Firefox and Internet Explorer 7 still not getting along [Update]
The bickering between Microsoft and the Mozilla Foundation about registered protocol handlers and the resulting security problems continues. A new demo has been published, illustrating how the latest version of Firefox running under Windows XP SP2 can be made to start an application using crafted links. Clicking on a manipulated mailto:, nntp:, snews: or news: link opens the command line and the Windows calculator. In principle, any command can be executed and code can be injected and executed via a website in this way.
However, for the demo to work, Internet Explorer 7 needs to be installed. If only Internet Explorer version 6 is installed, only the standard mail client Outlook Express opens. It is not entirely clear what role Internet Explorer 7 plays here, but installing it evidently changes the way Windows processes URIs. This is illustrated by what happens if you pass the "bad" link directly to the Windows shell via the "Run" option in the Start menu: with IE6 installed, Outlook Express is launched; with IE7, cmd.exe and the calculator are.
According to the Bugzilla entry for this problem, one reason for the new vulnerability is that Windows XP interprets the string %00 incorrectly. As a result, the FileType handler is called with the complete URL instead of the URL protocol handler, which makes it possible to call further programs with arbitrary arguments. To defuse the problem, the Firefox developers want to prevent the opening of links containing null bytes (%00). A patch implementing this has already been introduced into the development version. Until a new official version of Firefox is released, there is no viable workaround.
The question of who is responsible for this vulnerability is again likely to be the subject of heated debate. In the previous cross browser vulnerability, Internet Explorer was passing crafted URLs to Firefox. In that case, the IE team denied all responsibility, stating that, "It is the responsibility of the receiving (called) application to make sure it can safely process the incoming parameters." If this is the case, then it would be Microsoft rather than Mozilla who find themselves forced to make the next move in remedying the unsafe behaviour.
The authors of the demo note that there are many further examples of such vulnerabilities via registered URIs. What is so far visible is just "the tip of the iceberg". They state that registered URIs are tantamount to a remote gateway into your computer. To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.
The Windows scripting host tool Dump URL Handlers should offer assistance in tracking these down. It searches through the registry and shows all registered URIs and the associated application. According to the programmer, the authors of the exploit also used this tool during their bug search.
The latest version of the Firefox extension NoScript also filters URLs that are passed to external handlers. Once installed, at least the demo exploits only open empty windows, while for example normal mailto:-URLs still work.
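The filtering described above (the Firefox patch that refuses links containing %00, and NoScript's check on URLs passed to external handlers) can be sketched as follows. This is an added example, not Firefox or NoScript code: the function names and the scheme allow-list are assumptions, and it goes slightly beyond the page by also rejecting the double-encoded form %2500.

```javascript
// Added example: a gate run before a link is handed to an OS protocol handler.
// Names and the scheme allow-list are assumptions, not Firefox or NoScript code.
const EXTERNAL_SCHEMES = new Set(['mailto', 'news', 'nntp', 'snews']);

// True if the URI carries a NUL byte, raw or percent-encoded. "%25" is unwrapped
// a bounded number of times so that "%2500" is treated like "%00".
function containsNul(uri, maxRounds = 4) {
  let s = uri;
  for (let i = 0; i <= maxRounds; i++) {
    if (s.includes('\0') || s.includes('%00')) return true;
    const next = s.replace(/%25/g, '%');
    if (next === s) return false; // nothing left to unwrap
    s = next;
  }
  return true; // still unwrapping after maxRounds: fail closed
}

// Decide whether a link may be passed on, and say why not if it may not.
function checkExternalUri(uri) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(uri);
  if (!m) return { allow: false, reason: 'no scheme' };
  if (containsNul(uri)) return { allow: false, reason: 'NUL byte' };
  if (!EXTERNAL_SCHEMES.has(m[1].toLowerCase())) {
    return { allow: false, reason: 'scheme not on allow-list' };
  }
  return { allow: true, reason: 'ok' };
}

// Constructed sample links for illustration (not taken from the demo).
const SAMPLES = [
  'mailto:user@example.com',
  'mailto:user%00@example.com',
  'NEWS:comp.security%2500',
  'snews://news.example.com/group',
  'example-app:open',
];
for (const uri of SAMPLES) {
  const r = checkExternalUri(uri);
  console.log(`${r.allow ? 'PASS ' : 'BLOCK'} ${JSON.stringify(uri)} (${r.reason})`);
}
```

Ordinary mailto: and news links pass unchanged, which matches the behaviour the article reports for NoScript.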
- Remote Command Exec (FireFox 22.214.171.124 et al), report from Billy (BK) Rios
- Some schemes with %00 launch unexpected handlers on windows, Bugzilla entry about this problem
- Vulnerability through parallel installation of Firefox 2 and Internet Explorer, report by heise Security