Network News

X My Profile
View More Activity

New Threat Pits Internet Explorer Against Firefox

Blueprints have been posted online detailing a cross-browser security threat that uses Microsoft's Internet Explorer Web browser to force Mozilla's Firefox browser to provide inroads for virus writers. While fans of both software makers are pointing the finger of blame at one another, one thing seems virtually certain: It may only be a matter of time before criminals begin exploiting the confusion to compromise home and business computers running the Windows operating system.

Software vulnerability research firm Secunia's advisory states that the problem stems from a flaw in Firefox that allows IE to forcibly launch Firefox and carry out instructions, such as downloading software or altering critical Windows system settings. Meanwhile, security researcher Thor Larholm, who discovered a similar bug in Apple's beta version of its Safari browser for Windows, said the problem is that IE doesn't properly filter out such requests when a user clicks on a specially crafted link.

Oliver Friedrichs, director of emerging technologies for Symantec Security Response, believes both software vendors are to blame for the current situation.

"Here we have a case of two very complex applications that simply don't play nice together, and when you put them both on the same machine it becomes a security problem that nobody foresaw," Friedrichs said. "This goes to the heart of how complex it is to build secure software that works well together."

According to ZDNet's Ryan Narine, Microsoft said it "has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product."

Meanwhile, Mozilla appears to be readying an update that should fix the problem from their end. Window Snyder, Mozilla's head of security strategy, said the company is working on an update to address the problem, but that there was no ETA on when that fix might be available.

One important point: If a Web site exploiting this dynamic appears in the wild, it should only be a threat to people who use IE to cruise the 'Net, and should not be a problem for people who browse exclusively with Firefox.

With any luck, Mozilla will push out an update quickly. Friedrichs isn't alone in warning that this shared vulnerability may soon be folded into existing automated attack tools that bad guys use to seed malicious (and even compromised legitimate Web sites) with instructions that seek to exploit known browser flaws.

"I think this is a pretty serious problem that can have widespread implications now that a proof-of-concept exploit is freely available," Friedrichs said. "It's really a matter of days before see these exploits are incorporated into those toolkits. After all, this isn't a terribly difficult vulnerability to exploit."

By Brian Krebs  |  July 11, 2007; 9:01 AM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Microsoft Plugs 11 Software Holes
Next: New QuickTime Version Mends Eight Flaws

Comments

Brian, this vulnerability is a threat also "for people who browse exclusively with Firefox", because it may be exploited through a link opened from any Windows application supporting hyperlinking, e.g. your favourite email or IM clients.

It may be also worth noticing that NoScript users have been already protected both from MacManus/Larholm remote code execution and from Rios "Universal XSS" exploit since June, the 22th, see http://noscript.net/changelog#1.1.4.9.070622

More in general, they're protected from chrome privilege escalation gained by opening non-chrome URLs in top-level chrome windows (Larholm's PoC) and from javascript: URLs being loaded in externally opened browser shells (Rios' "Universal XSS" PoC), no matter if attempted through the "firefoxurl:" handler (like in this specific case) or by other means we don't know yet (if any exists).
Hence, these protective features are here to stay, since the upcoming Firefox 2.0.0.5 just fixes the "firefoxurl:"/command line case.

Posted by: Giorgio Maone | July 11, 2007 10:30 AM | Report abuse

Opera!

Posted by: Bartolo | July 11, 2007 1:19 PM | Report abuse

Please tell me that the head of security for Mozilla, Window Snyder, is just a nickname. Maybe someday Gwyneth Paltrow's daughter, Apple, will be the head of security for Microsoft.

Posted by: daviddc | July 11, 2007 5:22 PM | Report abuse

"One important point: If a Web site exploiting this dynamic appears in the wild, it should only be a threat to people who use IE to cruise the 'Net, and should not be a problem for people who browse exclusively with Firefox"

One other important point, it is not a problem for people who browse exclusively with IE.

Posted by: D | July 11, 2007 5:55 PM | Report abuse

"...Mozilla's head of security strategy, said the company is working on an update..."
All MS -ever- says is: "We're looking into it...", not "the company is working on an update...".

For those who don't already know - time them. Then compare it to MS. Put your comparisons here in the comments. We'll see, won't we?

.

Posted by: J. Warren | July 11, 2007 6:25 PM | Report abuse

Anyone comfortable editing the Windows registry can protect themselves fairly simply:

Search for a key with the name "firefoxurl". It will have a value named "URL Protocol"; delete "URL Protocol". Windows will no longer load firefoxurl: urls.

Posted by: Dan Veditz | July 11, 2007 7:28 PM | Report abuse

This goes to show that even unused but installed software applications might be a threat on a system. Thus, you need to be vigilent in patching ALL installed software, even that which you no longer use. Better yet, uninstall it. Keep the system's attack surface small. A good way to avoid these kinds of issues is to install ONLY needed software to begin with. Makes for less patching too.

A well-managed system is a secure and reliable one.

Posted by: TJ | July 11, 2007 9:23 PM | Report abuse

I was wondering if not having IE7 installed makes a difference? I couldn't get IE7 to install properly and since I use FF, rolled back to IE6.
Keep a clean machine no probs to date.

Posted by: Valerie | July 11, 2007 11:58 PM | Report abuse

as commented by Warren if i delete the value name URLProtocol than does that mean firefox address wont work??

or how does this change solve this problem...??

Posted by: Salman Siddiqui | July 12, 2007 7:25 AM | Report abuse

I uninstalled IE. I installed Firefox. I am now plagued with pornographic pop ups from IE, which I simply cannot remove. To whom do I report what is obviously a serious threat to both my computer and my sanity? This is worse than any spam. Someone please give me the name of a federal authority which can shut IE down completely.

Posted by: Patricia R. Moynihan | July 12, 2007 3:12 PM | Report abuse

The title of this article needs an extension. It should read "New Threat Pits Internet Explorer Against Firefox on Windows".

I have had a copy of Ubuntu (acquired at no charge) running on my home computer (800 MHz P3, acquired at no charge) for a couple of years now. Since it does not have Internet Explorer, I really don't have to worry about such vulnerabilities.

Most vulnerabilities have a single common denominator - Microsoft Windows. Get rid of it and most of your computer vulnerability problems will die a quick death.

Posted by: Sameer Verma | July 12, 2007 5:09 PM | Report abuse

for the post that said "time them"..? Ummm, Microsoft is worth gazillions, and mozilla is beggin for cash. I smell a shareholder in the posts..

Posted by: seattlejim | July 16, 2007 10:57 PM | Report abuse

This morning, Mozilla released Firefox 2.0.0.5, which has a fix for this vulnerability. The Release Notes are here:
http://www.mozilla.com/en-US/firefox/2.0.0.5/releasenotes/

The list of fixed security issues is here:

http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.5

The update will be available through the automatic update mechanism, or the new releases for Linux, Windows, and Mac OS X can be downloaded here:

http://www.mozilla.com/en-US/firefox/all.html

Posted by: Rich Gibbs | July 18, 2007 7:58 AM | Report abuse

With the release of Firefox 2.0.0.5 today (2007-07-18), it appears that Mozilla has resolved this bug, along with several others (http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.5) :

MFSA 2007-25 XPCNativeWrapper pollution
MFSA 2007-24 Unauthorized access to wyciwyg:// documents
MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer
MFSA 2007-22 File type confusion due to %00 in name
MFSA 2007-21 Privilege escallation using an event handler attached to an element not in the document
MFSA 2007-20 Frame spoofing while window is loading
MFSA 2007-19 XSS using addEventListener and setTimeout
MFSA 2007-18 Crashes with evidence of memory corruption

Good for you, Mozilla ; that's what I call narrowing the patch deployment window ! One could only wish that all firms in the software branch might exhibit a similar degree of concern for the users of their products, when bugs are discovered. No wonder the market share of the Firefox browser is now approaching 30 % here in Europe, while IE's has dropped to less than 70 % (http://www.xitimonitor.com/fr-FR/index-1-1-3-102.html?xtor=AL-16)....

Henri

Posted by: M Henri Day | July 18, 2007 9:11 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company