Firefox and IE Still Not Getting Along

juct writes "Heise describes a new demo showing how Firefox running under Windows XP SP2 can be abused to start applications. For this to work, however, Internet Explorer 7 needs to be installed. This severe security problem promises another round in the 'who-is-to-blame-war' between Mozilla and Microsoft. Mozilla currently is leading the race for a patch, as they have one ready in their bugzilla database. 'The authors of the demo note that there are many further examples of such vulnerabilities via registered URIs. What is so far visible is just "the tip of the iceberg". They state that registered URIs are tantamount to a remote gateway into your computer. To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.'"

No problem

IE is the better browser. Just use that one.

Re:No problem

[Chineseyes]

In windows no but in linux using kde fish:// is a godsend.

Re:No problem

[PenguSven]

It's the industry standard protocol used by Professional Fishermen and Giant Squid alike to catch salmon and tuna.

Obviously firefoxs fault

[SolusSD]

All the intertwined security problems HAVE to be caused by firefox, right? I mean-- Microsoft surely knows how to write applications using their own APIs on the operating system *they* developed.

Re:Obviously firefoxs fault

[Selfbain]

So it was just following orders you're saying. I'm not sure that defense works.

Re:Obviously firefoxs fault

[jez9999]

Browser: "Feed that dog."
OS: *gets out gun and shoots dog dead*
Browser: "WTF? What did you do that for?"
OS: "You told me to."
Browser: "I told you to feed it!"
OS: "Yeah, I changed the definition of that yesterday to 'shoot dead'."

Re:Obviously firefoxs fault

[brunascle]

Firefox is the one that told Windows to execute the command

except, a URI with a scheme of mailto, nntp, news, or snews does not tell Windows to launch a command. it tells windows to open the application that handles that scheme and give the URI to that application. what the application does is up to the application. if calc is loaded, there's either a bug in Windows or the application that handles the scheme.

Re:Obviously firefoxs fault

[SolusSD]

executing a program is one thing-- allowing the installation and execution of a virus is another.Since most windows users run as admins it is enough just to gain some access to the user's account (maybe through firefox) to install malicious code. Of course, as the article suggests, the "bug" only exists when IE7 is installed.
also... i'm pretty sure if windows was a person he would punch himself in the genitals if he was asked to.

Re:Obviously firefoxs fault

[miffo.swe]

"It is Firefox's fault. They're invoking a Windows API directly without doing any sanity checking on the input." According to your masters its the receiving application that should do the sanity check. There was a rather heated debate on this a while ago when it was IE who forwarded malicious URLS to Firefox. Also, Firefox told IE to open an URL for all it knows, not some random application. The error is in IE7 no matter how you spin it. Dont forget any application besides Firefox can forward this kinds of URLs to IE7. In short any application you use that connects to web pages is a threat to IE7.

Re:Obviously firefoxs fault

Oh please. You're wrong.

The Firefox bug was essentially that it was receiving URLs like "firefoxurl: -chrome javascript:alert('Oops.')" and then, instead of interpreting the URL as a URL it was interpreting it as a command line. This is clearly Firefox's fault - they configured IE to pass Firefox all URLs that start with "firefoxurl:", but neglected to tell IE that it should inform Firefox that it shouldn't emulate a UNIX shell when receiving the URL.

This is why almost all UNIX commands have that helpful "--" option, to suppress further option parsing. In fact, the Firefox fix was essentially to add that feature. They named it something braindead, but essentially they told IE that instead of executing "firefox.exe %s" it should execute "firefox.exe -- %s". Keep in mind that in Windows, the command line is not parsed, it's given directly to the command to parse as it wants.

Now contrast it with this case.

Firefox is giving URLs with INVALID CHARACTERS to Windows, and Windows is treating them as best it can, which can be exploited.

If Firefox were properly handling the URLs and not including invalid characters, this problem wouldn't be happening.

Re:Obviously firefoxs fault

[mhall119]

Since the URL's have the same effect if they are launched from the Windows Start menu, and presumably from any application that passes URLs to Window's URL handler, I don't see how this is Firefox's fault. Combine that with the fact that the URL is valid (%00 is valid URL encoding), and the fact that the flaw only exists when IE7 is installed, and you have a very hard time blaming Firefox for this.

That said, I completely agree with you on the firefoxurl: flaw.

Re:Obviously firefoxs fault

[140Mandak262Jamuna]

Why should the browser be able to run privileged commands on the OS? Why should it have access to anything other than the cache directory?

Re:Obviously firefoxs fault

[TrebleMaker]

for example, could be set in the registry to "shutdown -s -f -t 0" Honestly, I read that as "shutdown -s -t -f -u" the first time.

Re:Obviously firefoxs fault

[140Mandak262Jamuna]

download folder could be a sub folder of the cache folder. Without any execute privilege. If you download an executable that you really want to run, you should move it using file manager to another location with execute privilege and then run it. Painful? may be. Inconvenient? Definitely. But safe. Convenience should never trump safety.

If you leave your door open, the cable guy can come in anytime and fix your cable box. You dont have to house sit over that stupid four hour window. Would you do that? Then why people put up such great resistance to the idea that you must take action, not doable by the browser alone, to download and execute a file from the internet?

Re:Obviously firefoxs fault

[Spy+der+Mann]

Microsoft surely knows how to write applications using their own APIs on the operating system *they* developed.

If by "developing" you mean "IT'S ALIVE, IGOR!! IT'S ALIVE!!!", then, yes, I agree with you! :)

Re:Obviously firefoxs fault

[gregorio]

Since the URL's have the same effect if they are launched from the Windows Start menu

Well, what if sending an "format" command to Firefox have the same effect as if it was launched from the Windows Start Menu? The thing is: browsers should NOT allow malicious commands to go past its sandbox. Just "passing" commands to a third party IS insecure behaviour.

Firefox users should not play the blame shifting game, but think that their loved product is responsible for the concept of "everything I click and do without authorising any additional actions on this browser should be secure". Yeah, IE7 received a command from a local app that alows bad stuff to be done? But a lot of local actions allows bad stuff to be done, it's the browser who should be controlling this kind of thing.

That's the same thing as Firefox exectuing a link with "C:\Windows\System32\whatever.exe". It's not "windows's fault for opening it", it's firefox's fault for sending the command.

A browser should NOT redirect commands to external apps unless the security boundaries of that operation are well defined and respected.

Re:Obviously firefoxs fault

[mhall119]

Firefox is passing a _VALID_ URL to the Window's URL handler, which is incorrectly parsing the URL. Firefox is not passing commands, Firefox is passing a URL, which Windows then runs as a command, instead of passing it as an argument to the program assigned to handle URLs of that scheme like it is supposed to (and like it does if you have IE 6 installed). This is a Microsoft flaw.

Re:bug database

Mozilla is leading the race to a patch as they have a PATCH in their bugzilla database.

Re:bug database

[PinkPanther]

No, read the synopsis again:

Mozilla currently is leading the race for a patch, as they have one ready in their bugzilla database.

They are leading the race for a patch. They have one (PATCH) ready in their database.

Errr

[ilovegeorgebush]

To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.

What, sort, of, sentence, is, that?!

Re:Errr

[GreenEnvy22]

I believe that would be one from the William Shatner school of grammar.

No Microsoft Software has Bugs

[Cassini2]

Microsoft software does not have bugs. They have "undocumented features". It is a feature that Internet Explorer 7 works this way. When properly embraced, it extends the operating system with new features, and extinguishes all problems.

Be positive about these features!!! :-)

!Root

[rustalot42684]

Maybe if they weren't running as root *all the time*, they wouldn't have so many problems.

Didn't work for me...

[supremebob]

I tried this on my computer, and the mailto: tag ended up getting redirected to my GMail account. Thanks, Google Toolbar!

Once again, Google saves the day! Is there nothing that Google can't do? :)

Re:well..

[supremebob]

If you're a Windows Vista user, you don't really have a choice. It comes pre-installed if you want it or not.

Yea, pretty much.

[SatanicPuppy]

Worst sentence I've read in a while, and during lunch I had to listen to a friend copyediting some weenie who routinely left out the verbs in his sentences.

Elucidate and superfluous are dross from a word of the day calendar; the english major equivalent of e-penis. Three seperate comma seperated subclauses in the sentence. Overuse of the passive voice. The use of an uncommon acronym (URI) can perhaps be forgiven since it's Slashdot. Hyphens are hard to use well, and should NOT be used unless you know exactly what you're doing.

How about this: "In the author's opinion, users should deregister all unnecessary URIs. He does not, however, give instructions on how to do so."

Re:Yea, pretty much.

[SatanicPuppy]

Actually I was being ironic on purpose. I guess I feel like I have to prove that I'm not against their word choice simply because their bombastic verbiage outstrips my linguistic comprehension, but rather because their grandiloquent ostentation obfuscates their actual meaning. (---E-penis +10 bitches! ;)

Never understood the obsession with big words. The point is to be understood, right? There are times when it is more elegant to use the word that has the exact nuance of meaning that you're trying to convey, but for the most part it's a lot more effective to use a word that everyone will understand.

Re:Yea, pretty much.

[stonecypher]

There are times when it is more elegant to use the word that has the exact nuance of meaning that you're trying to convey, but for the most part it's a lot more effective to use a word that everyone will understand.

Yeah, because if there's one thing that makes language easier to understand, it's changing your usage of a word depending on to whom you speak. Did it occur to you that the root of the problem is your fix? The only reason these people don't know these words is because other people around them are wrapped up in the fantasy that language is defined by usage, and that therefore it is somehow correct to be incorrect.

If you'd just speak formally _all_ the time, that'd be one less source of confusion for the unwashed masses. It turns out these things aren't inbuilt; they have to be learned from exposure. By denying exposure in the desperation to be understandable, you rob them of the chance of understanding in the long term.

Not just Firefox.

[miffo.swe]

Just about any application can forward malicious data to IE7. Microsoft can blame Firefox all they want but the hole will still exist in IE7 after having been patched by the Mozilla org. I repeat, the hole is accessible from any application connecting to the internet, not just firefox. IE6 does not have this security issue so its safe to assume the fault lies with Microsoft. Last time when the roles was the other way around, when Firefox passed malicious things onto IE Microsoft said the receiving application was at fault because it should check if it could handle what it received. Well, this time thats just how it is, IE7 does not check what it receive at all. In short, IE7 is unsafer in this case than IE6 was and the fault does according to previous statements from Microsoft no lie in the sending application (Firefox) but in the receiver (Internet Explorer 7).

Re:Not just Firefox.

[KiltedKnight]

Based on what is said in TFA, if you pass the specially crafted URI into the Start->Run box, it will produce the same results.

This indicates that the problem is in Windows' parsing of URIs... as stated in the article. It's the handling of the NULL (%00) byte.

This has absolutely nothing to do with Firefox, but kudos to the Mozilla developers for trying to block the opening of null-byted URIs.

Re:Not just Firefox.

[griffjon]

as stated in the article. It's the handling of the NULL (%00) byte.

At the risk of abusing a double negative, Windows can't even do nothin' right.

Re:Not just Firefox.

[KiltedKnight]

I suggest you go back and read the article.

If you prefer the Readers' Digest version with your helping of crow:

Installing IE 7 clearly changes the way Windows processes URIs. This is clearly illustrated by what happens if you pass the "bad" link directly to the Windows shell via the "Run" option in the Start menu. With IE6 installed, Outlook Express is launched, with IE7, cmd.exe and the calculator.

And

According to the Bugzilla entry for this problem, one reason for the new vulnerability is that Windows XP interprets the string %00 incorrectly. As a result, instead of the URL protocol handler, the FileType handler is called with the complete URL, via which it is then possible to call further programs with arbitrary arguments.

Survey says - "All of them"?

[pla]

To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.

I can answer that one for ya - Everything that FireFox doesn't handle internally; So basically, kill everything except "http", "https", and "ftp".

If you want to send email, open your email program and paste the address in. If you want to read newsgroups, open your newsreader and select the desired group. If you want to use some specialized protocol that requires a dedicated app anyway (like many P2P URIs), open them in the appropriate program.

Your web browser should not serve as a no-click interface to every network-enabled app on your machine. Period.

Kinda cool

[d3ac0n]

Actually, while incredibly insecure, it is kinda cool to be able to slap in any program path in that malformed string and open any program.

For example, try this one if you have EVE installed on your PC: (You will have to copy-paste it as the Slashdot filter prevents the links from working.)

snews:%00%00../../../../../../windows/system32/cmd ".exe../../../../../../../../Program Files/CCP/EVE/eve.exe " - " blah.bat

Re:bug database

[Alwin+Henseler]

Unfortunately it doesn't fix the real problem, only makes FF work around it. Other applications could have the same issue on affected systems. According to TFA:

(..) one reason for the new vulnerability is that Windows XP interprets the string %00 incorrectly. As a result, instead of the URL protocol handler, the FileType handler is called with the complete URL, via which it is then possible to call further programs with arbitrary arguments.

If this is true, it is the URL protocol handler that needs a patch (or whatever replaces/modifies its behaviour when IE7 is installed).

One more reason I prefer Open Source software: If you're a developer and run into a problem like this, then besides work around it in your application, you also have the option to fix the actual problem (in this case, the OS component that handles URL's). Next to impossible on a closed source OS.

If IE7 is to blame, why isn't IE7 vulnerable?

[StonyUK]

If IE7 is to blame, then how come it isn't vulnerable to such malformed URIs? Presumably it already checks for these 0x00 characters, whereas FF didn't until 3.0a7.

Re:If IE7 is to blame, why isn't IE7 vulnerable?

[TheNicestGuy]

Because technically it's not IE7 that's broken and allowing the exploit. It's Windows' routines that route and execute arbitrary protocol requests. It goes like this:

User clicks an email link, which starts with "mailto:" instead of "http:".
Firefox sees "mailto:" and realizes it's not a protocol it's designed to handle.
Firefox says, "Hey, Windows, I don't know what to do with a mailto: request. You handle it."
Windows compares the mailto: to its list of registered handlers, decides that Outlook Express is the application the user really wants, and launches it.

The bug, however, is that corrupting the part after mailto: with null characters causes that last step to malfunction and blithely pass the remainder of the request directly to the Windows shell, not Outlook Express, allowing it to do pretty much anything the user is allowed to. Two things should be clear here. First, that it's not really Firefox's fault. Invalidating or truncating the link if it contains null characters is certainly a good idea, but that doesn't mean that Windows' bug is justified. As has been pointed out, the bug would still be a problem for any other application that passes requests to the protocol handler.

The second thing is the answer to your question. Notice that Internet Explorer was not involved in this exchange at all. Even if it were registered as one of the protocol handlers it would be irrelevant, as the bug prevents the real handler from ever being launched. The reason IE7 is dragged into this is because something about the protocol handling routines changes when you install it, such that the exploit is not possible before and is possible after.

So it's a bug in the IE7 installation, not really IE7 itself.

Possible Workaround

[BlakeReid]

FTA:

The latest version of the Firefox extension NoScript also filters URLs that are passed to external handlers. Once installed, at least the demo exploits only open empty windows, while for example normal mailto:-URLs still work.

Looks like http://noscript.net/ will cover you if you're looking for a temporary fix.

Sounds like what I did on a mac

In college they had a computer lab of OSX machines that was locked down from using the terminal and other applications. I fired up firefox (because I am not too fond of Safari) and did telnet:// and it just opened up the terminal. Same thing happened with ichat, which was installed but I couldn't run it from the desktop. ichat://.

Thanks Mac-Firefox :-)

A simple solution... WAKE UP!

[Torodung]

Here's a solution. Look at your status bar. If you see some wacko, malformed mailto: address appear when you hover over the link, don't click on it. The damned thing is longer than my arm! If it doesn't say joeuser@domain.foo, don't click. That simple.

I know no one here is dumb enough to click like a hamster hitting the feeder bar for pellets, so that's basically for rhetorical effect. But I want to know why these Heise security "gurus" are hyping Firefox "flaws" that are barely exploitable (the other day it was about a web domain being able to "steal" passwords for its own domain), and not nearly capable of causing the kind of damage they claim. Where do they get off attributing a Windows Mail exploit to Firefox, and how on earth would a conscious user fall for this? The exploit or the FUD?

A remote gateway? Baloney. You have to *click* on the mailto: (nntp:, etc.) to get it to even work. And even then, there'd have to be malicious code on your system in the first place to run. Calculator isn't a payload, folks. You need to have a trojan on board, in a default location, and then you need to click on another trojan (the malformed link). If the user is that stupid, they're already botnetted from double-clicking on "b00b13z.avi.wsf". It's FUD, FUD and more FUD.

A machine is only as secure as it's user is wise.

Plus, you have to be running IE7, which most Firefox users aren't, unless you got sucker punched into loading Vista.

And Heise spins this as somehow being Mozilla's problem? You could create the same situation with Lynx for crying out loud! All it takes is a malformed mailto: link. The command line will do it! That means you'd better watch out for malicious BATCH files, folks, because that's all it'll take.

No one on Slashdot is stupid enough to fall for that right? At least batch files are still "open source."

And since it doesn't happen with IE6, or if you have any sensible mail programs installed, clearly IE7's suite, Windows Mail in particular, has a flaw. A big juicy exploitable flaw. Else, Lynx has it's first 0-day exploit.

And you bet it'll slip past the UAC, if that's not a clear warning shot to you Vista boosters. Thank you Mozilla for having the sense to fix this problem even though it isn't your problem. You are proving that FOSS is the easiest code base to secure.

Boy, this kind of shoddy, FUD-laden, biased coverage really makes me mad. This has nothing to do with Firefox and everything to do with Microsoft not understanding its own code base and OS security structures.

--
Toro

Re:A simple solution... WAKE UP!

[xssniper]

It's great to know that you FULLY understand the security implication of this issue. If everyone was like you we would all be SO MUCH SAFER!!

The Proof of Concepts I provided are exactly that... PROOF OF CONCEPT! In my examples, I purposely place the exploit behind a link, so that you know and control whats coming. I could have easily placed the payload in a "body onload" tag and you would have just been hit with it... no user interaction required.

To make matters worse, when you combine something like this with Cross Site Scripting or Cross Site Request Forgery you can force another domain to send the payload for you... I've been in the security realm for some time now... but HEY... what do I know... it seems that you have it all figured out... Remote Command Execution with no user interaction via Firefox is no big deal... its just FUD...

Re:A simple solution... WAKE UP!

[jmv]

Here's a solution. Look at your status bar. If you see some wacko, malformed mailto: address appear when you hover over the link, don't click on it. The damned thing is longer than my arm! If it doesn't say joeuser@domain.foo, don't click. That simple.

Not that simple. Many browsers allow the remote site to change the string in the status bar by default (that's the first thing I disable). Until browsers show you the real destination by default, you can't expect people to notice the malformed mailto:

Code for the patch

[Lost+Penguin]

Set WshShell = WScript.CreateObject("WScript.Shell")
intReturn = WshShell.Run("del c:\windows\iexplore.exe")
WshShell.Popup "Windows is now secure."

Re:its worth noting

[Headcase88]

I dare you to try to make an OS that isn't strongly integrated with / dependent on an internet browser. It's as hard as making a toaster that can't wash dishes, but can somehow still toast bread.

just forgot to inform you about a default param

[someone1234]

bool FeedDog(int amount, bool lead=true);