Firefox and IE Still Not Getting Along

← Back to Stories (view on slashdot.org)

Firefox and IE Still Not Getting Along

Posted by Zonk on Thursday July 26, 2007 @06:33AM from the kids-kids-kids dept.

juct writes "Heise describes a new demo showing how Firefox running under Windows XP SP2 can be abused to start applications. For this to work, however, Internet Explorer 7 needs to be installed. This severe security problem promises another round in the 'who-is-to-blame-war' between Mozilla and Microsoft. Mozilla currently is leading the race for a patch, as they have one ready in their bugzilla database. 'The authors of the demo note that there are many further examples of such vulnerabilities via registered URIs. What is so far visible is just "the tip of the iceberg". They state that registered URIs are tantamount to a remote gateway into your computer. To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.'"

9 of 207 comments (clear)

No problem by Anonymous Coward · 2007-07-26 06:36 · Score: 5, Funny

IE is the better browser. Just use that one.
Obviously firefoxs fault by SolusSD · 2007-07-26 06:38 · Score: 5, Funny

All the intertwined security problems HAVE to be caused by firefox, right? I mean-- Microsoft surely knows how to write applications using their own APIs on the operating system *they* developed.
1. Re:Obviously firefoxs fault by jez9999 · 2007-07-26 06:52 · Score: 5, Funny
  
  Browser: "Feed that dog."
  OS: *gets out gun and shoots dog dead*
  Browser: "WTF? What did you do that for?"
  OS: "You told me to."
  Browser: "I told you to feed it!"
  OS: "Yeah, I changed the definition of that yesterday to 'shoot dead'."
  
  --
  == Jez ==
  Do you miss Firefox? Try Pale Moon.
2. Re:Obviously firefoxs fault by TrebleMaker · 2007-07-26 08:32 · Score: 5, Funny
  
  for example, could be set in the registry to "shutdown -s -f -t 0" Honestly, I read that as "shutdown -s -t -f -u" the first time.
  
  --
  In Soviet Russia a beowulf cluster of these things imagines you welcoming your new, neural-network overlords.
Not just Firefox. by miffo.swe · 2007-07-26 06:55 · Score: 5, Informative

Just about any application can forward malicious data to IE7. Microsoft can blame Firefox all they want but the hole will still exist in IE7 after having been patched by the Mozilla org. I repeat, the hole is accessible from any application connecting to the internet, not just firefox. IE6 does not have this security issue so its safe to assume the fault lies with Microsoft. Last time when the roles was the other way around, when Firefox passed malicious things onto IE Microsoft said the receiving application was at fault because it should check if it could handle what it received. Well, this time thats just how it is, IE7 does not check what it receive at all. In short, IE7 is unsafer in this case than IE6 was and the fault does according to previous statements from Microsoft no lie in the sending application (Firefox) but in the receiver (Internet Explorer 7).

--
HTTP/1.1 400
1. Re:Not just Firefox. by KiltedKnight · 2007-07-26 07:24 · Score: 5, Informative
  
  Based on what is said in TFA, if you pass the specially crafted URI into the Start->Run box, it will produce the same results.
  This indicates that the problem is in Windows' parsing of URIs... as stated in the article. It's the handling of the NULL (%00) byte.
  This has absolutely nothing to do with Firefox, but kudos to the Mozilla developers for trying to block the opening of null-byted URIs.
  
  --
  OCO is Loco
Kinda cool by d3ac0n · 2007-07-26 07:22 · Score: 5, Insightful

Actually, while incredibly insecure, it is kinda cool to be able to slap in any program path in that malformed string and open any program.

For example, try this one if you have EVE installed on your PC: (You will have to copy-paste it as the Slashdot filter prevents the links from working.)

snews:%00%00../../../../../../windows/system32/cmd ".exe../../../../../../../../Program Files/CCP/EVE/eve.exe " - " blah.bat

--
Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
Re:bug database by Alwin+Henseler · 2007-07-26 07:34 · Score: 5, Interesting

Unfortunately it doesn't fix the real problem, only makes FF work around it. Other applications could have the same issue on affected systems. According to TFA:

(..) one reason for the new vulnerability is that Windows XP interprets the string %00 incorrectly. As a result, instead of the URL protocol handler, the FileType handler is called with the complete URL, via which it is then possible to call further programs with arbitrary arguments.
If this is true, it is the URL protocol handler that needs a patch (or whatever replaces/modifies its behaviour when IE7 is installed).

One more reason I prefer Open Source software: If you're a developer and run into a problem like this, then besides work around it in your application, you also have the option to fix the actual problem (in this case, the OS component that handles URL's). Next to impossible on a closed source OS.
Re:its worth noting by Headcase88 · 2007-07-26 12:37 · Score: 5, Funny

I dare you to try to make an OS that isn't strongly integrated with / dependent on an internet browser. It's as hard as making a toaster that can't wash dishes, but can somehow still toast bread.

--
"When the atomic bomb goes off there's devastation...but when the atomic bong goes off there's celebraaaaation!"