New findings on "Firefox hole"
Opinions differ on who is actually responsible for the vulnerabilities that result from the interaction between Firefox and Internet Explorer 7. US CERT blames Firefox because it does not filter links before passing them to the URI protocol handlers registered for them. As a workaround, US CERT suggests activating a prompt in Firefox that notifies the user when, for instance, a mailto: URI is invoked and offers the opportunity to cancel. To open the configuration page, enter about:config in the Firefox address bar. The following options must then be set to true:
network.protocol-handler.warn-external-default
network.protocol-handler.warn-external.mailto
network.protocol-handler.warn-external.news
network.protocol-handler.warn-external.nntp
network.protocol-handler.warn-external.snews
On its web page, the French FrSIRT also reports a bug in Firefox or Mozilla and Netscape. The service likewise attributes the problem to the Mozilla Foundation browser's lack of filtering when handing over URLs.
Having carried out its own analyses, Secunia is alone in believing that the bug lies in Windows. Secunia has also discovered that a prepared URI does not have to contain the character sequence %00; the percent sign alone is sufficient. Indeed, on a test system in heise Security's labs equipped with Windows XP/SP2 and IE7, a click in Firefox on
mailto:test%../../../../windows/system32/calc.exe".cmd
started the Windows calculator. Consequently, the patch prepared by the Firefox developers will be ineffective because it looks for %00 in the URIs in order to block them.
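The difference between a filter that only looks for %00 and one that validates every percent-escape can be shown in a few lines. This is an added example, not code from Mozilla or from the original report; the function names and the strict rule set are assumptions made for illustration.

```javascript
// Check the article attributes to the prepared patch: block only URIs containing %00.
function naiveFilter(uri) {
  return !uri.includes("%00");
}

// Stricter check (an assumption of this example, not Mozilla's actual fix):
// before a URI is handed to an external protocol handler, every "%" must
// begin a two-digit hex escape, no escape may decode to a control character,
// and raw double quotes or control characters are rejected.
function strictFilter(uri) {
  if (!/^[A-Za-z][A-Za-z0-9+.-]*:/.test(uri)) {
    return { ok: false, reason: "no scheme" };
  }
  for (let i = 0; i < uri.length; i++) {
    const ch = uri[i];
    if (ch === '"') return { ok: false, reason: "raw double quote" };
    if (ch.charCodeAt(0) < 0x20) return { ok: false, reason: "raw control character" };
    if (ch !== "%") continue;
    const hex = uri.slice(i + 1, i + 3);
    if (!/^[0-9A-Fa-f]{2}$/.test(hex)) {
      return { ok: false, reason: "malformed percent-escape" };
    }
    if (parseInt(hex, 16) < 0x20) {
      return { ok: false, reason: "encoded control character" };
    }
    i += 2; // skip the two hex digits just validated
  }
  return { ok: true, reason: "well-formed" };
}

// First entry is the URI quoted in the article; the others are constructed samples.
const SAMPLES = [
  'mailto:test%../../../../windows/system32/calc.exe".cmd',
  "mailto:user@example.com?subject=Hello%20world",
  "mailto:a%00b",
  "mailto:discount50%",
];

for (const uri of SAMPLES) {
  const strict = strictFilter(uri);
  console.log(`${uri}\n  %00-only filter passes: ${naiveFilter(uri)}` +
              `  strict filter passes: ${strict.ok} (${strict.reason})`);
}
```

The URI from the article passes the %00-only check but is rejected by the strict check at its first percent sign.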
- Mozilla Firefox URI filtering vulnerability, bug report from US CERT
- Mozilla Firefox Multiple URI Handlers Remote Command Execution Vulnerability, bug report from FrSIRT
- Microsoft Windows URI Handling Command Execution Vulnerability, bug report from Secunia
- Firefox and Internet Explorer 7 are still not compatible, report by heise Security
(mba)