Microsoft should block that IE-to-Firefox attack vector


Summary: The ongoing confusion over the IE -> Firefox security vulnerability, which introduces a nasty attack vector for Windows users with both browsers installed, has raised a serious question about the responsibility of software vendors to protect their customers.


First, a quick recap:

  1. Thor Larholm releases proof-of-concept for what he calls an Internet Explorer zero-day, showing how an IE user clicking on a malicious link could be attacked if Firefox is installed on the machine.
  2. Secunia issues a separate advisory to make it clear that this is *NOT* an IE vulnerability. The problem is that Firefox registers the "firefoxurl://" URI handler and allows invoking Firefox with arbitrary command line arguments.
  3. Larholm concedes that Firefox is the current attack vector but makes the argument that Internet Explorer is to blame for not escaping " (quote) characters when passing on the input to the command line.
  4. Mozilla security chief Window Snyder says a Firefox fix will be developed to protect its userbase.
  5. Microsoft's only response to the issue is this blunt one-liner: "Microsoft has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product."


So, if Firefox is developing a fix and Microsoft insists it's NOT a problem with IE, that settles it, right?

Not so fast. Two things that make it murky:

  1. If you are using Firefox to browse the Web, you are NOT exposed to this attack scenario.
  2. The vulnerability is only exposed when a user visits a maliciously rigged Web page in Internet Explorer.

Window Snyder, in a follow-up blog entry, spells it out clearly.

Any Windows application that calls a registered URL protocol without escaping quotes may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. This could result in a critical security vulnerability.

The vulnerability is exposed when a user browses to a malicious web page in Internet Explorer and clicks on a specially crafted link. That link causes Internet Explorer to invoke another Windows program via the command line and then pass that program the URL from the malicious webpage without escaping the quotes. This can cause data to be passed accidentally from the malicious web page to the second Windows program. In the specific attack described in the report, Internet Explorer sends URL data to Firefox. If the data is crafted a certain way it will allow remote code execution in Firefox.

Although Mozilla will issue a fix, Snyder believes Microsoft should play its part and issue its own patch because the malicious data is being passed from IE to Firefox.

Snyder warns:

Other Windows programs may also be vulnerable to bad data being passed from IE although we are not aware of any at this time.

To be fair, Microsoft never explicitly said it won't issue its own IE patch but as Liu Die Yu explains, this class of attack has been known for a long time -- as far back as 2004. Liu Die Yu, one of the original browser security gurus, says it's a "surprise" that after all these years, such "an extremely simple vector of attack still works in IE."

Microsoft declined to provide a spokesman for an interview on this issue.

It's instructive to note that when Larholm disclosed this exact issue in the Safari for Windows beta, Apple issued a patch immediately. Same bug, same attack class, same Firefox attack vector and Apple issued a patch.

Even if you want to make the argument that this is exclusively a Firefox problem, Microsoft still has a responsibility to its own customers -- in this case, IE and Windows users.

If there's a way for Microsoft to sanitize those inputs to avoid potential problems down the road -- with any piece of software sitting on Windows -- the company should provide that fix as part of its defense-in-depth approach to dealing with security.
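
The quote handling Snyder describes and the caller-side sanitizing argued for above, as an added example (not code from this article, Mozilla or Microsoft): it substitutes a URL into a handler command template, splits the result with simplified Microsoft C runtime quoting rules, and compares the argument list with and without percent-encoding the quote. The handler path, the exampleapp:// scheme and the -constructed-flag option are constructed for illustration.

```python
from urllib.parse import quote

# Hypothetical URL-protocol handler registration (constructed, not a real product's value).
HANDLER_TEMPLATE = r'"C:\Program Files\ExampleApp\app.exe" -url "%1"'


def split_windows_cmdline(cmdline):
    """Split a command line using simplified Microsoft C runtime quoting rules."""
    args, cur, in_quotes, started, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\":
            run = 0
            while i < len(cmdline) and cmdline[i] == "\\":
                run, i = run + 1, i + 1
            if i < len(cmdline) and cmdline[i] == '"':
                # 2n backslashes + quote: n backslashes, quote toggles quoting.
                cur.append("\\" * (run // 2))
                if run % 2:  # odd run: the quote is escaped, keep it literally
                    cur.append('"')
                    i += 1
            else:
                cur.append("\\" * run)
            started = True
            continue
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if started:  # whitespace outside quotes ends the argument
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
        i += 1
    if started:
        args.append("".join(cur))
    return args


def launch_argv(url, escape_quotes):
    """argv the handler receives after the caller substitutes url for %1."""
    if escape_quotes:
        # Caller-side fix: percent-encode the quote and space (RFC 1738
        # "unsafe" characters) while leaving URL syntax characters alone.
        url = quote(url, safe=":/?#[]@!$&'()*+,;=%-._~")
    return split_windows_cmdline(HANDLER_TEMPLATE.replace("%1", url))


if __name__ == "__main__":
    crafted = 'exampleapp://open" -constructed-flag "value'  # constructed input
    print(launch_argv(crafted, escape_quotes=False))  # five arguments
    print(launch_argv(crafted, escape_quotes=True))   # three arguments
```

Without escaping, the quote in the URL closes the quoted %1 argument and the rest of the link arrives as separate command-line options; with escaping, the handler sees one URL argument.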

Ignoring an attack vector that affects your customers -- whether it's your fault or not -- isn't being responsible. In this case, Microsoft shares the fault and should follow Mozilla and Apple's lead.

Topics: Security, Browser, Microsoft, Windows


Talkback

154 comments
  • ROTFLMAO !!! What a barrel of laughs ,,,

    So Microsoft is too lazy to fix their problem . Sure it's Apple's Safari , no it's Mozilla's Firefox . Sure blame everyone , it's never Microsoft's fault . Folks what do you expect from spaghetti/swiss cheese code . Microsoft has a good track record when it comes to serious flaws , and just recently bones were discovered in Microsoft's closet . Oh the poor Microsoft Lemmings , when will you learn not to trust the Goliath (Microsoft).
    I'm Ye, the MS SHILL .
    • Champion metaphor mashup

      Nice job - I counted five mixed metaphors in that single short post. A barrel full of spaghetti with swiss cheese on top, fed to lemmings who are crawling around on a pile of bones looking for a femur or something with which to attack Goliath.

      With practice, you could probably write a Bulwer-Lytton winner.
      Ed Bott
      • I couldn't help myself on that one .

        This story was just killing me when I read it . It was kind of hard to think , considering I had way too much going on in my mind .
        I'm Ye, the MS SHILL .
        • Good theory.

          So now Microsoft has to cure every flaw of every piece of crap software that can be installed on the OS. Great. Great for everyone if they are stupid enough to do it, it solves users' problems of installing poorly designed software on Windows because Microsoft will cure other vendors' crappy coding and the end user has nothing to worry about. On the other hand sanity might inform a normal person that no OS producer is going to try and retroactively fix problems that poorly coded third party software creates. It might be a nice dream but it's entirely unreasonable. I get a laugh out of clowns who just assign a shortcoming in any piece of software to Microsoft even if Microsoft had nothing to do with the design of the software at all.
          Cayble
          • Fine if Microsoft won't fix it , let Mozilla do the job .

            It's not the first time a 3rd party had to fix Microsoft's C.R.A.P. If anything I'm hoping Mozilla fixes this so Mozilla can shine . As for Microsoft I hope they don't fix the issue , it will only make them look worse than they did before . That big Microsoft sign in Redmond must be looking tarnished by now .

            "In a world without walls & fences , who needs windows & gates."
            Intellihence
          • Sorry, what did you write?

            It's Microsoft Internet Explorer that starts the other program through a command shell (or equivalent method), it's not Firefox that's not quoting their arguments properly. Should this scenario show up in the Unix world, and it has, everyone would blame Microsoft for not doing a clean, proper sending of arguments to the other program. Not the other program allowing arguments on commandline when it starts.

            This error is like a CGI web program having SQL insertion. No one should blame the SQL server for this, everyone else would blame the CGI program! And you blame the SQL server from executing SQL questions...

            But then again, you prob. have to adjust who to blame depending on which side Microsoft has written the code. You get problems when MS is on both sides, but that is your problem...
            Jxn
          • That was pretty random. Did you reply to the wrong article?

            This is about a security flaw in Internet Explorer (which according to Microsoft is an inseparable part of the Windows operating system), that allows malicious webpages to run programs with arbitrary command-line options. Pretty serious problem with IE, and it needs fixed ASAP.
            AzuMao
  • At least it is being fixed by Mozilla

    I have to wonder, as George Ou stated, that MS seems determined to always snatch PR failure. Whose bug it is is largely irrelevant, it appears to be cross application and as outlined, it can't happen unless you use IE. Safari fixed it, now Mozilla will fix it, what will MS do when an attack vector URL invokes one of their products (a live offering, or Word or whatever?). It won't be a Windows bug, but it won't be a Live service bug, and since IE is "only a gateway" it won't be an IE bug?

    In terms of a fix, if one developer with one day could not build a patch to fix this, they need to revisit their hiring policies.

    Can anyone answer why MS, instead of just fixing this, decided to take the massive PR blowback? It boggles the mind. Could they really be hoping that this would lead a user to uninstall FireFox?

    TripleII
    • re:At least it is being fixed by Mozilla

      That is correct TripleII , Mozilla is fixing the issue . Which is more than can be said of Microsoft . I'm hoping Microsoft users worldwide take a good look at Microsoft and see what games they are playing . In fact the D.O.J. should be looking into this also . I smell a dirty rat ,,,
      I'm Ye, the MS SHILL .
    • Hey if it decreases their exploit count

      then by all means let's dodge the notch for this one as well.

      Who knows how many others are lurking that were not added into their supposed exploit count to determine Windows "security."
      Kid Icarus
    • You sir don't appear to have a clue.

      Uninstalling FireFox is hardly the issue. Think about the reality for a second instead of just hating Microsoft. If this is an issue for someone they already own Windows, Internet Explorer is already installed and it isn't going to make a whole pile of difference to Microsoft even if this kind of move induced what would end up being a tiny percentage of Windows users to install FireFox. I know people who use FireFox and none of them have ever even heard of the problem!! Not one! But of course they are the average person on the street so to speak and are not viewing the internet and world of computers through the jaded eyes of an IT specialist, so rest assured; at best this move could never ever in any circumstance cause more than a tiny tiny percentage of people to install FireFox.

      I'm also betting that the informed IT people who do know about this also recognize the difference between a proof of concept and an actual widespread outbreak that might actually have a snowball's chance in hell of actually affecting them, so most informed people will not uninstall either. I don't care how stupid you think MS is, they know this as well.

      Thirdly, those who can read and don't like Internet explorer at all will also note that "If you are using Firefox to browse the Web, you are NOT exposed to this attack scenario." So again as reality hits you over the head...just how many people could Microsoft be hoping might actually uninstall FireFox? Maybe a handful?? Maybe? Try getting real. Microsoft didn't do this because they felt it would somehow turn the world off the hugely popular FireFox browser, there is no way ever that would do it, never ever.

      Microsoft did it because they want no part in patching up others' shoddy coding that they had no part in creating. They are not about to start setting precedents of that kind because everyone and their cousin are writing Windows compatible software and as time progresses there are going to be plenty that are popular and are made with broken code that punches holes in the Windows OS, so MS is just saying generally, to all third party software manufacturers that they have to take responsibility for their own code and not to produce garbage that wrecks the OS. If you put a popular aftermarket part on your GM vehicle and the manufacturer of that custom part says it should work, don't expect GM to design and offer up free installation of new parts to support the aftermarket part because it's breaking stock GM automobiles after it's installed. You will never ever see that.

      But I forgot, we are dealing with MS here, and MS is always at fault even when it's someone else's software.

      In case anyone hasn't noticed, I'll just let you know, that outlook strongly indicates a personality disorder in the mind that truly believes it. Microsoft does more than enough wrong without blaming weak flawed coding of third party vendors on them.
      Cayble
      • Sorry, it is you who is clueless

        As I have written, if this has happened in Unix world, and it has like SQL code injection in web servers, the right fix is to fix MS IE, not Firefox (that is the CGI program that generates SQL question would be fixed to quote arguments sent to SQL, not try to hack around the problem in the SQL server).
        If you have understood the problem, it can happen to ANY program that starts in this way from MS IE. Not only Firefox.
        So the PROPER way to fix this is in MS IE so no other program can be exploited like this.

        So this is a bug that MS has known about earlier and has chosen not to fix the bug. And it's an easy fix, handling quoted argument when starting other programs.

        Instead they demand other program developers to hack around the bug. This is MS bug, no matter how you look at it...
        Jxn
    • A day? What the hell?

      It shouldn't take a day to escape a ****ing quote.

      (Unless they code by hand in a hex editor.. but I'm pretty sure that's not the case.)
      AzuMao
  • Ryan, Microsoft cannot protect their users ....

    ... from every poorly written 3rd party program. All the parties involved agree that this is a Firefox issue including Mozilla who intends to provide the patch. If Microsoft attempted to patch this they would be accused of sabotaging Mozilla by removing functionality and you know who would be saying it. The clueless posters in this thread!
    ShadeTree
    • What a bunch of Bull ShadeTree .

      If you read the story ShadeTree , you would have noticed that this is the same issue that Apple's Safari was having . It's in Ryan Naraine's story , and also at ComputerWorld http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026798&intsrc=hm_list

      In ComputerWorld's article the Security vendors are split on whose fault it is . ShadeTree where did you get your facts from ? Oh I forgot you MS Zealots don't need to post any evidence , your word of mouth is so true . NOT!!! Get real Shady , everyone here on ZDNET is fed up with you MS Zealots F.U.D.
      I'm Ye, the MS SHILL .
      • Your post is a bunch of Bull!

        "1. Secunia issues a separate advisory to make it clear that this is *NOT* an IE vulnerability. The problem is that Firefox registers the "firefoxurl://" URI handler and allows invoking Firefox with arbitrary command line arguments.
        2. Larholm concedes that Firefox is the current attack vector but makes the argument that Internet Explorer is to blame for not escaping " (quote) characters when passing on the input to the command line.
        3. Mozilla security chief Window Snyder says a Firefox fix will be developed to protect its userbase."

        If Secunia says it is a Firefox flaw, the guy that originally reported it concedes Firefox is the attack vector and Firefox is patching it, the facts are conclusive. Windows users should immediately remove Firefox from their computers and the problem is solved!
        ShadeTree
        • Right back at you ShadeTree

          Currently I'm using Firefox on Mac and I'm not having an issue , I can use Firefox on Linux and I still won't have an issue . If you read the whole story at ComputerWorld you'd know security vendors are split on this .

          "Larholm also said that the IE bug is similar to the input validation vulnerability in Safari 3.0 that he spotted the same day Apple Inc. released the Windows browser in beta."

          Coincidence , I don't think so , read on

          No fixes -- for either Firefox or IE -- are available, although in a comment posted last month to a security message forum, Dan Veditz, a Mozilla developer, said the team is preparing a patch. "[We are] working on protecting users from this on our end for a future security update," said Veditz. Nonetheless, Veditz, like Larholm and Symantec, said IE should shoulder responsibility for the zero-day vulnerability.

          " , ", but the Firefox team has been looking into back-stop protection in our app since we saw Thor Larholm's Safari 0-day post," Veditz wrote."

          As quoted on the last paragraph , "I do think IE should escape quotes in URLs (RFC 1738 considers them an 'unsafe' character in URLs)"

          Does this make any sense or are you only siding with Secunia , when many others have stated that this is a Microsoft issue . Don't feel sad/mad/bad because I made you look foolish .
          I'm Ye, the MS SHILL .
          • The only one you make ....

            ... look foolish is yourself. When Mozilla chose to write their application for Windows they chose to make it work with Windows. It was the responsibility of Mozilla to secure their application and not Microsoft. Furthermore if they knew of this problem since Safari was released why hasn't it already been patched?
            ShadeTree
          • Microsoft knew of this issue since 2004 but refused to fix it . WHY ?

            Had Microsoft fixed the issue , no one here would be arguing . In fact this wouldn't have been a story either . Here take these bones and stuff them back into Microsoft's closet . That's where it belongs . Soon Microsoft will have a suit made of bones by the end of this summer .
            I'm Ye, the MS SHILL .
          • Mozilla has admitted to knowing about it too.

            Why didn't they fix it instead of loading the attack vector? Your ABMer stance just doesn't pass the stink test.
            ShadeTree