Security firm Secunia has issued an advisory regarding a newly discovered "highly critical" security flaw in Firefox 2.0 and later, which involves a special URI handler. Although the problem was initially attributed to Internet Explorer by researcher Thor Larholm, Firefox is the culprit.
According to Secunia, “Firefox registers the ‘firefoxurl://’ URI handler and allows invoking Firefox with arbitrary command line arguments.” This means that a malicious site visited in Internet Explorer could pass parameters using that URI handler that would be run automatically in Firefox, without any sort of validation. The firm suggests not visiting untrusted sites until the problem is resolved.
http://www.betanews.com/article/Highly_Critical_Flaw_in_Firefox_20/1184081542
Some interesting comments:
By Scotch Moose posted Jul 10, 2007 - 2:35 PM
The reason for this is that the FirefoxURL handler was added in Firefox 2.0.0.2 as part of a Vista compatibility change. Microsoft asked for it.
The lack of input validation is still a flaw in IE, even if Firefox could have registered their URL protocol handler with DDE instead.
I don’t think we will see Firefox fixed to not accept command line arguments. And don’t stay awake waiting for Microsoft to validate input before launching a URL handler. Your best bet is to remove the URL protocol handlers, that is if you must run Windows.
Really, who thinks launching executable programs with a browser based on the content of a web page is a good idea? This is even worse than ActiveX.
By bourgeoisdude posted Jul 10, 2007 - 2:54 PM
“Really, who thinks launching executable programs with a browser based on the content of web page is a good idea? This is even worse than ActiveX.”
Sadly, Dell, HP, Norton, McAfee, Trend Micro, and countless other manufacturers use this technology for their driver reinstall discs/online virus scans/active updates/etc. It’s tough to kill it because so many people are using it…
By zxo20000 posted Jul 10, 2007 - 2:49 PM
totally agree
By yohimbe9 posted Jul 10, 2007 - 12:48 PM
It starts to make you wonder about all of the other protocol handlers that are installed. A quick registry search in HKCR for “URL Protocol” found an Acrobat (acrobat://), Adobe Bridge (adobebridge), iTunes (daap://, itms://, itmss://, itpc://, pcast://) as well as several for WinAmp, Outlook and Real.
Secunia report:
Description:
A vulnerability has been discovered in Firefox, which can be exploited by malicious people to compromise a user's system.
The problem is that Firefox registers the “firefoxurl://” URI handler and allows invoking Firefox with arbitrary command line arguments. Using e.g. the “-chrome” parameter it is possible to execute arbitrary JavaScript in chrome context. This can be exploited to execute arbitrary commands e.g. when a user visits a malicious web site using Microsoft Internet Explorer.
The vulnerability is confirmed in Firefox version 2.0.0.4 on a fully patched Windows XP SP2. Other versions may also be affected.
Solution:
Do not browse untrusted sites.
Disable the “Firefox URL” URI handler.
http://secunia.com/advisories/25984/
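As an added example (not part of the Secunia advisory or the original post), the PowerShell script below performs the registry audit the comments describe: it lists every scheme registered with a “URL Protocol” value under HKEY_CLASSES_ROOT, the command line it launches, and whether the %1 placeholder is quoted. It assumes a Windows host with read access to HKEY_CLASSES_ROOT; the function name Get-UrlProtocolHandler is my own.

```powershell
# Added example: enumerate registered URL protocol handlers and show the
# command each one runs, so handlers that forward the URL straight to an
# executable (like the firefoxurl:// handler) can be reviewed or removed.
# Assumes Windows and read access to HKEY_CLASSES_ROOT.
function Get-UrlProtocolHandler {
    [CmdletBinding()]
    param()

    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object {
            # A scheme is registered as a protocol when its key carries a
            # "URL Protocol" value (the value's content is usually empty).
            $null -ne $_.GetValue('URL Protocol', $null)
        } |
        ForEach-Object {
            $scheme  = $_.PSChildName
            $cmdKey  = Join-Path -Path $_.PSPath -ChildPath 'shell\open\command'
            $command = $null
            if (Test-Path -Path $cmdKey) {
                # The (default) value holds the command line; %1 is replaced
                # by the full URL when the handler is invoked.
                $command = (Get-ItemProperty -Path $cmdKey).'(default)'
            }
            [PSCustomObject]@{
                Scheme      = $scheme
                Command     = $command
                # An unquoted %1 lets spaces in the URL become extra arguments.
                # Quoting is a weaker signal than it looks: the launched program
                # must still validate what it receives.
                UnquotedArg = ($null -ne $command) -and ($command -match '(?<!")%1(?!")')
            }
        }
}

# Print the audit with the unquoted-argument handlers first.
Get-UrlProtocolHandler |
    Sort-Object -Property UnquotedArg -Descending |
    Format-Table -AutoSize
```

Disabling a handler, as the advisory suggests, means removing or renaming that scheme's key under HKEY_CLASSES_ROOT once you have confirmed nothing you rely on uses it.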
Demo:
This is a simple demo of Cross Browser Scripting through the use of registered URIs
When Firefox 2 is installed, it registers the "firefoxurl" URI in the Windows Registry.
This allows applications which render HTML (like Internet Explorer) to spawn an instance of Firefox.
The danger arises when parameters that are part of the firefoxurl: are passed directly to the Firefox.exe as options, without validation.
By using the firefoxurl URI, it is possible to use Internet Explorer (or other Windows-based browsers) to launch Firefox and immediately launch JavaScript code.
It is also possible to create a user profile, load arbitrary firefox options, and install global extensions, all without user consent.
Attacks using the firefoxurl URI will probably be initiated through the use of XSS or CSRF.
Although these examples are very simple, other, more malicious attacks can probably be initiated.
A demonstration of each vulnerability is given below. The user must have both IE and Firefox installed. Although there are several ways to initiate this vulnerability, this particular example can be launched by doing the following:
1 - Close all Firefox browser windows
2 - Browse to this page with Internet Explorer and click one of the demonstration links
3 - Enjoy
4 - Close all Firefox windows before clicking on the next link
http://www.xs-sniper.com/sniperscope/IE-Pwns-Firefox.html