The ongoing confusion over the IE -> Firefox security vulnerability, which introduces a nasty attack vector for Windows users with both browsers installed, has raised a serious question about the responsibility of software vendors to protect their customers.
First, a quick recap:
- Thor Larholm releases proof-of-concept for what he calls an Internet Explorer zero-day, showing how an IE user clicking on a malicious link could be attacked if Firefox is installed on the machine.
- Secunia issues a separate advisory to make it clear that this is *NOT* an IE vulnerability. The problem is that Firefox registers the "firefoxurl://" URI handler and allows invoking Firefox with arbitrary command line arguments.
- Larholm concedes that Firefox is the current attack vector but makes the argument that Internet Explorer is to blame for not escaping " (quote) characters when passing the URL on to the command line.
- Mozilla security chief Window Snyder says a Firefox fix will be developed to protect its userbase.
- Microsoft's only response to the issue is this blunt one-liner: "Microsoft has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product."
So, if Firefox is developing a fix and Microsoft insists it's NOT a problem with IE, that settles it, right?
Not so fast. Two things that make it murky:
- If you are using Firefox to browse the Web, you are NOT exposed to this attack scenario.
- The vulnerability is only exposed when a user visits a maliciously rigged Web page in Internet Explorer.
Window Snyder, in a follow-up blog entry, spells it out clearly.
Any Windows application that calls a registered URL protocol without escaping quotes may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. This could result in a critical security vulnerability.
The vulnerability is exposed when a user browses to a malicious web page in Internet Explorer and clicks on a specially crafted link. That link causes Internet Explorer to invoke another Windows program via the command line and then pass that program the URL from the malicious webpage without escaping the quotes. This can cause data to be passed accidentally from the malicious web page to the second Windows program. In the specific attack described in the report, Internet Explorer sends URL data to Firefox. If the data is crafted a certain way it will allow remote code execution in Firefox.
Although Mozilla will issue a fix, Snyder believes Microsoft should play its part and issue its own patch because the malicious data is being passed from IE to Firefox.
Other Windows programs may also be vulnerable to bad data being passed from IE although we are not aware of any at this time.
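The mechanism Snyder describes, as an added illustration (this is not Larholm's proof-of-concept, nor Mozilla's or Microsoft's code): a URL protocol handler is registered as a command template with a "%1" placeholder, the calling application substitutes the clicked URL into that placeholder, and if a quote in the URL is not escaped it closes the quoted argument early, so the rest of the URL becomes extra command line switches for the target program. The handler template, the scheme, the sample links and the "-placeholder-switch" name below are all assumptions made up for the example; the parser follows the ordinary Windows rules for splitting a command line into arguments (quotes group, backslashes escape quotes), simplified.

```python
"""URL protocol handler argument injection through an unescaped quote.

Added example; not the original post's code, nor any browser vendor's.
"""

# Assumed handler registration in the style of HKCR\<scheme>\shell\open\command.
# The exact Firefox 2.0.0.4 registration is not reproduced; only the "%1"
# substitution matters for the point being made.
HANDLER_TEMPLATE = '"C:\\Program Files\\Mozilla Firefox\\firefox.exe" -url "%1"'


def win_argv(cmdline):
    """Split a command line into argv the way the Windows C runtime does.

    Simplified rules: whitespace separates arguments outside quotes, a bare
    quote toggles quoting, 2n backslashes before a quote become n backslashes
    plus a quote delimiter, 2n+1 become n backslashes plus a literal quote.
    """
    args, cur = [], []
    in_quotes = have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (nbs // 2))
                if nbs % 2 == 0:
                    in_quotes = not in_quotes   # even count: quote is a delimiter
                else:
                    cur.append('"')             # odd count: literal quote
                i = j + 1
            else:
                cur.append("\\" * nbs)          # backslashes not before a quote are literal
                i = j
            have_arg = True
        elif c == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def build_command_naive(url):
    """Drop the URL into %1 unescaped: the behaviour the post attributes to IE."""
    return HANDLER_TEMPLATE.replace("%1", url)


def build_command_escaped(url):
    """Neutralise the quote before substitution.

    A literal '"' is never valid in a URL, so percent-encoding it loses
    nothing; rejecting such URLs outright is an equally sound choice.
    """
    return HANDLER_TEMPLATE.replace("%1", url.replace('"', "%22"))


def injected_arguments(url, builder):
    """Return every argv entry beyond the expected [exe, '-url', <url>]."""
    return win_argv(builder(url))[3:]


# Constructed sample links: one benign, one carrying a quote to break out of %1.
BENIGN_URL = "firefoxurl://example.test/page"
HOSTILE_URL = 'firefoxurl://example.test/page" -placeholder-switch "attacker-controlled'

if __name__ == "__main__":
    for label, builder in (("naive", build_command_naive), ("escaped", build_command_escaped)):
        print(label, "argv:", win_argv(builder(HOSTILE_URL)))
        print(label, "injected:", injected_arguments(HOSTILE_URL, builder))
```

With the naive builder the hostile link yields two extra arguments ("-placeholder-switch" and "attacker-controlled") that the target program will interpret as its own switches; with the quote percent-encoded the whole string stays inside the single "-url" argument. Either side of the hand-off can apply the fix: the caller before substituting into "%1", or the handler by refusing to treat anything after the URL as a switch. Snyder's argument is that both should.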
To be fair, Microsoft never explicitly said it won't issue its own IE patch but as Liu Die Yu explains, this class of attack has been known for a long time -- as far back as 2004. Liu Die Yu, one of the original browser security gurus, says it's a "surprise" that after all these years, such "an extremely simple vector of attack still works in IE."
Microsoft declined to provide a spokesman for an interview on this issue.
It's instructive to note that when Larholm disclosed this exact issue in the Safari for Windows beta, Apple issued a patch immediately. Same bug, same attack class, same Firefox attack vector, and Apple issued a patch.
Even if you want to make the argument that this is exclusively a Firefox problem, Microsoft still has a responsibility to its own customers -- in this case, IE and Windows users.
If there's a way for Microsoft to sanitize those inputs to avoid potential problems down the road -- with any piece of software sitting on Windows -- the company should provide that fix as part of its defense-in-depth approach to dealing with security.
Ignoring an attack vector that affects your customers -- whether it's your fault or not -- isn't being responsible. In this case, Microsoft shares the fault and should follow Mozilla and Apple's lead.