More about		Changing settings	Security Holes
Java JavaScript/JScript Visual Basic Script ActiveX	Cookies XPI extensions Phishing Copy-Paste	Firefox Internet Explorer 6.0 Internet Explorer 7.0 Opera	Internet Explorer Firefox / Mozilla

Firefox/Mozilla Demo: Installing and executing programs via link icons

The link tag allows the user to supply Web pages with small icons called "favicons" which are displayed in the address field and the tab. If a Web page does not, however, refer to an image, but to JavaScript code, the code is executed with the rights of the local system. As Michael Krax's Firelinking Demo has shown, clicking on a link is enough to download and execute a program.

Although the development team has solved this problem with Firefox 1.0.3, the solution is not fully adequate. The new version only works if the link target starts with "javascript"; in this case, the activity is cancelled. As Krax found out very quickly, this action can be bypassed by simply adding view-source as the preceding word to make the exploit work again.

This problem affects Mozilla, Firefox and probably other Mozilla derivatives on all operating systems. The following demo has only been designed for Firefox; while it might not work with other browsers of the Mozilla family, these browsers may also be vulnerable.

Demo

The browser check demo creates the harmless batch file C:\browsercheck.bat under Windows and launches this file. Under Linux, the file ~/browsercheck.sh is created in the user's home directory and then executed. On Mac OS X systems, the demo launches the text editor. While the demo has been designed for Firefox, it should basically also work on Mozilla.

If clicking on "execute text" opens a new window with a command line and a file listing, the demo worked properly; otherwise, it failed. In some cases two such windows may be displayed due to timing problems. Under Linux, another window with "0" is opened. You can simply close these windows and delete the browser check files on your system.

execute test

Remedy:

If JavaScript is disabled, such attacks cannot be executed anymore, but many Web pages might not function properly, either. In Firefox 1.0.4 and in Mozilla 1.7.8 this bug has been eliminated.