In association with heise online

11 July 2007, 14:32

Vulnerability through parallel installation of Firefox 2 and Internet Explorer

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Making use of an unexpected interplay between Internet Explorer and Firefox 2, an attacker can execute arbitrary commands on a PC via a specially crafted website. The source of the problem is the processing of a Firefox-specific URI firefoxurl://, which enables a new Firefox instance to be started with an arbitrary address. The URI is registered in the form firefox.exe -url "%1", where the parameter is the page to be opened. According to Thor Larholm, it is also possible to transfer additional parameters to the new instance of Firefox by entering a quotation mark in the parameter. This permits, among other things, JavaScript to be executed in the chrome context - with full access to local resources - via the option -chrome.

Fortunately, this type of URL is inaccessible by Firefox, as there is apparently some protection against attacks of this sort in the command line. Here's where Internet Explorer comes into play: it doesn't care what follows the link. The only requirement is to recognise which program is assigned to the URI firefoxurl. That's how it accesses Firefox with specially crafted parameters. using these, it is then possible to load arbitrary plug-ins in Firefox, execute arbitrary commands and start additional programs. A page with demos shows, among other things, how to exploit this to start the prompt without a request. In a test conducted by heise Security editors, the other demos listed there did not function, however, or caused a warning message to be displayed indicating that an external application would be started. Even Thor Larholm, who discovered the vulnerability, has released a demo that apparently only functions with additional modifications. Larholm will be providing a revised version soon, though.

Who is responsible for the vulnerability has not yet been definitively clarified. Some security service providers blame Firefox 2, since it registers the special URI. On the other hand, others think that Internet Explorer is the perpetrator since it activates the URI or crafted URL without any additional check. For Windows users who have both browsers installed but primarily use Internet Explorer, the only thing that can currently help is to deregister the URI. For this purpose, it is sufficient to enter the following commands at the prompt:

reg delete HKCR\FirefoxHTML /f

reg delete HKCR\FirefoxURL /f

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit