More Firefox URI handling security hiccups


Mozilla has not quite fixed the security hiccups with URI protocol handling in Firefox.

According to Billy Rios and Nate McFeters, the two security researchers behind the exposure of protocol abuse in popular Web browsers, Firefox is still vulnerable to a remote command injection flaw that could allow hackers to launch executable code on Windows machines.

[ SEE: Mozilla fixes its end of URL protocol handling saga ]

Rios explains:

Nate and I have discovered a way to "...exploit a common handler with a single unexpected URI..." Once again, these URI payloads can be passed by the mailto, nntp, news, and snews URIs, allowing us to pass the payload without any user interaction. So, it seems that although the conditions which allowed for remote command execution in Firefox 2.0.0.5 have been addressed with a security patch, the underlying file type handling issues which are truly the heart of the issue have NOT been addressed.

Rios said Mozilla was contacted "a while ago" about this issue and has promised a more comprehensive patch.

More on the URL Protocol Handling vulnerability saga:

Command injection flaw found in IE: Or is it Firefox?

Microsoft should block that IE-to-Firefox attack vector

Mozilla caught napping on URL protocol handling flaw

Protocol abuse adds to Firefox, Windows security woes


Talkback

17 comments
  • speaking of hiccups

    did you realise you've roughly doubled your text - probably in trying to quote without quoting?

    I gave the information a vote, anyway, Ryan.
    Narr vi
    • hic

      Hic! fixed, thanks.

      _r
      Ryan Naraine
      • ;)

        good man ;)
        Narr vi
  • RE: More Firefox URI handling security hiccups

    I think they should just instal Sana Security Solutions like Safe Connect and the pattern monitoring and behaviour detection system will stop any intruders without needing a signature or a patch.
    sheart
    • Good advice, but

      I have no clue what that software is. They should just fix Firefox.
      harrisharris
  • firefox is the browser we DO NOT trust!

    firefox is the browser we DO NOT trust!
    qmlscycrajg
    • Who is "we" (nt)

      NT
      TripleII-21189418044173169409978279405827
    • Why is that?

      There are no URI handling issues running Firefox in *nix.
      JDThompson
    • Works great in Linux.

      But security is not nearly the problem in Linux that it is in Windows.
      djchandler
  • This is a problem with Windows and OS X both

    This appears to be another side effect of a general problem that both
    Apple and Microsoft have created.

    The real problem is that the OS doesn't provide a way for applications
    to publish whether they are designed for sandboxed use or not. They
    have only one set of file type bindings for local use (say by Windows
    Explorer or Finder) and for use by documents in a sandbox (that
    would be used by browsers, mail software, and so on). So applications
    have to guess at what is safe or not, *or* maintain their own list of
    safe applications.

    All browsers using the native application bindings on Windows and OS
    X have been subject to this attack in the past. And they will remain
    subject to this attack in the future. The ONLY solution is to set up
    separate lists of applications to handle documents, and for these
    applications to use the "sandboxed list". If the OS vendor doesn't
    provide a mechanism to distinguish between sandboxed and
    unsandboxed applications and APIs, then the only guaranteed method
    of preventing this class of attack is to set up a separate set of bindings
    and lobby helper application developers to register with it.
    Resuna
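The separate-bindings design Resuna describes above, sketched as an added example that is not part of the original comment or of any OS API. The `HandlerRegistry` class, the helper names and the sample URIs are hypothetical.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class HandlerRegistry:
    """Hypothetical model of two binding tables, as the comment proposes."""
    local: dict = field(default_factory=dict)      # used by the file manager
    sandboxed: dict = field(default_factory=dict)  # used by browsers, mail clients

    def register(self, scheme, helper, sandbox_safe=False):
        # Every helper gets a local binding. Only a helper whose developer
        # declares it fit for untrusted input joins the sandboxed list.
        self.local[scheme.lower()] = helper
        if sandbox_safe:
            self.sandboxed[scheme.lower()] = helper

    def resolve(self, uri, from_sandbox):
        """Return (helper, uri) for the caller's table, or None if refused."""
        scheme = urlsplit(uri).scheme.lower()
        table = self.sandboxed if from_sandbox else self.local
        helper = table.get(scheme)
        # The URI stays a single argument; it is never spliced into a
        # command string for the helper.
        return (helper, uri) if helper else None

    def exposed_if_shared(self):
        """Schemes a sandboxed caller would reach with one shared list."""
        return sorted(set(self.local) - set(self.sandboxed))


def build_demo_registry():
    # Constructed sample data: helper names are placeholders.
    reg = HandlerRegistry()
    reg.register("mailto", "mail-helper", sandbox_safe=True)
    reg.register("nntp", "legacy-news-reader")  # never opted in
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    for uri in ("mailto:user@example.test", "nntp://news.example.test/group"):
        print(uri, "->", reg.resolve(uri, from_sandbox=True))
    print("reachable only through a shared list:", reg.exposed_if_shared())
```

`exposed_if_shared()` lists the bindings a browser inherits when it reuses the native list instead of a sandboxed one.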
  • RE: More Firefox URI handling security hiccups

    Does this problem occur in the Mac OS X or Linux environments? No. Correct me if I'm wrong, but this problem occurs only in the Windows environment because this problem is in the Windows operating system, and Microsoft should fix it at that level. It is helpful that Mozilla is fixing part of the problem, but it is with Microsoft and the Windows operating system that the real problem lies, and Microsoft should fix it there.
    phatkat
  • Idiots never learn: More than one browser in an OS = trouble

    If you are using Windows, then you use IE. If you use OSX, then you use Safari. Mac OSX Used to have IE built in, but Safari is a lot better.

    The only browser that even comes close to compatibility with either of these Built-In OS Browsers happens to be Opera.

    But opera is not free. Therefore, they install Worm-infested pieces of crap like Firefox and think it will solve the massive problems of porn websites that immediately infect you.

    It is like these people who want to use Firefox, want to lay a hooker, but not pay for it. The hooker usually calls the pimp, who kicks their arse.

    The ONLY solution to the problem of abusive websites is that of strict avoidance. Anyone who tries to pawn off that responsibility to a BROWSER, be it IE, Firefoooks, Safari, well, I would not want to have business dealings with such a person, cos they themselves do not wish to safeguard their computers, they think Norton, or Mcaffeee, or Trendnet, or IE or Microsoft or FIREFOX will deal with it for them.

    When I come across a client who uses Firefox, I ask them for my money immediately, and then leave and never deal with them again. Because I am not a nursemaid to delete the porn driven viruses.

    You have a choice: You can have Porn, and Viruses, or you can have a clean system, and NO Porn.

    There is no other way.

    But more simply, Firefox does not read the code for maybe about 90% of all websites. Both Union Bank and California Coast Credit union security is not compatible with Firefox. It is compatible with IE and Safari.

    Firefox = needs to stop being developed NOW, and save everyone all this trouble, it is the crappiest browser, and sucks the same amount that Vista sucks. So as well as boycotting and deleting vista as often as you can, I delete Firefox from my clients systems, just like I delete Limewire, Kazaa, and Party Poker- And if they bitch about it, I walk away.
    XweAponX
    • I swear I'll stop...

      I'll give up supporting FireFox as soon as Safari or Internet Explorer is available for my Operating System, until then, what's my choice?
      epcraig
    • We have a Troll here.

      Have you parsed Firefox's code to find a worm? The Debian guys have - they found nothing.
      Safari is an interesting example. Did you know that its engine, Webkit, is based off KHTML and KJS? Yes, those are open source. From personal tests (I develop websites for a living), while good, those don't hold a candle to Firefox's Gecko.
      What clients are you talking about? What money? Firefox is FREE - as in speech (apart from the branding). You want to remove it? You can. You want to remove IE? You can't.
      I install Firefox on all MY clients systems - I repair machines too. They all thank me for:
      - making browsing faster,
      - making browsing NOT hang the system (IE7 still does that a lot, some problem with DOM/hasLayout inadequation bringing gdi32 down),
      - making their pages load faster.
      Now, if you start complaining that your two local, never heard of banking sites are IE only, then it's YOUR problem - my own bank (which isn't much bigger) has a website that works with Firefox - and has worked with Firefox ever since version 0.7 (when it was still Phoenix).
      Websites that don't look correct in Firefox are ALWAYS tag soup ones, using no or very old doctypes, and invalid code.
      I challenge you to find ONE (1) website that has a recent (HTML4 Strict or Frameset) doctype, uses no ActiveX and passes the W3C validator to not show up correctly in Firefox. Go on.

      Too bad, huh? Most will be using invalid tags, improperly nested, and Javascript that doesn't exist (document.all, attachEvent()...)
      Mitch 74
    • Troll Alert!

      "When I come across a client who uses Firefox, I ask them for my money
      immediately, and then leave and never deal with them again. Because I am not a
      nursemaid to delete the porn driven viruses."

      And what, pray tell, is your business that you have clients you choose not to deal
      with because they have Firefox installed? IE is not compatible with the CSS2
      supported by Opera, Firefox, and Safari. The reason that the bank websites work
      with only IE and Safari is that the web developers were duped into using IE only
      non-standard features, and then badgered into coding work-arounds for Safari.
      In my experience, excluding sites that use ActiveX, IE renders fewer sites properly
      than Firefox, as does Safari (different glitches, mostly CSS related).

      Firefox is far more stable than IE6 or IE7. It is more standards compliant. Check
      with CERT, and you'll probably find that it's also considered to be more secure by
      the professionals. Part of this may be that it doesn't natively support ActiveX,
      which is the #1 security problem, another part is that it is not as intimately
      involved in the guts of the OS.

      When I'm doing webmaster duty, I regularly run every browser I can get my hands
      on, from lynx to IE, including obsolete versions, to make sure the site renders
      reasonably (not always the same) in every client browser I can come up with. The
      only browser that I've ever had crash my system (on a regular basis) is IE. The
      only browser that ever got an infection warning from my AV software is IE. The
      only browser that ever started sending e-mail without my permission while I was
      viewing a site is IE.

      Firefox will continue development. Its security will improve. No browser that runs
      external helper apps of any sort outside of a restricted environment can be 100%
      secure. IE will also continue development, but I believe that it is a dead-end.
      Microsoft will subsume more and more of it into the UI and IE will become a thin
      layer between Windows8 (or so) and the .Net driven graphical UI library. Firefox
      will run on almost every desktop OS, IE will only be on Windows.
      Filker0_z
    • You ask your client for money then dump them?

      "When I come across a client who uses Firefox, I ask them for my money immediately, and then leave and never deal with them again."

      Shouldn't you be giving them [i]their[/i] money back? Besides, that's more billing for you, if what you are saying is true.

      I agree with the others saying troll alert. Firefox installs with Ubuntu as the primary web browser. I've not had a bit of trouble with security in Linux, but I also don't visit porn sites. Firefox may make it easier to run the exploit, but the vulnerability must actually be a Windows problem. That's the only way this makes any sense. So why should Mozilla fix it?
      djchandler
  • RE: More Firefox URI handling security hiccups

    Mozilla Firefox 2.0.0.6 Unspecified Protocol Handling Command Injection Vulnerability:
    http://www.securityfocus.com/bid/25543/
    qmlscycrajg