Firefox and IE Still Not Getting Along

juct writes "Heise describes a new demo showing how Firefox running under Windows XP SP2 can be abused to start applications. For this to work, however, Internet Explorer 7 needs to be installed. This severe security problem promises another round in the 'who-is-to-blame-war' between Mozilla and Microsoft. Mozilla currently is leading the race for a patch, as they have one ready in their bugzilla database. 'The authors of the demo note that there are many further examples of such vulnerabilities via registered URIs. What is so far visible is just "the tip of the iceberg". They state that registered URIs are tantamount to a remote gateway into your computer. To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.'"

Errr

[ilovegeorgebush]

To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.

What, sort, of, sentence, is, that?!

Re:Obviously firefoxs fault

[brunascle]

Firefox is the one that told Windows to execute the command

except, a URI with a scheme of mailto, nntp, news, or snews does not tell Windows to launch a command. it tells windows to open the application that handles that scheme and give the URI to that application. what the application does is up to the application. if calc is loaded, there's either a bug in Windows or the application that handles the scheme.

Survey says - "All of them"?

[pla]

To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.

I can answer that one for ya - Everything that FireFox doesn't handle internally; So basically, kill everything except "http", "https", and "ftp".

If you want to send email, open your email program and paste the address in. If you want to read newsgroups, open your newsreader and select the desired group. If you want to use some specialized protocol that requires a dedicated app anyway (like many P2P URIs), open them in the appropriate program.

Your web browser should not serve as a no-click interface to every network-enabled app on your machine. Period.

Re:Obviously firefoxs fault

[miffo.swe]

"It is Firefox's fault. They're invoking a Windows API directly without doing any sanity checking on the input." According to your masters its the receiving application that should do the sanity check. There was a rather heated debate on this a while ago when it was IE who forwarded malicious URLS to Firefox. Also, Firefox told IE to open an URL for all it knows, not some random application. The error is in IE7 no matter how you spin it. Dont forget any application besides Firefox can forward this kinds of URLs to IE7. In short any application you use that connects to web pages is a threat to IE7.

Kinda cool

[d3ac0n]

Actually, while incredibly insecure, it is kinda cool to be able to slap in any program path in that malformed string and open any program.

For example, try this one if you have EVE installed on your PC: (You will have to copy-paste it as the Slashdot filter prevents the links from working.)

snews:%00%00../../../../../../windows/system32/cmd ".exe../../../../../../../../Program Files/CCP/EVE/eve.exe " - " blah.bat

and so on and so forth

[twitter]

and the problem does not exits for Firefox before "upgrading" to IE 7 or on other platforms because M$ has yet to force sane user and privilege separation and on and on. Is there any way this could be anything but a M$ problem?

Re:Obviously firefoxs fault

[140Mandak262Jamuna]

Why should the browser be able to run privileged commands on the OS? Why should it have access to anything other than the cache directory?

If IE7 is to blame, why isn't IE7 vulnerable?

[StonyUK]

If IE7 is to blame, then how come it isn't vulnerable to such malformed URIs? Presumably it already checks for these 0x00 characters, whereas FF didn't until 3.0a7.

Re:Yea, pretty much.

[stonecypher]

There are times when it is more elegant to use the word that has the exact nuance of meaning that you're trying to convey, but for the most part it's a lot more effective to use a word that everyone will understand.

Yeah, because if there's one thing that makes language easier to understand, it's changing your usage of a word depending on to whom you speak. Did it occur to you that the root of the problem is your fix? The only reason these people don't know these words is because other people around them are wrapped up in the fantasy that language is defined by usage, and that therefore it is somehow correct to be incorrect.

If you'd just speak formally _all_ the time, that'd be one less source of confusion for the unwashed masses. It turns out these things aren't inbuilt; they have to be learned from exposure. By denying exposure in the desperation to be understandable, you rob them of the chance of understanding in the long term.

A simple solution... WAKE UP!

[Torodung]

Here's a solution. Look at your status bar. If you see some wacko, malformed mailto: address appear when you hover over the link, don't click on it. The damned thing is longer than my arm! If it doesn't say joeuser@domain.foo, don't click. That simple.

I know no one here is dumb enough to click like a hamster hitting the feeder bar for pellets, so that's basically for rhetorical effect. But I want to know why these Heise security "gurus" are hyping Firefox "flaws" that are barely exploitable (the other day it was about a web domain being able to "steal" passwords for its own domain), and not nearly capable of causing the kind of damage they claim. Where do they get off attributing a Windows Mail exploit to Firefox, and how on earth would a conscious user fall for this? The exploit or the FUD?

A remote gateway? Baloney. You have to *click* on the mailto: (nntp:, etc.) to get it to even work. And even then, there'd have to be malicious code on your system in the first place to run. Calculator isn't a payload, folks. You need to have a trojan on board, in a default location, and then you need to click on another trojan (the malformed link). If the user is that stupid, they're already botnetted from double-clicking on "b00b13z.avi.wsf". It's FUD, FUD and more FUD.

A machine is only as secure as it's user is wise.

Plus, you have to be running IE7, which most Firefox users aren't, unless you got sucker punched into loading Vista.

And Heise spins this as somehow being Mozilla's problem? You could create the same situation with Lynx for crying out loud! All it takes is a malformed mailto: link. The command line will do it! That means you'd better watch out for malicious BATCH files, folks, because that's all it'll take.

No one on Slashdot is stupid enough to fall for that right? At least batch files are still "open source."

And since it doesn't happen with IE6, or if you have any sensible mail programs installed, clearly IE7's suite, Windows Mail in particular, has a flaw. A big juicy exploitable flaw. Else, Lynx has it's first 0-day exploit.

And you bet it'll slip past the UAC, if that's not a clear warning shot to you Vista boosters. Thank you Mozilla for having the sense to fix this problem even though it isn't your problem. You are proving that FOSS is the easiest code base to secure.

Boy, this kind of shoddy, FUD-laden, biased coverage really makes me mad. This has nothing to do with Firefox and everything to do with Microsoft not understanding its own code base and OS security structures.

--
Toro

Re:A simple solution... WAKE UP!

[xssniper]

It's great to know that you FULLY understand the security implication of this issue. If everyone was like you we would all be SO MUCH SAFER!!

The Proof of Concepts I provided are exactly that... PROOF OF CONCEPT! In my examples, I purposely place the exploit behind a link, so that you know and control whats coming. I could have easily placed the payload in a "body onload" tag and you would have just been hit with it... no user interaction required.

To make matters worse, when you combine something like this with Cross Site Scripting or Cross Site Request Forgery you can force another domain to send the payload for you... I've been in the security realm for some time now... but HEY... what do I know... it seems that you have it all figured out... Remote Command Execution with no user interaction via Firefox is no big deal... its just FUD...

Re:A simple solution... WAKE UP!

[jmv]

Here's a solution. Look at your status bar. If you see some wacko, malformed mailto: address appear when you hover over the link, don't click on it. The damned thing is longer than my arm! If it doesn't say joeuser@domain.foo, don't click. That simple.

Not that simple. Many browsers allow the remote site to change the string in the status bar by default (that's the first thing I disable). Until browsers show you the real destination by default, you can't expect people to notice the malformed mailto:

Re:Obviously firefoxs fault

[mhall119]

Firefox is passing a _VALID_ URL to the Window's URL handler, which is incorrectly parsing the URL. Firefox is not passing commands, Firefox is passing a URL, which Windows then runs as a command, instead of passing it as an argument to the program assigned to handle URLs of that scheme like it is supposed to (and like it does if you have IE 6 installed). This is a Microsoft flaw.