Slashdot Mirror


Firefox and IE Still Not Getting Along

juct writes "Heise describes a new demo showing how Firefox running under Windows XP SP2 can be abused to start applications. For this to work, however, Internet Explorer 7 needs to be installed. This severe security problem promises another round in the 'who-is-to-blame-war' between Mozilla and Microsoft. Mozilla currently is leading the race for a patch, as they have one ready in their bugzilla database. 'The authors of the demo note that there are many further examples of such vulnerabilities via registered URIs. What is so far visible is just "the tip of the iceberg". They state that registered URIs are tantamount to a remote gateway into your computer. To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.'"

8 of 207 comments

  1. Re:Obviously firefoxs fault by Anonymous Coward · · Score: 1, Interesting

    It is Firefox's fault. They're invoking a Windows API directly without doing any sanity checking on the input.

    If I create a URL that manages to get Firefox to tell Windows to run a command, how is that Windows' fault? Firefox is the one that told Windows to execute the command, Windows just did what Firefox told it to do.

  2. Re:Obviously firefoxs fault by SolusSD · · Score: 3, Interesting

    Executing a program is one thing -- allowing the installation and execution of a virus is another. Since most Windows users run as admins, it is enough just to gain some access to the user's account (maybe through Firefox) to install malicious code. Of course, as the article suggests, the "bug" only exists when IE7 is installed.
    Also... I'm pretty sure if Windows was a person he would punch himself in the genitals if he was asked to.

  3. Re:bug database by Alwin+Henseler · · Score: 5, Interesting

    Unfortunately it doesn't fix the real problem, only makes FF work around it. Other applications could have the same issue on affected systems. According to TFA:

    (..) one reason for the new vulnerability is that Windows XP interprets the string %00 incorrectly. As a result, instead of the URL protocol handler, the FileType handler is called with the complete URL, via which it is then possible to call further programs with arbitrary arguments.

    If this is true, it is the URL protocol handler that needs a patch (or whatever replaces/modifies its behaviour when IE7 is installed).

    One more reason I prefer Open Source software: If you're a developer and run into a problem like this, then besides working around it in your application, you also have the option to fix the actual problem (in this case, the OS component that handles URLs). Next to impossible on a closed source OS.

  4. Re:Obviously firefoxs fault by mhall119 · · Score: 4, Interesting

    Since the URLs have the same effect if they are launched from the Windows Start menu, and presumably from any application that passes URLs to Windows' URL handler, I don't see how this is Firefox's fault. Combine that with the fact that the URL is valid (%00 is valid URL encoding), and the fact that the flaw only exists when IE7 is installed, and you have a very hard time blaming Firefox for this.

    That said, I completely agree with you on the firefoxurl: flaw.

    --
    http://www.mhall119.com

  5. Re:Not just Firefox. by KiltedKnight · · Score: 2, Interesting

    I suggest you go back and read the article.

    If you prefer the Readers' Digest version with your helping of crow:

    Installing IE 7 clearly changes the way Windows processes URIs. This is clearly illustrated by what happens if you pass the "bad" link directly to the Windows shell via the "Run" option in the Start menu. With IE6 installed, Outlook Express is launched, with IE7, cmd.exe and the calculator.
    And

    According to the Bugzilla entry for this problem, one reason for the new vulnerability is that Windows XP interprets the string %00 incorrectly. As a result, instead of the URL protocol handler, the FileType handler is called with the complete URL, via which it is then possible to call further programs with arbitrary arguments.
    --
    OCO is Loco
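
Added example, not part of the thread and not Mozilla's patch: one way an application could sanity-check a URI before handing it to the operating system's handler, rejecting the %00 case quoted in comments 3 and 5 even when it is double-encoded. The scheme allowlist, the decode limit and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumption: the only schemes this hypothetical application hands to the OS.
ALLOWED_SCHEMES = {"mailto", "telnet"}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
MAX_DECODE_ROUNDS = 3  # assumption: deeper nesting is treated as hostile


def fully_decode(raw: bytes):
    """Percent-decode until stable so %2500 -> %00 -> NUL is caught.

    Returns None if the input is still changing after MAX_DECODE_ROUNDS.
    """
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            return raw
        raw = decoded
    return None


def check_external_uri(uri: str):
    """Return (ok, reason) for a URI about to be passed to the OS handler."""
    match = SCHEME_RE.match(uri)
    if not match:
        return False, "no scheme"
    if match.group(1).lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowlisted"
    decoded = fully_decode(uri.encode("utf-8", "replace"))
    if decoded is None:
        return False, "too many layers of percent-encoding"
    # NUL and other control bytes have no place in a URI given to a handler;
    # %00 is the case the thread describes.
    if any(b < 0x20 or b == 0x7F for b in decoded):
        return False, "control byte (such as %00) after decoding"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the demo discussed above.
    for sample in ("mailto:user@example.com",
                   "mailto:user%00@example.com",
                   "mailto:user%2500@example.com",
                   "ichat://example"):
        print(sample, "->", check_external_uri(sample))
```
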
  6. Sounds like what I did on a mac by Anonymous Coward · · Score: 2, Interesting

    In college they had a computer lab of OSX machines that was locked down from using the terminal and other applications. I fired up firefox (because I am not too fond of Safari) and did telnet:// and it just opened up the terminal. Same thing happened with ichat, which was installed but I couldn't run it from the desktop. ichat://.

    Thanks Mac-Firefox :-)

  7. Re:Obviously firefoxs fault by 140Mandak262Jamuna · · Score: 3, Interesting

    download folder could be a sub folder of the cache folder. Without any execute privilege. If you download an executable that you really want to run, you should move it using file manager to another location with execute privilege and then run it. Painful? Maybe. Inconvenient? Definitely. But safe. Convenience should never trump safety.

    If you leave your door open, the cable guy can come in anytime and fix your cable box. You don't have to house sit over that stupid four hour window. Would you do that? Then why do people put up such great resistance to the idea that you must take action, not doable by the browser alone, to download and execute a file from the internet?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

  8. Re:No problem by Chineseyes · · Score: 3, Interesting

    In Windows no, but in Linux using KDE, fish:// is a godsend.

    --
    I think the invisible hand of the market has its middle finger extended

    --A wise old fart named SC0RN