IE-to-Firefox flaw debate rages: Ex-Microsoft security strategist weighs in

IE-to-Firefox flaw debate rages: Ex-Microsoft security strategist weighs in

Summary: While Microsoft has declined to comment on the IE-to-Firefox flaw drama (beyond an "it's not our fault" statement), a former security strategist is coming to the company's defense, arguing that there's no real way for Internet Explorer to validate the code being passed to Firefox.


While Microsoft has declined to comment on the IE-to-Firefox flaw drama (beyond an "it's not our fault" statement), a former security strategist is coming to the company's defense, arguing that there's no real way for Internet Explorer to validate the code being passed to Firefox.

Jesper Johansson (left), a Windows internals guru who now works at, has been following the issue closely on his personal blog (see update below) and insists that the documentation makes it clear that IE never makes a promise to validate the URL string being passed to third-party applications.

I ask again, what is it that people want IE, or rather, urlmon.dll, which handles this invocation, to validate the input against? IE does NOT support any FirefoxURL protocol, and knows nothing about what a legitimate invocation of that protocol looks like. The argument could be made that IE should not permit quotes to be passed, but why would quotes be illegal in all custom protocols? The protocol handler provides no information to urlmon.dll on what a legitimate request looks like, and therefore, urlmon.dll has no ability to validate the input. In fact, this is documented: "the URL Protocol handler passes the complete URL string to the application registered in the command" [Registering an Application to a URL Protocol, MSDN Library]. It is quite clear really: IE does not validate the URL string, nor does it ever make any promise to do so. It passes the entire string on to the URL Protocol Handler via a call to ShellExecuteEx, if the application is registered using a simple URL protocol handler invocation.

Johansson says it's clear from the documentation that the responsibility rests with the application to validate the URL string. "If the application can accept, and process, dangerous commands through its protocol handler, as Firefox does, it is even more critical that the application take care to validate the URL before processing it. In fact urlmon.dll even provides such a way," he argues.

However, in the comments section, MITRE Corp.'s security engineer Steve Christy suggests a way for IE to block the attack vector:

The exploit includes a leading quotation mark, which IE appears to insert into the command line, which cuts off the "URL" portion of the arguments being passed to firefox. This seems like a problem that could occur with any arbitrary protocol handler. This could be tested by creating a custom protocol handler and registering it, then seeing if IE correctly escapes/quotes each %1 or related argument before passing it to the receiving program. I can't do this though, since I'm not an MS developer :)

Now, I can see how this would be difficult if not impossible for IE to fix for arbitrary handlers - or any technology that would use external "templates" for modifying command lines (wouldn't surprise me if other browsers have similar problems) - but that doesn't make it the called application's fault that it's being called with switches that the calling application didn't intend.

In response, Johansson said it would be nice for IE to put some more restrictions on what it passed to a protocol handler, but make it clear that it is difficult for IE to make decisions regarding what third-party plug-ins get to see. It's even worse to do it after the fact, he said.

It also is quite clear in the documentation that IE, or urlmon.dll rather, will pass the entire string on to the application. If the handles will parse parameters that can cause problems, then the invocation method used by FF is unsafe.

While the debate rages, I think Microsoft should bear in mind that the people at risk here are Windows users. A hands-off approach doesn't change that.

Topics: Browser, Microsoft, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Spot On - Plenty of Blame and Responsibility All Around

    I think everyone, including OSS Zealots and Ballmer butt-kissers, needs to remember that all sides have some share of the blame and some share of the responsibility to address the issues. Mozilla should fix the FF part of this vulnerability, just like Apple patched Safari. What should MS do? Simply say, "It's not our fault - our documentation even says that urlmon.dll makes it easy for malicious hackers to exploit vulnerabilities in 3rd party apps"? Uh... yeah. I don't think so.

    MS should simply say, "We don't believe this is specifically a vulnerability with a MS product, however, in an effort to protect our Windows users (and a huge part of our revenue) we will take steps to make this attack vector much more difficult to exploit by adding some basic escaping of 'dangerous' characters. In essence, we want our software to be 'good citizens' in the computing landscape so we will take efforts to be part of the solution rather than part of the problem."

    Memo to MS: just fix the problem! You can still finger-point all you want, but if you at least fix your end of the problem you'll be scoring points with the techie community. Actions speak louder than words, so if you say this isn't a MS issue but take ACTION anyway to fix it then we'll be appreciative of that.

    • Responsible is Apple and Mozilla

      Everyone else has either fixed the problem or has said they will fix the problem. They are taking responsibility.

      Everyone that is except Microsoft.
  • Ya can tell why Johansson is the ...

    ...[b][i]Ex[/i][/b]-Microsoft security strategist.

    Whenever you take the Dubya Administration's position of "We'll only work to help solve a problem and admit to doing something wrong when YOU can PROVE it is ALL our fault and nobody else's," you have just hit the bottom of the slope of the corruption sleigh ride.

    What it means is you are CYAing your way through life at the expense of everybody else. I remember a time when politicians AND businessmen banded together when they detected a foe who could hurt potential customers and voters.
    • Good Point.

      Hey where is Non_Zealot??? I know he's around here somewhere.

      Oh that's right. There is no way to interject anti-Apple propaganda. =)
  • Why not allow this

    If I choose to use FireFox, a choice I should be allow to make, then I don't need IE. So why not allow an administrative setting that disables IE from searching the internet. Keep it around for the file manager but block it from making connections out. That way if a FireFox user is safe from having another user start up IE and get them infected. Problem solved in my opinion.
    • Except IE is required to get your Windows Updates.

      Your solution leaves you more at risk then this single vulnerability. But you still don't get it. When Firefox fixes their command processor you won't be at risk any more. In the mean time just don't use IE to surf and you still don't have a problem.
      • Couple of nits

        XP and earlier use IE, Vista has a dedicated program for updates. As far as MS's culpability in this brower issue, I just don't see it.

        What MS is doing, if I understand it, is passing exactly what's passed to them. How is this an MS problem? How is MS to know what's valid and what isn't? What should the rules be, who gets to set the rules, and why?

        The whole URL process (passing arguments) is just an incredibly ugly kludge anyway. Given the nature of the protocols there's really no way around it, but it's still an overly simplistic system that's begging to be abused.
  • If Microsoft determined that passing variables ....

    ... without escape quotes and then enforced and someone allowed this in their application the Microsoft would be the bad guy for crippling their application. The bottom line is this Microsoft has documented that they will not verify parameters being passed to 3rd party applications. It therefor is incumbant on the third party application writers to do so. Mozilla didn't and therefor is to blame. No problem existed before Firefox was loaded. No problem exists after Firefox is unloaded. While Mozilla is patching their broken browser the user can do three things to protect themselves;

    1. Don't install Firefox
    2. If you already installed it then uninstall it
    3. If you insist on using Firefox do not browse with IE.

    Any of these three scenarios will provide adequate protection until Firefox can be fixed.
    • My thought as well

      What if there's an instance where the third-party application needs IE to pass such strings unescaped? Would MS then be blamed for breaking those applications?

      Carl Rapson
      • Escaping can be reversed

        [i]"What if there's an instance where the third-party application needs IE to pass such strings unescaped?"[/i]

        If the "receiving" application needs an unescaped version then there are ways to do it. It is not a big deal.
    • By your logic

      You can also

      1. Do not install Microsoft Windows
      2. If you already installed it then uninstall Windows and install any other OS
      3. If you insist on using Windows do not browse with IE.

      Since this flaw only affects Firefox running on Windows. Any other OS running Firefox is safe from this flaw.

      • Except that a browser is easier to change ....

        ... out then an OS. There was a time that there was an arguement to be made for Firefox. With the advent of IE7 that time has passed. Firefox has proved to be less secure and now doesn't have a feature advantage.
        • Easier to change? IE vs. FF

          Which of these browsers is easier to change? Ever try uninstall IE7? Didn't think so. FF is way easier to use, to extend, to customize, and to secure.

          The [i]only[/i] reason IE has made any improvements at all is because Mozilla made a freely available (and probably better) browser.

          MS should step up and make their stuff better - Apple and Mozilla have already done so. At least they make a reasonable attempt to accept responsibility for their applications. Just because this isn't specifically a MS-only issue, it does highlight the fact that if you wrote the OS and a popular browser, then you *DO* have at least some responsibility to ensure that those products are good citizens in the computing neighborhood.

  • If a programmer does something stupid ...

    If a programmer does something stupid on Unix (*cough* *nix) then it's the programmers fault.

    If a programmer does something stupid on Windows, it's somehow Microsoft's fault.

    We need to quit blaming MS for all the worlds evils and write good code.

    Any commercial product HAS to validate it's inputs - anything can be suspect. I've fired programmers for not doing this. Firefox needs to follow this philosophy, not because it's MS's fault or not, but because it's just good programming.

    == John ==
  • Why would quotes be illegal?

    Johansson says "The argument could be made that IE should not permit quotes to be passed, but why would quotes be illegal in all custom protocols?"

    Why Indeed? Because MS has already done this (in violation of one of the oldest protocols out there) for many years. I'm talking about the foolhardy refusal to accept and pass quoted local parts in an email address. There isn't an MS-based Email system out there (or for that matter a web-based validation of an Email address written to MS standards) that doesn't refuse to accept an email address containing a "+" sign, used for sub-addressing and most commonly in the popular in Pittsburgh Andrew email system (CMU?), part of the RFC's for Email (RFC821, RFC822 and all their follow-ons) since NINETEEN EIGHTY-TWO, and at the same time refusing to allow one to QUOTE that local part, as the same standards allow for in order to not break MTA's that such an address will pass through. You can't have it both ways. You either cooperate with standards or you defy them. MS has always chosen to DEFY them.
  • bad programming practice all around doesn't get anyone off the hook, even M


    i learned long ago that when i wrote a script to handle user input that i had to validate it myself because i couldn't rely on IE or Netscape to do it for me.

    of course, that blew up when users or IT staffs blocked the use of javascript or Jscript.

    then it just looked like my site was crummy.

    we can validate html but not url?

    go blow somebody else's balloon.

    if a programmer believes it's important he will find a way.

    between validating output and validating input there should be at least a 90% chance of passing a good url string and less than a 1% chance of passing a bad one. the overlap there would be that unexpected glitch that lets the bad one get by or the good one to be rejected. it can be minimized, but not completely eliminated.

    i don't use IE to browse the net at home.
    or ever purposely allowed IE and Firefox to interoperate.
    never have wanted to infect firefox with IE instability (or vice-versa).

    just be careful user.
    if someone really wants to corrupt your machine, they will find a way.


  • FIX?

    Nevermind all that Blame Game. Somebody got a valid fix for the hijacking spam that keeps littering my screen? After 2.5 days of running everything from Panda and PrevX to custom-mades, I've still got the Win Anti-Spyware 2007 propagating, and some strange vague audio feed (sounds like it's from a video) that sounds off WITHOUT an application visibly launched. NO fun when you're using that computer for recording original music at the time.
  • Ya.. quotes are supposed to be encoded as[b]%[/b]22. This is basic stuff.