Protocol abuse adds to Firefox, Windows security woes

Summary: Security researchers have discovered a new set of protocol abuse problems with Mozilla Firefox, warning that the popular open-source browser is a sitting duck for code execution exploits.


Billy (BK) Rios and Nate McFeters, two hackers who have repeatedly warned about risky and unnecessary URIs registered on Windows, have released proof-of-concept exploits that show how a fully patched version of Firefox (2.0.0.5) can be exploited when a user simply clicks on a booby-trapped link.

Adding to the back-and-forth blame game over which vendor owns the problem, Secunia rates this a "highly critical" flaw and attributes it to Microsoft Windows:

The vulnerability is caused due to an input validation error within the handling of system default URIs with registered URI handlers (e.g. "mailto", "news", "nntp", "snews", "telnet"). This can be exploited to execute arbitrary commands when a user e.g. using Firefox visits a malicious website with a specially crafted "mailto" URI containing a "%" character and ends in a certain extension (e.g. ".bat", ".cmd").

Successful exploitation requires that Internet Explorer 7 is installed on the system. Secunia has confirmed the vulnerability on a fully patched Windows XP SP2 and Windows Server 2003 SP2 system using Firefox version 2.0.0.5 and Netscape Navigator version 9.0b2. Other versions and browsers may also be affected.

[ SEE: Mozilla caught napping on URL protocol handling flaw ]

Mozilla security chief Window Snyder has posted a confirmation of the latest issue:

We are currently investigating an issue on Windows XP, where some URLs for “web” protocols that contain %00 launch the wrong handler and appear to be able to launch local programs, with limited argument passing. The impact to users is unknown at this point in time. We are working to verify this and in the meantime, advise users to be cautious when browsing unknown sites.

Mozilla has already created a fix that will be rolled out in the next version of Firefox.

TEMPORARY WORKAROUNDS:

A vulnerability note from US-CERT includes the following mitigation guidance:

  • Using the about:config interface, set the following preferences to true; Firefox will then display a prompt before sending a URI to an external handler:
    network.protocol-handler.warn-external-default
    network.protocol-handler.warn-external.mailto
    network.protocol-handler.warn-external.news
    network.protocol-handler.warn-external.nntp
    network.protocol-handler.warn-external.snews
  • Do not click on or follow untrusted links, or links that contain %00 immediately following the protocol name.

For administrators:

Blocking mailto: %00, nntp: %00, news: %00, snews: %00, telnet: %00 strings inside of HTML pages or other network streams using an application layer firewall or IPS may mitigate this vulnerability. See the xs-sniper blog for more information about known vulnerable URIs. Note that an attacker may obfuscate URIs in a way that blacklisting techniques may only stop a small percentage of attacks.

I pinged Billy (BK) Rios for some practical advice for non-technical end users. He is adamant that users should unregister all unnecessary URIs immediately. Unfortunately, it's a little difficult for mom and pop users to unregister URIs, so the standing recommendation is for Firefox users to install and use the free NoScript extension to get protection.

[ SEE: Ten free security tools you should already be using ]

Rios also urges CSOs to be proactive against URI handling vulnerabilities by using the free Dump URL Handlers (DUH.vbs) tool written by Erik Cabetas, which was attached at the bottom of the original post.

Once all the registered URI handlers have been identified, you can either remove them completely or audit them.

URI handlers can be removed by deleting the handler's registry key: HKCR\<Name of URI HANDLER> (for example, HKCR\snews).

Bear in mind that some URI handlers are tied to functionality provided by other programs. That makes them more dangerous, but removing them may also break the applications that rely on the handler, so audit before you delete.
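As an added example (my own script, not the DUH.vbs tool the article refers to and not code from Mozilla or Microsoft), the following PowerShell walks the same registry location the article names, HKEY_CLASSES_ROOT, and reports every registered URI scheme together with the command Windows would launch for it. A scheme is registered by a key that carries an empty "URL Protocol" value, with the handler in <scheme>\shell\open\command. The two flags the script raises (no command, unquoted %1) are heuristics I have assumed are useful for triage; they are not criteria from the page, and a clean-looking command does not mean the handler is safe against the dispatch problem described above. The removal helper deletes the same HKCR\<scheme> key the article points at after exporting a backup.

```powershell
# Added example: audit and remove Windows URI protocol handlers.
# Run in an elevated PowerShell session; Remove-UriHandler writes to HKCR.

function Get-UriHandler {
    $root = 'Registry::HKEY_CLASSES_ROOT'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        # The "URL Protocol" value is usually an empty string, so test for the
        # property's presence rather than its (falsy) value.
        if (-not ($props.PSObject.Properties.Name -contains 'URL Protocol')) { continue }

        $cmdPath = "$($key.PSPath)\shell\open\command"
        $command = $null
        if (Test-Path -Path $cmdPath) {
            $command = (Get-ItemProperty -Path $cmdPath -ErrorAction SilentlyContinue).'(default)'
        }

        # Heuristic flags (my assumptions, not from the article):
        #   no-command  : scheme is registered but nothing handles it; dead weight.
        #   unquoted-%1 : the URI is substituted without quotes, so a crafted URI
        #                 can be split into extra arguments for the handler.
        $flags = @()
        if (-not $command) {
            $flags += 'no-command'
        } elseif ($command -match '%1' -and $command -notmatch '"%1"') {
            $flags += 'unquoted-%1'
        }

        [PSCustomObject]@{
            Scheme  = $key.PSChildName
            Command = $command
            Flags   = ($flags -join ',')
        }
    }
}

function Remove-UriHandler {
    param([Parameter(Mandatory=$true)][string]$Scheme)
    $path = "Registry::HKEY_CLASSES_ROOT\$Scheme"
    if (-not (Test-Path -Path $path)) { throw "No handler registered for scheme '$Scheme'" }
    # Export first so the handler can be restored with: reg.exe import <file>
    $backup = Join-Path $env:TEMP "$Scheme-handler-backup.reg"
    reg.exe export "HKCR\$Scheme" $backup /y | Out-Null
    Remove-Item -Path $path -Recurse
    Write-Host "Removed HKCR\$Scheme (backup: $backup)"
}

# Usage: list everything, sorted, and look hardest at rows that carry a flag.
Get-UriHandler | Sort-Object Scheme | Format-Table -AutoSize

# Then remove a scheme you have decided nothing on the machine needs, e.g.:
#   Remove-UriHandler -Scheme 'snews'
```

Treat the report as the starting point for the audit the article recommends: every scheme listed is reachable from a link in the browser, and the goal is to shrink that list to the handlers you actually use. Keep the exported .reg file until you have confirmed that nothing broke.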

Topics: Security, Browser, Windows


Talkback

38 comments
  • Done, half of it anyway...

    All my FF settings were False except for one, so thanks on that one.

    IRT "URI handlers can be removed by deleting the following registry keys: HKCR\<Name of URI HANDLER>", uh, I have way too many of those to go down that list (and imagine everyone else does too), but at least I can't say I haven't been warned.
    BillyG_n_SC
  • Does this exploit affect Opera?

    If not, wouldn't that be considered a "workaround"?

    http://www.opera.com
    Scrat
    • You *do* like stirring them up!

      [i]"If not, wouldn't [Opera] be considered a 'workaround'?"[/i]

      Not from Mozilla's point of view! Still, look at the bright side. I doubt Mozilla will spend 3 or 4 years pretending that this is not a problem, unlike another well known browser maker.
      bportlock
  • Where's the FF fans?

    Where's our new blog spammer, Giorgio Maone?

    I'd expect him to be all over this since the NoScript version seems to be the only way to fix FF these days.
    BFD
    • Here's one!

      I use FF exclusively. Of course, we're not on Windows here.....

      ;-)
      bportlock
    • I'm an exclusive FF user , but wait , this doesn't affect Macs or Linux .

      Why is that ? This only affects Windows , hmmm . Why is that ?
      Intellihence
      • Easy.

        Nobody uses FF on Macs, and Mozilla coders, along with the Google coders that help them build FF, aren't good enough to write solid code for Windows, the system that everyone in the real world uses....well, most everyone that is.
        I wonder why that is? Can't be monopoly power, they were fairly convicted, right? You can't say the conviction was fair and the sentence was not w/o throwing the entire process into doubt, including the findings and application of new law made up on the fly.

        So, Microsoft, with its restrictions, has made the playing field level. How many years have gone by since then? How much has the marketshare changed? Not a lot. People LOVE Windows. Go figure. Envy and jealousy will get you nothing.
        xuniL_z
  • Whew!

    Dodged another one by NOT using Windows! ]:)
    Linux User 147560
    • Yup

      So did the people with clay tablets and sticks. Never mind you don't really need any apps.
      tonymcs@...
      • Just because you can't figure out how to

        use Linux doesn't mean everyone else is incapable. Speaks volumes about your abilities on a computer. ]:)
        Linux User 147560
        • Well.

          Your Windows counterparts are savvy enough to make Windows bulletproof as well, but what about the general population?
          Vista is a huge step toward mitigating or removing the effects of web based malware.
          What's your point?
          xuniL_z
          • Yes that's why we are seeing

            people not move to Vista in droves and those that do, generally leave and either go back to XP, move to Mac or take the Linux plunge.

            Any twit with enough duct tape and band-aids can make Windows moderately secure on the internet. But you shouldn't have to, the system should already come that way. ]:)
            Linux User 147560
          • You are telling me that of the 60 million and climbing fast

            using Vista, and the majority are turning back?
            You either have a clear bias or a large screw loose somewhere.

            I do like your wording for Linux though, as it is like a plunge. You'll be all wet! ]:)

            By the way, I hear Dapper wasn't so, well, dapper.
            Here is some light reading for you:

            http://www.wildgardenseed.com/Taj/blog/2007/04/15/will-linux-ever-make-it-to-the-desktop/
            xuniL_z
          • yes because

            The "internets" stays the same, it doesn't change and people don't learn new ways around old problems. We don't need patches, the OS, should be rock solid and never need to be touched until the day you upgrade to the new version. pfftt
            Khyron
          • Point taken

            xuniL_z wrote:

            [i]Vista is a huge step toward mitigating or removing the effects of web based malware. [/i]

            So, I can either spend several hundred dollars buying a computer that can run Vista, and goodness knows how much more for software to do what I currently need to do on my old hardware, or I can get equivalent (if not better) security for free by using Linux.

            I know what my choice is... :-)
            JDThompson
          • Point taken

            So save your money. I'm talking about people that want to use Windows. I'm not sure why every Linux user feels they have to pop in with the "I have a fix for Vista, it's called Linux har har"
            That was not aimed at you, you did no such thing, but you still made it seem like everyone should run Linux. There are many reasons many people do not want to run Linux. And I'd like to see some data supporting the fact that Linux w/ any programs running on it such as OO.org, FF, Apache, MySQL etc is any more secure than Windows.
            You can't go by exploits, obviously, with 2% of marketshare on the desktop. What counts are exploitable bugs. I don't see where any Linux...let's say Ubuntu or any of the open source programs most often used with it have proved to have less exploitable code. Can you show me where these statistics are that show this?
            The other side of the coin is usability. Microsoft has tried to balance security and usability. You can't have a system that will meet your needs in a flexible way if it's tied down too tight.
            xuniL_z
      • RE: Yup

        ...So did the people with clay tablets and sticks. Never mind you don't really need any apps...

        Got all the apps I need, as do most Linux/Mac/BSD/Solaris users, plus a ton of tools not available in Microsoft.
        joe6pack_z
    • If you mean you dodged...

      not having the built-in usability of a Windows machine, then yeah. You can't hire guards for your home 24/7/365, can you? Freedom is something you have to fight for....these are criminals out there, it's not something that Microsoft backed and created, hackers, is it? It's a law enforcement issue and here Microsoft has to go after and shut down huge piracy outfits on its own. Too bad they take so much heat for having a platform that is so powerful in its built-in functionality. All of the dev friendly components and technology that let you get mega work done also need to be protected from criminals properly.

      That's life dude. I guess you could make fun of the twin towers for not having better security, eh? But I guess like bashing Windows everyday, that would be really ignorant.
      From your other posts you make it known you don't know that much about Windows. Too bad, you'd see it from a totally different light if you knew what it CAN do.
      xuniL_z
  • Computer Problems start with Windows

    I have been telling people that are having computer problems: it's not your hardware, it's your software (operating system). Just use Linux and be safe.
    WebFly64
    • Is that so. Well then you'd probably be happy

      to post links to show the metrics on this one. I'd like to see how Linux security stacks up in the real world against XP SP2 and/or Vista. Go for it. Remember to include all exploitable vulnerabilities, exploited or not. Security through obscurity is only a temporary fix, unless you figure Linux will never have more than 2% of the market. If so, you are kidding yourself and everyone you talk to. Temporary fix to a much larger problem that affects Linux as much or more than current versions of Microsoft products. Get real dude.
      xuniL_z