Security Exploit Uses Internet Explorer to Attack Mozilla Firefox
Wednesday July 11th, 2007
Firefox_User sent us a link to a CNET News.com article about a security threat to Windows users with both Mozilla Firefox and Microsoft Internet Explorer installed. The issue can allow an attacker to remotely trick Firefox into executing potentially malicious code. However, a user has to be running Internet Explorer to actually get exploited.
There's some debate as to where the blame lies — is it IE for passing untrusted data to another application or Firefox for not validating input properly? SecurityFocus refers to the problem as a Microsoft Internet Explorer FirefoxURL Protocol Handler Command Injection Vulnerability, placing the blame with Redmond, while Secunia calls it a Firefox "firefoxurl" URI Handler Registration Vulnerability, pointing the finger at Mozilla. News.com quotes Oliver Friedrichs of Symantec's Security Response Center, who says, "It's a little bit of both."
On the official Mozilla Security Blog, the Mozilla Corporation's Window Synder (who used to work for Microsoft) says that a fix will be included in the forthcoming Firefox 22.214.171.124. That said, she seems to suggest that she considers this to be mostly a problem with IE, noting that Apple fixed a similar issue with Safari recently. However, according to the ZDNet Zero Day security weblog, Microsoft claims the firefoxurl:// bug "is not a vulnerability in a Microsoft product".
Thanks to roseman for some of the links used in this report.
#12 Re: Re: Re: Blame?
Thursday July 12th, 2007 1:56 AM
You are replying to this message
#2 is exactly your error in thinking. The app using the handler just passes the data to the handler. The handler needs to verify the input.
The app using the handler does NOT know the rules for validating the data; the handler DOES.
Think about "bash": "bash" can not validate the command line parameters you pass on to "ls". "bash" does not know that "-al" means "long listing all files"; "ls" does know. So "ls" needs to validate the input for correctness. Not "bash"; it can not.
Are you saying that "bash" should have knowledge about all unix commands so that it can validate the command line parameters for correctness. No way. :)
So if firefox changes the validation rules then you need to change the app using the firefox handler also. It does not work that way.
As I said in a post further up, url handlers can be used by any app. Not just ie.