UPDATED: Command injection flaw found in IE: Or is it Firefox?

Summary: Experts agree that Windows machines with both Internet Explorer and Firefox installed are exposed to a serious security vulnerability, but there is all kinds of confusion over which browser is hosting it.


[ NOTE: See update below on confusion over whether this is an IE or a Firefox vulnerability ]

Microsoft's Internet Explorer browser is vulnerable to a protocol handler command-injection vulnerability that could allow malicious code attacks with limited user action.

According to a warning issued by hacker Thor Larholm, the issue is an input validation flaw similar to the one he discovered in Apple's Safari for Windows browser.

[It] allows you to specify arbitrary arguments to the process responsible for handling URL protocols.

The bug could effectively allow remote attackers to pass and execute arbitrary commands and arguments through the 'firefox.exe' process.

A successful attack requires that the user is tricked into clicking on a link on a rigged Web site or in an HTML e-mail.

Researchers at Symantec have detailed the following attack scenarios:

  1. An attacker constructs malicious HTML to influence command-line parameters for the external application that will run when a URI is loaded.
  2. The attacker embeds the malicious HTML code in a webpage or sends it through HTML email.

The malicious code may be loaded automatically when the page or HTML email is rendered. User interaction is still required: the victim must follow a link to a malicious site or open a malicious email.

Larholm has published a proof-of-concept that demonstrates the vulnerability.

[ UPDATE: July 10, 2007 @ 12:19 PM ] Security researchers are in disagreement over whether this is a vulnerability in IE or Firefox. Larholm and Symantec's DeepSight researchers insist it's a bug in the way IE validates certain inputs but Secunia's research team claims this is a Firefox issue.

Secunia CTO Thomas Kristensen sent me the following via e-mail:

To avoid any possible confusion, I just wanted to let you know that Secunia - as always - have tested and analysed the alleged zero-day in IE that was reported earlier today.

This is in fact NOT an IE issue - it is a Firefox issue.

Since Firefox, a new URI handler was registered on Windows systems to allow websites to force launching Firefox if the "firefoxurl://" URI was called (like ftp://, http://, or similar would call other applications).

However, the way in which the URI handler was registered by Firefox causes any parameter to be passed from IE (or another application) to Firefox when firefoxurl:// is activated. Due to the implementation of the "-chrome" parameter, it became possible to inject code that would be executed within Firefox.

Running JavaScript in "chrome" context within Firefox is essentially the same as executing arbitrary code and allows an attacker to take any actions on the local system with the same privileges as the active user.

Registering a URI handler must be done with care, since Windows does not have any proper way of knowing what kind of input potentially could be dangerous for an application (i.e. how should Windows know that the string "-chrome" could be dangerous for Firefox?).

Windows will only filter certain non-application specific meta characters; anything that is specific for the application called by the URI handler must be handled by the application itself.

Improper usage of URI handlers and parameters supplied via URIs has historically caused problems for many vendors including Microsoft, Apple, Mozilla, certain Linux projects, Opera, and others.

I've pinged Microsoft, Larholm and the folks at Mozilla to try to get to the bottom of this. Will update this post as necessary.

[ UPDATE: July 10, 2007 @ 2:08 PM ] Mozilla security chief Window Snyder comments:

"We are aware of this issue and we are developing a fix. Mozilla is committed to delivering the safest online experience for its users."

This from the Microsoft Security Response Center:

Microsoft has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product.

Still waiting for word from Larholm...

Larholm's response, sent to me via e-mail:

Internet Explorer and Firefox are both to blame. Firefox could have registered their URL protocol handler differently, for example with pure DDE, but IE is still to blame for not escaping " (quote) characters.

The latter can be evidenced by the fact that you can inject arbitrary arguments to a wide range of other URL protocol handler applications, such as irc:// (mIRC), aim:// (AOL Instant Messenger), hcp:// (Windows HelpCenter) and mms:// (Windows Media Player) to name just a few.

This is a generic flaw in Internet Explorer that has been left unpatched since at least 2004.
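The argument-splitting problem that Kristensen and Larholm describe above (Windows filters only generic metacharacters, the calling application does not escape quote characters, and the handler application must validate its own input), as an added Python illustration that is not code from the article, Mozilla or Microsoft. The handler template, the `example:` scheme and the URLs are constructed, and the splitter is a simplified approximation of the CommandLineToArgvW rules.

```python
"""Added illustration (not code from the article, Mozilla or Microsoft).

Why a URI-handler command template breaks when the caller substitutes the URL
into "%1" without escaping quotes, and the two mitigations the article names:
the caller escaping quotes and the handler validating what it receives.
Template and URLs are constructed; splitting approximates CommandLineToArgvW
(quotes group words, backslash-quote is a literal quote, other rules omitted).
"""

HANDLER_TEMPLATE = '"C:\\Example\\handler.exe" -url "%1"'  # constructed shape
EXPECTED_ARGC = 3  # exe path, -url, exactly one URL argument


def split_windows_cmdline(cmdline: str) -> list[str]:
    args, cur, in_quotes, pending, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and cmdline[i + 1:i + 2] == '"':
            cur.append('"')  # escaped quote is literal, does not toggle
            pending, i = True, i + 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
            pending = True
        elif ch in " \t" and not in_quotes:
            if pending:
                args.append("".join(cur))
                cur, pending = [], False
        else:
            cur.append(ch)
            pending = True
        i += 1
    if pending:
        args.append("".join(cur))
    return args


def expand_naive(url: str) -> list[str]:
    """Caller drops the raw URL into the template (what the article says IE does)."""
    return split_windows_cmdline(HANDLER_TEMPLATE.replace("%1", url))


def expand_escaped(url: str) -> list[str]:
    """Caller escapes quotes first, so %1 always stays a single argument."""
    return split_windows_cmdline(HANDLER_TEMPLATE.replace("%1", url.replace('"', '\\"')))


def handler_accepts(argv: list[str]) -> bool:
    """Handler-side check: one -url argument, and it looks like a plain URL."""
    if len(argv) != EXPECTED_ARGC or argv[1] != "-url":
        return False
    return argv[2].startswith("example:") and not any(c in argv[2] for c in ' "')
```

With a URL containing a quote, the naive expansion yields five arguments instead of three, the escaped expansion keeps it as one argument, and the handler-side check rejects the malformed URL in both cases, which is the layered defence the two quoted researchers each argue for.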

  • Am I missing something here?

    "The bug could effectively allow remote attackers to pass and execute arbitrary commands and arguments through the 'firefox.exe' process."

    "firefox.exe" when discussing an IE vulnerability? Is this accurate?
    • It is

      Remote attackers may influence command-line parameters for the 'firefox.exe' process that is callable with Internet Explorer's 'FirefoxURL' URI protocol handler.

      The victim would have to have Firefox installed but the actual flaw/bug is in Internet Explorer.

      Ryan Naraine
      • I'm confused

        >>Kristensen said the security flaw actually rests with Firefox's URI handler

        • Me too

          I've pinged all concerned to attempt to figure out who's right/wrong. Will update as necessary later today.

          Ryan Naraine
        • Official responses from MS and Mozilla

          Blog entry update to add official responses from Microsoft and Mozilla.

          Ryan Naraine
      • So why is Mozilla fixing the bug and not MS?

        "The victim would have to have Firefox installed but the actual flaw/bug is in Internet Explorer."

        If this is an IE bug as you claim, why is Mozilla fixing the bug and not MS?
        • It's both

          It's a bug in both parties.

          Lemme explain this in a hopefully easier to understand way:

          -IE opens Firefox and sends it a message.

          --IE is sending an improperly formatted message that a hacker can take advantage of.

          --Firefox is accepting the improperly formatted message, and not checking it at all.

          It's both browsers.

          Now, Firefox can fix it on their end by checking its incoming messages, BUT IE can still send invalid messages to other software.
        • Because MS is slow to patch holes

          Mozilla always tries to patch any security vulnerability affecting Firefox quickly. It doesn't matter whether it's totally their fault or not, they don't want their users exposed to exploits.
  • Um..

    Internet Explorer is insecure??? WOW! When did this happen??? ;)
    • Users are clueless?

      Wow! When did THAT happen? Jeez...
      Confused by religion
    • If you had waited till the story .....

      ... was updated you wouldn't have made such a fool of yourself. Firefox is insecure. When did that happen?
      • Yikes!!!

        How terribly embarrassing. I even prefer Firefox and use it instead of IE whenever possible but I feel no need to be irrational about what it can or can't do, nor how secure it is, nor do I have any desire to slam Opera just because it is a browser I don't use. I just don't understand how zealots can be SO passionate about A COMPUTER PROGRAM that they feel the need to defend it so vigorously by attacking other COMPUTER PROGRAMS. Defend your family in that way, sure, but A COMPUTER PROGRAM???
        • Nice Statement, NonZealot

          In this world there exists truth and logic. However, I think your post is logically truthful! You hit the nail right on the head by implying (I hope I am not oversimplifying your sentiment) that NO COMPUTER PROGRAM is worth defending to the death.

          I say live and let PROGRAM"S" live; choose what floats your boat. Most people agree that change is inevitable so the program we idolize today will be gone, in some cases, tomorrow. So don't sell your soul over anything. Remember when everyone on the "Internet" used to have to use UNIX. Now, can anyone but the scholars make it work AND do they want to still use it? with all the OS's out there in cyberspace from which to choose. To each his own.

          • I agree too

            The reason I don't like GNU-Linux/OSS/Firefox is because they are overvalued (did I say it right? My English sucks) by their own users. People taking the programs they use as a religion have something in their heads that is not working well.
  • Yes, this is an IE vulnerability...

    even if it is inherited from Firefox. If my code calls a third party library or application and that library or application has a security vulnerability I haven't ensured can't be exploited, my code has a vulnerability. That doesn't absolve Mozilla in the slightest, but lets not ignore the facts here...IE allows this to happen.
    • No, quite incorrect

      IE only 'allows it to happen' because the FireFox team inserted a flaw into the system

      >> "A new URI handler was registered on Windows systems to allow.."

      FireFox screwed up the URI handler. Nothing the IE team could do about that. If your code inserts a flaw into the system, it's YOUR fault, and attempting to blame others is quite lame.
      • You don't get it, do you?

        Since IE's involved, it MUST be MS' fault. That is the sloppy thinking that has pervaded this site for well over a decade now, which keeps holding the OSS wave back due to the sloppy thinking and appearance of stupidity.

        They've been here since the mid-90s amusing us with this drivel, they'll be here in 2017 talking about how "OSS is just getting ready to take MS down!"

        It will be just as funny then.
      • What company...

        decided to allow the ability to register new URI handlers? The problem as I see it is that there are generally two groups of thought...one completely absolves Microsoft from any responsibility for security holes in their OS, the other blames only Microsoft for every single security hole that exists on any Windows system. The reality is that there's such a thing in this world as shared responsibility. Microsoft has created an inherently insecure operating system in trying to provide flexibility from a development standpoint. As I said in my original post, pointing out that IE has a vulnerability inherited from FireFox does not absolve Mozilla in any way from their share of responsibility for this problem. I merely pointed out that the vulnerability does exist in IE and that Microsoft bears some responsibility for that because their operating system allowed it to happen.
  • Not an IE bug, but a bug in ShellExecute

    It sounds to me like this is a bug in ShellExecute, which is part of the Windows Shell (shell32.dll) -- which isn't part of IE itself.

    Unless for some reason IE is groveling into the registry and parsing the handler's registration itself, which it shouldn't be doing...

    At least on Vista, Protected Mode warns you before launching Firefox (as it does with any external EXE).
    • You hit the nail on the head

      I believe that you hit the nail on the head by identifying ShellExecute as the culprit for this all. As a matter of fact, about 99% of all "IE" problems are related to ShellExecute and how it handles both commands and files.