Slashdot Mirror
Firefox and IE Still Not Getting Along
juct writes "Heise describes a new demo showing how Firefox running under Windows XP SP2 can be abused to start applications. For this to work, however, Internet Explorer 7 needs to be installed. This severe security problem promises another round in the 'who-is-to-blame-war' between Mozilla and Microsoft. Mozilla currently is leading the race for a patch, as they have one ready in their bugzilla database. 'The authors of the demo note that there are many further examples of such vulnerabilities via registered URIs. What is so far visible is just "the tip of the iceberg". They state that registered URIs are tantamount to a remote gateway into your computer. To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.'"
IE is the better browser. Just use that one.
All the intertwined security problems HAVE to be caused by firefox, right? I mean-- Microsoft surely knows how to write applications using their own APIs on the operating system *they* developed.
Mozilla is leading the race to a patch as they have a PATCH in their bugzilla database.
They are leading the race for a patch. They have one (PATCH) ready in their database.
It's a simple matter of complex programming.
on my Ubuntu machine or my Mac, you insensitive clod!
Actually, I don't have it on my XP-Pro SP2 machine I use to run Quickbooks, either.
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
ilovegeorgebush
Using XP sp2 with seamonkey 1.1.1 and none of the links worked.
"(I) have this unfortunate condition that causes me not to believe a single thing any politician says when a mic's on.
Microsoft software does not have bugs. They have "undocumented features". It is a feature that Internet Explorer 7 works this way. When properly embraced, it extends the operating system with new features, and extinguishes all problems.
Be positive about these features!!! :-)
Maybe if they weren't running as root *all the time*, they wouldn't have so many problems.
The best test environment is production. - Me
chrome://browser/content/browser.xul
I tried this on my computer, and the mailto: tag ended up getting redirected to my GMail account. Thanks, Google Toolbar!
:)
Once again, Google saves the day! Is there nothing that Google can't do?
Only the one at the very bottom, listed as requiring user interaction, functions in Seamokey and succeeds in launching windows calculator. The mailto: one starts Seamonkey's mail and newsgroups. All the others just bring up an address not found error page.
We're going to make information free Mr. Anderson, whether you like it, or not.
If using firefox, is there really a need to have ie7 installed anyway?
is to uninstall IE7? That's easy. I never installed it in the first place.
Small though it is, the human brain can be quite effective when used properly.
A sentence with several phrases separated by a profusion of commas - and one hyphen :)
Worst sentence I've read in a while, and during lunch I had to listen to a friend copyediting some weenie who routinely left out the verbs in his sentences.
Elucidate and superfluous are dross from a word of the day calendar; the english major equivalent of e-penis. Three seperate comma seperated subclauses in the sentence. Overuse of the passive voice. The use of an uncommon acronym (URI) can perhaps be forgiven since it's Slashdot. Hyphens are hard to use well, and should NOT be used unless you know exactly what you're doing.
How about this: "In the author's opinion, users should deregister all unnecessary URIs. He does not, however, give instructions on how to do so."
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Just about any application can forward malicious data to IE7. Microsoft can blame Firefox all they want but the hole will still exist in IE7 after having been patched by the Mozilla org. I repeat, the hole is accessible from any application connecting to the internet, not just firefox. IE6 does not have this security issue so its safe to assume the fault lies with Microsoft. Last time when the roles was the other way around, when Firefox passed malicious things onto IE Microsoft said the receiving application was at fault because it should check if it could handle what it received. Well, this time thats just how it is, IE7 does not check what it receive at all. In short, IE7 is unsafer in this case than IE6 was and the fault does according to previous statements from Microsoft no lie in the sending application (Firefox) but in the receiver (Internet Explorer 7).
HTTP/1.1 400
To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.
I can answer that one for ya - Everything that FireFox doesn't handle internally; So basically, kill everything except "http", "https", and "ftp".
If you want to send email, open your email program and paste the address in. If you want to read newsgroups, open your newsreader and select the desired group. If you want to use some specialized protocol that requires a dedicated app anyway (like many P2P URIs), open them in the appropriate program.
Your web browser should not serve as a no-click interface to every network-enabled app on your machine. Period.
Actually, while incredibly insecure, it is kinda cool to be able to slap in any program path in that malformed string and open any program.
d ".exe../../../../../../../../Program Files/CCP/EVE/eve.exe " - " blah.bat
For example, try this one if you have EVE installed on your PC: (You will have to copy-paste it as the Slashdot filter prevents the links from working.)
snews:%00%00../../../../../../windows/system32/cm
Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
and the problem does not exits for Firefox before "upgrading" to IE 7 or on other platforms because M$ has yet to force sane user and privilege separation and on and on. Is there any way this could be anything but a M$ problem?
Friends don't help friends install M$ junk.
Is there any way to avoid IE7 if you are an XP user? I thought it was a forced "update" that had to be installed, unless you are a big company with your own special hell of updates and patches.
Friends don't help friends install M$ junk.
Unfortunately it doesn't fix the real problem, only makes FF work around it. Other applications could have the same issue on affected systems. According to TFA:
(..) one reason for the new vulnerability is that Windows XP interprets the string %00 incorrectly. As a result, instead of the URL protocol handler, the FileType handler is called with the complete URL, via which it is then possible to call further programs with arbitrary arguments.If this is true, it is the URL protocol handler that needs a patch (or whatever replaces/modifies its behaviour when IE7 is installed).
One more reason I prefer Open Source software: If you're a developer and run into a problem like this, then besides work around it in your application, you also have the option to fix the actual problem (in this case, the OS component that handles URL's). Next to impossible on a closed source OS.
Don't worry you can easily remove IE7 from Vista:
....
1. Download an Ubuntu Live CD
2. Install Ubuntu
3.
4. Profit!
After receiving a new laptop with Vista I found that it could take up to five minutes for the machine to be usable from a cold start. It is the first time I've used Linux for anything other than serving up web pages (or other network service) and I'm in love all over again.
Get your Unix fortune now!
If IE7 is to blame, then how come it isn't vulnerable to such malformed URIs? Presumably it already checks for these 0x00 characters, whereas FF didn't until 3.0a7.
IE 7, new software from Microsoft, just happens to cause problems with other software that competes with Microsoft.
Has that ever happened before?
Looks like http://noscript.net/ will cover you if you're looking for a temporary fix.
Same difference. I'm sure microsoft is also looking into the problem. Being who they are and what they do, they don't usually allow people to monitor the progress of their security fixes. I'm not mozilla won't be the first to patch, but its sort of like trying to decide if the red snapper is better than what ever is in the box that Hiro-San is bringing down the aisle right now.
Well.. maybe. Or Maybe not. But Definitely not sort of.
In college they had a computer lab of OSX machines that was locked down from using the terminal and other applications. I fired up firefox (because I am not too fond of Safari) and did telnet:// and it just opened up the terminal. Same thing happened with ichat, which was installed but I couldn't run it from the desktop. ichat://.
:-)
Thanks Mac-Firefox
...if you install Firefox on a non-C: drive, like me.
...however, Internet Explorer 7 needs to be installed. This severe security problem promises another round... Indeed. I wonder if Spybot database is updated to include that one.Here's a solution. Look at your status bar. If you see some wacko, malformed mailto: address appear when you hover over the link, don't click on it. The damned thing is longer than my arm! If it doesn't say joeuser@domain.foo, don't click. That simple.
I know no one here is dumb enough to click like a hamster hitting the feeder bar for pellets, so that's basically for rhetorical effect. But I want to know why these Heise security "gurus" are hyping Firefox "flaws" that are barely exploitable (the other day it was about a web domain being able to "steal" passwords for its own domain), and not nearly capable of causing the kind of damage they claim. Where do they get off attributing a Windows Mail exploit to Firefox, and how on earth would a conscious user fall for this? The exploit or the FUD?
A remote gateway? Baloney. You have to *click* on the mailto: (nntp:, etc.) to get it to even work. And even then, there'd have to be malicious code on your system in the first place to run. Calculator isn't a payload, folks. You need to have a trojan on board, in a default location, and then you need to click on another trojan (the malformed link). If the user is that stupid, they're already botnetted from double-clicking on "b00b13z.avi.wsf". It's FUD, FUD and more FUD.
A machine is only as secure as it's user is wise.
Plus, you have to be running IE7, which most Firefox users aren't, unless you got sucker punched into loading Vista.
And Heise spins this as somehow being Mozilla's problem? You could create the same situation with Lynx for crying out loud! All it takes is a malformed mailto: link. The command line will do it! That means you'd better watch out for malicious BATCH files, folks, because that's all it'll take.
No one on Slashdot is stupid enough to fall for that right? At least batch files are still "open source."
And since it doesn't happen with IE6, or if you have any sensible mail programs installed, clearly IE7's suite, Windows Mail in particular, has a flaw. A big juicy exploitable flaw. Else, Lynx has it's first 0-day exploit.
And you bet it'll slip past the UAC, if that's not a clear warning shot to you Vista boosters. Thank you Mozilla for having the sense to fix this problem even though it isn't your problem. You are proving that FOSS is the easiest code base to secure.
Boy, this kind of shoddy, FUD-laden, biased coverage really makes me mad. This has nothing to do with Firefox and everything to do with Microsoft not understanding its own code base and OS security structures.
--
Toro
How about both? ^^
Promote true freedom - support standards and interoperability.
As a follow up, I actually tried to make Lynx pass the puked URI to Windows and it wouldn't do it. It has it's own handlers. Security through "stone knives and bearskins" still works. ;^)
--
Toro
Woohooooooo! Tho Opera is still faster. =/ I'm curious to know what causes the performance difference between the two.
Promote true freedom - support standards and interoperability.
Set WshShell = WScript.CreateObject("WScript.Shell")
intReturn = WshShell.Run("del c:\windows\iexplore.exe")
WshShell.Popup "Windows is now secure."
I am the unwilling control for my Origin.
Opera is faster without a doubt, the only problem is it's plain clunky. Poor layout (without the option of changing it [atleast the way I want]) of bookmarks, history and just layout things that make it a lesser browsing experience. Except for the speed.
It looked like a perfectly cromulent summary to me.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
Ya its obvious but Microsoft makes it impossible to uninstall ie.
RTFM losers :
. aspx
http://msdn2.microsoft.com/en-us/library/aa767914
Security Alert
Applications handling URL protocols must be robust in the face of malicious data. Because handler applications receive data from untrusted sources, the URL and other parameter values passed to the application may contain malicious data attempting to exploit the handling application. For this reason, handling applications that could initiate unwanted actions based on external data must first confirm those actions with the user.
Note In addition, handling applications should robustly handle URLs that are overly long or contain unexpected (or undesirable) character sequences. For more information, please see Writing Secure Code World Wide Web link.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
I run quickbooks on my mac, I like it better than the windows version.
Sig: I stole this sig.
What's in the box, what's in the box!
I dare you to try to make an OS that isn't strongly integrated with / dependent on an internet browser. It's as hard as making a toaster that can't wash dishes, but can somehow still toast bread.
"When the atomic bomb goes off there's devastation...but when the atomic bong goes off there's celebraaaaation!"
are like the fat kid on the playground who didn't get picked for kickball. Its everyone else's fault.
Or without elucidating what a URI is.
I'm willing to bet $100 that 100 percent of the viewers here do not know the meanings of 100 percent of the acronyms that are so blatantly presented on this web site.
When an acronym is used the first time in a news article is it too much to ask that it be spelled out?
Fata viam invenient.
.."For this to work, however, Internet Explorer 7 needs to be installed.".. Solution: Uninstall Internet Explorer 7.
s/©//g
Nothing! Absolutely nothing!
When I've been a very, very naughty boy, I'll pinch myself in the genitals if matron Dorris tells me to, you insensitive clod!
I don't therefore I'm not.
I am so stupid. STUUUPID!
Greasemonkey script removes null from URLs
I thought the Mozilla team tried to fix this in 2.0.5, at least Mozilla team are trying to fix, but naturally MS IE7 team are of course blaming sum1 else, which is the usual Microsoft FUD!!!
bool FeedDog(int amount, bool lead=true);
Patents Drive Free Software as Hurricanes Drive Construction Industry
Accursed lack of mod points! Yours was the clearest explanation of the issue I've seen in this thread, so hopefully someone will mod your post up.
(Someone already has, it seems. But more oughta.)