated.

An attacker may use "chrome" context--the interface elements of a browser that create the frame around its page displays--to inject code on a user's system that would be executed within Firefox, Kristensen said.

I interpret that as saying that the Firefox installer messed with Windows and Internet Explorer, opening a hole. Is Window/IE really to blame when another application adds "features" that end up being holes?

If Windows/IE were to filter what can and cannot happen through URI handlers, I could see developers crying foul for preventing access and locking out competition.

Further, is the onus now on Microsoft to fix a hole created by Firefox? And once they fix it, and legit things break because of it, who's fault will that be?

Re:Firefox's Fault?

[BZ]

> I interpret that as saying that the Firefox installer messed with Windows and Internet Explorer

Firefox set up the http: protocol and such to launch it. Windows synthesizes a new URI scheme based on the registry key name used for this and associates this made-up scheme with Firefox. Not much Firefox can do about this Windows "feature".

Highlighting phishing sites is nice, but weak

[Animats]

Just highlighting domains of phishing sites isn't going to be enough. Here's today's list of domains that "sort of look like Paypal". These are after subdomain truncation.
"paypal-checker.com"
"paypal-contact.net"
"paypal-customize.com"
"paypal-erreur2.com"
"paypal-security.com"
"paypal-web-dll-scrnupdateaccount.ici.st"
"paypal-web-scrn-dll-pl-dai-pl-webscrndllfs-wertyu i.ork.pl"
"paypal.powered.at"
"paypal.q.fm"
"paypalaccverify.com"
"paypalcomcgibinwebscrcmd.by.ru"
"paypalcomcgibinwebscrcmm.by.ru"
"paypalcomcgibinwebscre.by.ru"
"paypalconstomers.com"
"paypalct.com"
"paypall.ro"
"paypalmd.com"
"paypalobjects.us"
"paypalsecuritycenter.org"
"paypalverification.org"
"paypel-acc-5.com"
"paypilpal.com"
"paypll-wscr.com"
"paypluspl.com"

These are from PhishTank, which blacklists at the URL level based on manual reports. For SiteTruth", we're in the process of converting to blacklisting phishing sites by the entire base domain. That's because we now see hundreds of entries like "session-624333.nationalcity.com.userpro.tw", which has to be treated as a bad indicator for all of "userpro.tw".

There's collateral damage. There are days when "tinyurl.com" and "notlong.com" get blacklisted, because phishing sites use them. MSN gets complaints about this. Today, anybody running something like "tinyurl" needs to continually check the phishing databases for attempts to abuse their service, or their own reputation is toast.

Whats the fuss about?

[cybergen007]

I do not get waht the fuss is all about. If firefox is started from IE that has to ring a bell. Second I get a warning from Firefox that it wants to start an external application and I can click no and nothing happens. I have never before seen that question from firefox so I have run into a website that uses this vulnerability. Beside this happens when you are surfing using IE. If you surf using IE then you are asking for problems in the first place.

Laughing? A less happy feeling

[Futurepower(R)]

I wouldn't call it laughing. "You are coming to a sad realization. Cancel or allow?"

"If you've used Windows Vista for more than 3.7 minutes, you know what UAC (User Account Control) is.. it's the obnoxious, nagging popup window that will be your life for the next 3-5 years... Note: Disabling UAC will lead to a less secure system, so be warned. -- The How-to Geek

Re:Laughing? A less happy feeling

[SEMW]

You are coming to a sad realization. Cancel or allow? It's rather ironic that you're positing that in this thread, since UAC actually prevents the exploit that TFA's talking about.

If you try it on Vista with UAC turned on, it'll fail -- or, at least, it'll give you a warning dialogue (one of these ) -- due to IE's protected mode, which is part of UAC (quick summary: IE runs as an even lower integrity token than normal users, and need privilege elevation to a normal user token to do things like write to anywhere other then temporary internet files and access other programs on the computer -- in this case, Firefox).

Re:Regenerated on FF start

[mario_grgic]

I did this on XP as well. You can always remove the FirefoxURL entry from the registry located at

HKEY_CLASSES_ROOT\FirefoxURL

So, go to start Run, type regedit and navigate to this key. Right click on it and choose Delete.

Of course you could also export the entry and save it in a .reg file, should you ever want to put it back.

To put it back, just double click on the .reg file you saved.