Mozilla fixes its end of URL protocol handling saga

Summary: Exactly a week after admitting that Firefox was just as guilty as Internet Explorer when it comes to passing dangerous data to third party applications, the open-source group shipped Firefox with workarounds and patches for two related vulnerabilities.

TOPICS: Browser

Mozilla has fixed its end of the controversial URL protocol handling vulnerability that puts Windows users at risk of PC takeover attacks.

Exactly a week after admitting that Firefox was just as guilty as Internet Explorer when it comes to passing dangerous data to third party applications, the open-source group shipped Firefox with workarounds and patches for two related vulnerabilities.

[ SEE: Mozilla caught napping on URL protocol handling flaw ]

The main fix (MFSA2007-27) corrects an issue found by former Microsoft security strategist Jesper Johansson where Mozilla did not percent-encode spaces and double-quotes in URIs handed off to external programs for handling. The danger here is that the receiving program may mistakenly interpret a single URI as multiple arguments.
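
The argument-splitting problem described above, as an added example (not code from Mozilla or the original article): a simplified model of command-line splitting shows one URI turning into several arguments, and the same URI staying a single argument once spaces and double quotes are percent-encoded. The handler template, the sample URI and the `--injected` option are constructed placeholders.

```python
# Hypothetical handler registration, modelled on the Windows convention of
# substituting the URI for %1 inside a quoted command-line template.
HANDLER_TEMPLATE = '"C:\\Program Files\\ExampleMail\\mail.exe" -url "%1"'


def split_args(cmdline):
    """Simplified model of argv splitting: whitespace separates arguments
    unless it is inside double quotes. Backslash escaping is not modelled."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch in ' \t' and not in_quotes:
            if started:
                args.append(''.join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append(''.join(cur))
    return args


def encode_for_handoff(uri):
    """Percent-encode spaces and double quotes, the two characters the fix covers."""
    return uri.replace(' ', '%20').replace('"', '%22')


def handoff(uri, encode):
    """Return the argument list the receiving program would see."""
    if encode:
        uri = encode_for_handoff(uri)
    return split_args(HANDLER_TEMPLATE.replace('%1', uri))


# Constructed sample URI; "--injected" is a placeholder, not a real option.
SAMPLE = 'mailto:user@example.com" --injected "value'

if __name__ == '__main__':
    print(handoff(SAMPLE, encode=False))  # URI closes the quote: extra arguments
    print(handoff(SAMPLE, encode=True))   # URI stays one quoted argument
```
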

In its advisory, Mozilla said the Firefox and Thunderbird releases contain fixes that prevent the original demonstrations presented by Johansson, but warned that it is still possible to launch a filetype handler based on extension rather than the registered protocol handler.

"A way to exploit a common handler with a single unexpected URI as an argument may yet be found. Since this handling is a property of the Windows Shell API this variant appears to affect other internet-enabled applications that pass these URIs to the Windows Shell," Mozilla explained.

The company is suggesting the following workaround:

By default Firefox will ask before launching external protocol handlers, and these prompts should be denied from sites that are not trustworthy, especially if the requested URL contains spaces and double-quote (") characters. An exception is made for mail-related protocols in Firefox, they do not prompt by default. If the default mail handler is Thunderbird or later there will not be a problem, but if another program or older version of Thunderbird is the default handler then mail URIs can be made to prompt as well. (Similarly, in Thunderbird browser protocols like http: and ftp: do not prompt but instead launch the default browser.) To make mail-related links prompt in Firefox before launching external programs:

    • Enter about:config in the location bar
    • Enter warn-external in the Filter: box
    • Double-click to set the mailto, news, nntp, and snews lines to true

Firefox also corrects a privilege escalation issue through a chrome-loaded about:blank window.

Microsoft's Internet Explorer can still be used as an attack vector for passing malicious data to third-party Windows apps but the software maker does not consider this a vulnerability that needs to be patched.

The patches will be delivered automatically over the next 24-48 hours via the built-in auto-update mechanism. Firefox users can manually download the update from

  • So in the end, Mozilla admits

    that the called app needs to do its own data verification or the end user must make the decision to let it run or not.

    Ummm, isn't that what MS (and every coder in the talkbacks) has said all along? Yes, I believe it is...
    • So in the end, Mozilla fixes it in 7 days...

      ... whilst Microsoft takes..... 7 weeks? 7 months? 7 years? Never?

      "the called app needs to do its own data verification"

      This is true, but obviously whole swathes of possible attacks can be eliminated through correct escaping.

      "what MS (and every coder in the talkbacks) has said all along? "

      Coders are always responsible for what they code and that includes MS. Mozilla has shown the way.
      • Reading is fundamental... There was no "fix".

        And that is why they said the user must manage it.
        • They also said...

          ... that by correctly escaping parameters, certain classes of attack could be eliminated. Are you suggesting that they shouldn't have bothered? Are you saying that they should have neglected to ensure that their application is as secure as they can manage?
          • Small hole, big hole, it's still a hole.

            But then, you knew that...
          • Same vulnerability...

            applies to IE. Microsoft doesn't think it's a bug though.
          • Because it is NOT a bug.

            Let me try one more time to explain it for you.

            Let's say you write some code. Now your code must interact with mine and in mine I am passing all sorts of parameters to my code.

            Now unless I tell you all the possible parameters I am using, how they might be combined, etc. how could you possibly know if the parameter is good or bad?

            The plain simple answer is, YOU CAN'T. Neither can Windows, IE, or FireFox, it's just that simple and it's taken this long for FireFox to come to grips with that reality. Perhaps if they had not been so intent on blaming MS for the problem they would have come to the answer sooner...
          • No_Ax you are right it's not a bug, it's a feature. <NT>

          • re: Small hole, big hole, it's still a hole.

            I see. So how is the hole doing in your head? Air head.
    • Call it a lesson learned

      That lesson being: do not count on others to fix when you can fix yourself. Myself, I have found it easier to fix things myself even if it is technically more challenging than getting someone else to fix something, because in the end it always gets done.
      Michael Kelly
      • But it is not fixed.

        There is no real "fix" because the browser has no idea of what parameters need to be passed. That is up to the app... And now even Mozilla admits it and tells people it's up to the user...
        • Do us the favour of being honest with us

          No_Ax, why not just admit that

          a) You love MS
          b) You despise Mozilla because
          1) They aren't M$
          2) They are fast to fix, MS is slow
          3) Their nimbleness shows MS for the leaden-footed elephant it is
          4) Their increasing popularity means less revenue for MS

          Let's face it, you support MS to the hilt and denigrate everything else. If anyone speaks out against MS, or even suggests that MS is dodgy, that MS does things badly or someone doesn't toe the MS line, then it's flame-fest time from No_Ax.

          Why not just get a job with MS? You'll be in paradise and surrounded by people who think MS is heaven on Earth?
          • Gee, is that your best thought out post?

            If so it is truly pathetic.

            During this entire story I have said repeatedly, it is not the browser's task (IE or FF) to try and decide if a parameter passed to another app is correct and even went so far as to demonstrate why. My guess is you missed all of that.

            All I see here is that Mozilla, for all their bluster and blaming MS, has finally admitted they were wrong and MS was right.

            Now if them admitting they were wrong in some way makes you think I am an MS fan then there really is little anyone can do for you. Perhaps if you enrolled in a logic or reasoning class it would help???
          • No - it is just a statement of how you appear to behave

            "makes you think I am an MS fan"

            Let me see - could it be your total antipathy towards any anti-microsoft point of view? Why yes!

            "Perhaps if you enrolled in a logic or reasoning class it would help???"

            You've confused me with that image you can see in the mirror - I need no lessons from you.
          • Judging from the quality (or lack of) of your posts.

            A logic course is highly recommended. Now, do you want to discuss the issues at hand or do you want to rant like a fool? Your choice...
          • Just one question

            You don't know anything more about logic other than how to spell it (unless you had help with that), so how can you call someone else's logic into question?
          • Misrepresentation is pathetic

            What actually happened:

            1. Vulnerability is pointed out - it is shown to happen through IE aimed at FF.
            2. Mozilla acknowledges that they need to fix their end, and suggests that MS could do better, and follow the protocols for escaping parameters.
            3. Mozilla fixes FF's end of the chain
            4. Egg on Mozilla's face, they pass parameters poorly too.
            5. Mozilla fixes that too.
            6. In all this time, MS merely says "We can't do anything" - clearly untrue as Mozilla has done something in 7 days
            7. As EVERYONE competent knew all along, a perfect fix for the 'pass-through' end is not possible - and NO-ONE suggested that it was - just that an effort should be made to make it tougher to exploit.

            A little clearer now? Try to stick to what happened when trying to make a point...
    • You almost have it

      Yes, that's what many people, myself included, said when this first hit the news. Any app that blindly trusts input from the user (user being a person or another app) is badly written. Well duh. Programming 101. As for the user deciding at run time, well, how do you think so many viruses make their way into people's systems already? Joe Sixpack is going to say "sure go right ahead, screw up my system, I'm too busy picking my nose to care".

      The fix needs to come from Microsoft, as the problem is "this handling is a property of the Windows Shell API". Can they fix it? Who knows. Will they attempt to fix it? I think we already have the answer to that.

      So, yes, you almost have it.
      • More to it.

        Ok, so let's say you build an app that requires many parameters to be passed. How would the OS or even IE know what is correct and what isn't?

        Point being, that unless everyone wants to submit their code (define all possible parameters) to MS so they can "approve" it in the OS, there is no possible way the OS can determine good/bad parameters.
        • Re: How would the OS or even IE know what is correct and what isn't?

          Well if there were standards set into place there wouldn't be an issue. Apparently there needs to be some set standards put into place or it ends up being the consumer who gets royally dumped on.
          Kid Icarus-21097050858087920245213802267493