Mozilla/Firefox Bug Allows Arbitrary Program Execution 940
treefort writes "An article at eWeek has the lowdown. The article also has a link to the bug report which addressed this issue some time ago. Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilites. Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000." New releases are already available on mozilla.org that fix this. Update: 07/09 00:41 GMT by CN : I removed the bum link to Bugzilla, since I guess they don't like us. Also I discovered that OSDN's own NewsForge has more on the situation.
A clear advantage (Score:5, Informative)
FYI, in case you didn't read the article, you can download the fix here [mozilla.org].
And now for some helpful links: (Score:4, Informative)
Note: If you click on download links for firefox on the main page of mozilla.org [mozilla.org], you get 0.9.2 [mozilla.org]. The link on the firefox page @ http://www.mozilla.org/products/firefox/ [mozilla.org] still gets you 0.9.1 [mozilla.org]. The link on the main page for the Linux version of Firefox still points to version 0.9.1. It seems that if you want 0.9.2 for Linux you'll have to compile it yourself [mozilla.org].
0.8 [mozilla.org]
0.9rc [mozilla.org]
0.9 [mozilla.org]
0.9.1 [mozilla.org]
0.9.2 [mozilla.org]
And a direct link to the newest release for the really lazy:
Windows 0.9.2 [mozilla.org]
The question is, what is the shellblock.xpi [newaol.com] for?
Does Bugzilla know? Sorry, links to Bugzilla from Slashdot are disabled. Ook!
Re:A clear advantage (Score:2, Informative)
Amazing what the mozilla group is doing.
G
Re:And now for some helpful links: (Score:4, Informative)
Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000
Re:A clear advantage (Score:5, Informative)
Yeah, it was years before it was addressed. If you read the Bugzilla report, it was first opened in 2002. This is not a good example of "open software fixes things faster".
No. (Score:1, Informative)
That's the opposite of hypocrisy. That's leading by example.
Re:Yes, but releases are available already (Score:2, Informative)
Microsoft bug which affects Firefox (Score:5, Informative)
Re:A clear advantage (Score:5, Informative)
The difference in large part in my opinon boils down to:
#1 WHO finds the bug. Is it the developers and community that discovers it in good faith, or is it a hacker and the rest of us find out after a billion dollars has been lost worldwide to the latest worm, virus, etc.
#2 As you said, how quickly is the problem fixed. Certainly, private companies aren't necessarily horrible at doing this, to spite what people say. I work for a small software company and assure you that any security issues with our product would be corrected promptly. By the same token, some open source projects w/o a steady lead or direction could have exploits that go unfixed for some time.
However, based on my observations and considering those two points, I'd say I certainly feel better using Firefox than IE.
Re:A clear advantage (Score:5, Informative)
It's not "in" the browser (Score:5, Informative)
Re:A clear advantage (Score:2, Informative)
The vulnerability [slashdot.org] was first reported in September of 2002.
Sorry. RTFA and all that.
Re:A clear advantage (Score:5, Informative)
Re:And now for some helpful links: (Score:5, Informative)
Re:A clear advantage (Score:5, Informative)
http://bugzilla.mozilla.org/show_bug.cgi?id=167
Forgive me. I'm an idiot when I'm flamebait.
No, it doesn't. (Score:3, Informative)
Also note that this is a problem with Windows URI Handler rather than Mozilla. Mozilla passes any protocol it doesn't understand to Windows, and Windows uses it to execute a local file. That's why this problem doesn't exist in anything but Windows.
This just goes to show that Microsoft makes insecure software, and that insecurity often bleeds into otherwise trustworthy programs.
Re:Two beefs... (Score:4, Informative)
I don't like that either. Nor the mozilla devs. So they posted a patch via an extension [mozilla.org] to be applied to ff, tb and seamonkey.
Cheers...
Re:Only recent Mozilla bug. (Score:3, Informative)
Re:Sorry, links to Bugzilla from Slashdot are disa (Score:2, Informative)
Re:2K or not 2K (Score:3, Informative)
It explains the exploit is working with a specific syntax to invoke the program execution and it clearly mentionned the similar behavior for execution exists on W2K, but the syntax is different. Conclusion: The exploit exist only on WXP.
Incorrect bug link (Score:5, Informative)
The correct bug number for this hole is bug 250180.
Re:A clear advantage (Score:5, Informative)
Re:Open Source Collaboration (Score:2, Informative)
Hmm, this is obviously some strange usage of the word instantly that I wasn't previously aware of...
As the other posters have said, all over, the bug was opened in Sept 2002. Not far from 2 years ago.
"updates available" bug fix (Score:3, Informative)
Here's the fix:
Enter about:config in the location bar.
Enter update.app in the filter field. (Click on Enter)
Reset any prefs that appear in bold.
Restart Firefox.
taken from FireFox support newsgroup. [http://www.mozilla.org/support/]
Taken out of context... (Score:3, Informative)
True, I think this was something that should have been looked at earlier, but the same day the no-user interaction vuln was posted, there was a fix.
Is there a (proper) fix yet for the download.ject problem? No, even with the temporary "sticking plaster" that microsoft launched onto windows update this week there are still ways to exploit the problem. It will be months until a proper patch that fixes that will be released, if it is ever released at all.
Lets keep things in perspective and in context please.
Re:Open Source Collaboration (Score:5, Informative)
Re:A clear advantage (Score:5, Informative)
Valid point. Inspect the XPI before installing it. It's a ZIP file which contains two js files. "install.js" copies "bug250180.js" into the default-prefs folder. "bug250180.js" creates the preference string "network.protocol-handler.external.shell" with the value "false", which disables this particular handler.
The complete content of these files:
bug250180.js: install.js: ...or something similar to that, which I can't show here because Slashcode fucks it up.Re:Open Source Collaboration (Score:5, Informative)
The proposed change wouldn't even have prevented this vulnerability. It would have increased the requirement to exploit it from "Get the victim to visit your site" to "Get the victim to visit your site and click a link".
Re:Konqui (Score:3, Informative)
BTW, my Mozilla 1.7/linux on "shell:/bin/ls" says
Alert! shell is not a registered protocol
So, I see no problems with mozilla on linux.
Note, your Konqueror probably has some other obscure protocols, such as system:, settings: or programs: which may render your machine vulnerable by means you can't even imagine. You really should check if they are on just now.
Re:A clear advantage (Score:5, Informative)
Go to the source for better info!!!
http://www.mozilla.org/security/shell.html
Some other fixes: (Score:3, Informative)
I doubt they will block Slashdotters.
It's less effort, really it is. We now return you, of your own volition, to Windoze hell.
Re:A clear advantage (Score:3, Informative)
The problem with programs is that it is the complete _system_ that needs to be safe. As stated nicely by Bruce Sneider in one of his many books (I think it was Secrets & Lies (don't buy) or practical cryptography (must buy for security professionals).
Re:Shellblock XPI... (Score:4, Informative)
Try this page: test page [mccanless.us]
After I installed the patch (without restarting Mozilla), all four example links were available to click on. Clicking on the fourth link, marked "Clicking this could crash your system!!!" did cause Mozilla to go crazy. It kept opening new windows stupidly fast until it crashed.
After it died, I restarted it and went back to the page - now three of the links are completely disabled (I can't even highlight them), and the link that does work (the one with the example iframe exploit) has no malicious effect - the iframe no longer shows the Windows tip but is empty instead.
So my version of Moz clearly wasn't fixed until it had been restarted.
Re:Microsoft bug which affects Firefox (Score:1, Informative)
Re:A clear advantage (Score:4, Informative)
Re:A clear advantage (Score:5, Informative)
This isn't really a fix for a security problem in Mozilla, it's a workaround for a security problem in windows... which is why this only affects Mozilla on windows.
Re:A clear advantage (Score:5, Informative)
Except for the semicolon, as the other poster pointed out, this does have some portability problems. Not sure if you'd call them bugs or not.
You could argue that a preprocessor should allow this, some will indeed choke because there's no space before the <.
The 0 is returned to the operating system, but operating systems have different rules for what return values mean. For example, in VMS, even numbers are errors, and
will generate a nasty error message upon completion.Some people argue that the compiler should return "success" when the code says to return a 0. I haven't read anything official that supports that. And if so, how would you return a 0 if that's indeed the error you need to return to the operating system?
For maximum portability with ANSI C, you probably want to do something like this:
[Slashcode says to use <ECODE> instead of <PRE or <CODE, but how do I inline code or do indentation with <ECODE>?]
Even his sig has a typo!
Re:Open Source Collaboration (Score:5, Informative)
As other posters have been mistaken, so are you. The bug linked to in the
Re:A clear advantage (Score:5, Informative)
Will probably end up happening soon. Open online bug tracking has already started for some of their products.
0.9.2 Release Notes? (Score:3, Informative)
BUT, since I have XP SP2 installed (the latest release candidate), I can ignore 0.9.2 altogether? Or are other bug fixes included in this release?
Re:And this line says all I need to know (Score:3, Informative)
Re:It's not "in" the browser (Score:5, Informative)
Agreed. It's not really a bug in the browser, it's a flaw in Windows.
Windows has a bunch of protocol handlers registered. Mozilla knows how to handle a few (e.g. http, ftp, etc.). Whenever it encounters a protocol it doens't know what to do with, it sees if Windows knows how to handle it. Windows either handles it in some way or it doesn't. If it doesn't, Mozilla puts up a message saying "xyz is not a registered protocol." Mozilla has no way of knowing that anything is bad or dangerous.
The real bug is in Windows. The only real options the Mozilla developers have is to black/white list known dangerous protocols or simply don't allow protocols Mozilla itself doesn't handle. Neither are optimal. If you can't trust the OS you're on, you really limit yourself, bugs or not.
So we banish the "shell" protocol today. Who's to say Windows won't have another flaw in another protocol tomorrow?
This really isn't any different than plugins, which are in a sense, external protocol handlers. i.e. they know how to handle certain content...just like a protocol handler. What if there is an exploit in a plugin? Mozilla just starts the plugin with the listed parameters and lets it go. Are you going to blame Mozilla for allowing the plugin to run, or are you going to require that Mozilla not allow "known, dangerous plugins" to run?
Re:A clear advantage (Score:5, Informative)
Actually http://bugzilla.mozilla.org/show_bug.cgi?id=250180 is the first mention of the shell: bug. Bug 167475 is a catch all deciding whether or not Mozilla/Firefox should hand off unknown protocols. If it used a whitelist of known protocols as some people suggest then it would break a lot of things relied upon over various platforms.
The specific shell: bug was reported only Wednesday morning which gives us a total time of less than 48 hours.
Re:Firefox pass unknown protocol handlers to the O (Score:3, Informative)
This bug is about which Windows HTTP protocol handlers should be trusted. 'shell:' was trusted when it should not have been.
Re:Monoculture, my ass. (Score:1, Informative)
Re:Update system (Score:5, Informative)
By default it will periodically check for updates for the main program and extensions. You can even set it up to automatically download and install these updates.
Re:I knew it!!! (Score:4, Informative)
Re:Just to be fair... (Score:5, Informative)
Tools -> Options -> Advanced -> Software Update.
To check manually: Tools -> Extensions -> Update.
It's not perfect yet, but remember, it's still 0.9.x, not 1.0.
(Wait, you did want an answer, right?)
This bug report isn't the same.. (Score:3, Informative)
With this patch, "shell:" was added--quickly because the infastructure was there.
--Sam
Re:A clear advantage (Score:5, Informative)
One of the comments explains why this "bug" is so long in being "fixed"--it was suggested that a dialog should be popped up before launching any external app, (which Internet Explorer only started to do sometime this year), but this is inconsistent--external plugins, like Flash, don't get similar dialog boxes in any browser, even though such plugins have been exploited in the past. Also, some programs launch their own dialog warning the user of executing from untrusted environments, and having Mozilla also display a warning is redundant. Essentially, any program that registers itself as a plugin or web protocol is saying "I will take care of the security issues involved with my execution." Therefore, while known dangerous protocols like vbscript were blacklisted (that's why this particular bug is FIXED, even though the comments suggest awareness of the current problem), they didn't implement a whitelist (which I guess is the plan for 1.0) or a dialog box (which Internet Explorer now relies upon, foolishly) because it was not consistent with the behavior towards external plugins.
Presumably, with the bad press this has received, Mozilla has realized that Microsoft is going to put whatever-the-hell it wants to in as an external protocol, so unknown protocols should not be trusted. (Something that, apparently, Microsoft themselves has only realized in the last year or so.) shell: protocol is disabled in 0.9.2, and only whitelisted plugins will be trusted in 1.0. I think.
Re:WTF is an XPI? Super secret instructions requir (Score:3, Informative)
Don't even need to double-click anything, it installs from inside the browser. No need for self-extracting executables.
Concern has been around since 2002 (Score:5, Informative)
I have to agree that this is a Mozilla issue. To use a slightly contrived comparison: I read my mail using UW Pine. If someone sends me a script via attachment in email, I do not want Pine to test and see if the interpreter in the she-bang line is available on the host OS. My OS is not my mail reader; I do not want my mail reader allowing everything my OS can do. Ditto my web browser.
There appear to be at least three Mozilla Bugzilla Bugs related to this (likely a lot more):
#1 = Mozilla Bug 163767 (20 Aug 2002)
"Pref to disable external protocol handlers"
http://bugzilla.mozilla.org/show_bug.c
#2 = Mozilla Bug 167475 (9 Sep 2002)
"Disable external protocol handlers in all cases, excluding <A HREF"
http://bugzilla.mozilla.org/show_bug.cgi?i
#3 = Mozilla Bug 250180 (7 Jul 2004)
"Shell: protocol allows access to local files"
http://bugzilla.mozilla.org/show_bug.cgi?
It appears that Mozilla developers have been worried about this kind of problem going back to at least Aug 2002 (see #1 above). #1 talks about an option to disable external protocol handlers (URI schemes) by default. I have to say that would be the right thing to do. "Secure by default" is the correct approach.
#2 talks about an approach that uses context to determine if an external handler should be invokved. Basically, it assumes that if a user clicked a link, they wanted to invoke the handler; anything that happened implictly (such as image loading) should not invoke an external handler. I do agree with those who commented (in that bug) that this is not the right approach. It adds complexity, and it still fails to address the fact that clicking a link is not something that should just up and run anything the web page wants. If I wanted that, I'd use MSIE.
#3 is a reference to the "shell:" URI scheme in particular being abused this way. It blocks the "shell:" scheme to prevent that abuse. It does nothing to prevent abuses of other possible schemes, though. I suspect we may see this "feature" of Mozilla rear its ugly head again in the future.
This is not a failure of Open Source in particular. Nor does it prove Mozilla is crap or Microsoft is okay after all. It means that people make mistakes. This should not surprise anyone. Stop pointing fingers and fix the problem.
auto-update no worky - ? (Score:3, Informative)
Re:A clear advantage (Score:3, Informative)
Re:This has been addressed by MS (Score:2, Informative)
No, a sneaky little bastard could use <meta> refresh tags as well.
Re:Microsoft bug which affects Firefox (Score:3, Informative)
The external protocol handler would only be invoked if the links were like bt:// or bittorrent://. Never seen one like that.
Accent Nazi!! (Score:2, Informative)
The French word à is spelled with a grave accent, rather than an acute one. If you're going to spell things like a smartass, at least get them right.
Re:Where's the patch for 2000? (Score:4, Informative)
1. type "about:config" in your url bar
2. Find "network.protocol-handler.external.shell"
3. Change value to false
Thats all that you need to do to fix it.
Re:A clear advantage (Score:2, Informative)
Re:Mozilla VS IE (Score:4, Informative)
Also, if you RTFA, you'd realise this was supposed to have been fixed in a Windows service pack, but isn't.
So yes, I blame microsoft :)
Problem doesn't exist on any other OS running firefox...
smash.
Hypocritical? (Score:2, Informative)
* Internet Explorer 6
* Firefox 0.9
Note the difference? Well, if you can't - basically Firefox is still not a 1.0 product - one that's ready to ship, whereas Internet Explorer is up to 6.whatever... one is a product that has been released, the other is still undergoing development.
Plus, the flaw only affects Windows systems, not Mac or Linux or whatever systems so the blame also partly lays with Microsoft.
I rest my case.
Re:Bad way (Score:5, Informative)
From the article:
So in other words, this fix only changes a pref which is easy to do without a huge download, etc. and is easy for the clueless, since it requires one click. Future versions will have a fix for the problem in general, rather than just this specific case.
Re:Just to be fair... (Score:3, Informative)
Because shell: doesn't exist on Linux.
shell: is like any other protocol, such as http: or ftp:. What Necko (the networking part of Mozilla) does is if it doesn't recognize the protocol, it asks the OS. Windows recognizes shell:, and lets it do pretty much anything. None of the other OSs recognize it, which is why this only affects Windows
Re:Firefox pass unknown protocol handlers to the O (Score:3, Informative)
Doesn't work on mine. I see VERY few good reasons to need to be able to launch/download applications (or download fonts and run active script etc) from a local html page and thus I have disabled those options in the My Computer zone. I've also set things up so that copying and pasting gives me a prompt too.
Change the Flags to 1 in
HKEY_CURRENT_USER\Software\Microsoft\Windows\
And the My Computer zone becomes configurable.
However do note that windows explorer seems to rely on activex or active scripting IF you are not using the classic view.
Re:It's not "in" the browser (Score:3, Informative)
The OS contains a list of protocols and their handling applications. For example, RealPlayer will register itself and say "When someone clicks a link that calls for the rtsp: protocol then start me up coz I know how to handle it" (if this wasn't allowed then you could say goodbye to being able to just click a realaudio link and fire up the player). Unfortunately, Windows decided to add to the register an application saying "When someone clicks a link that calls for the shell: protocol, I know how to handle that".
Essentially there is a central register of "these applications can handle these internet protocols". As you know, anything on the internet has to be secure so this is basically a register of secure software. Unfortunately MS decided to put an insecure piece of software on the register and there was no reason for the browser to distrust the contents of the register.
OT: mozilla support for exchange servers! (Score:3, Informative)
Mozilla support for exchange servers (without IMAP) looks like it should now be implementable.
Bug 128284 [mozilla.org]
Please vote for this bug if you desperately _desperately_ (like me!) need support for exchange!
Re:Bad way (Score:2, Informative)
I hate to be picky but isn't Firefox designed for XP / 2k
Mozilla is a cross-platform web browser, it has not been specificly designed to run on one type of operaing system, such as Windows. There are also packages for most flavors of Linux/UNIX, including the source code.
so you'd think the devs might consider security flaws in them to be an important issue.
What Mozilla are doing is passing anything that the browser does not understand over to the OS, with a small hope that the OS will understand what it means. The bug aparantly affects Internet Explorer too, so it's more of a bug in the Windows OS more than anything.
Re:Bad way (Score:2, Informative)
And yes, Mozilla is cross-platform, but Firesomething is designed for windows (with ports being a secondary consideration) - it doesn't seem unreasonable to expect some security protocol changes in light of that fact.
--
Stem
Re:Bad way (Score:2, Informative)
Odd! The article indicates:
The shell: syntax works only on Windows XP systems. According to one report, similar functionality is available on Windows 2000 but with different syntax.
Re:This IS 100% Mozilla's fault (Score:3, Informative)
Also, the reported wasn't aware of this specific problem. One poster was aware of another protocol scheme that could be used to cause problems, which was subsuquently blocked -- i.e. they fixed the reason the problem reported was dangerous without fixing the "bug" itself. And, as fixing this "bug" would have damaged Mozilla's functionality, this is probably a good thing.
Re:Serendipity! Vindication in under one day! (Score:3, Informative)
IE (version 6.0.2800.1106.xpsp2.030422-1633 (not kidding, that's what it says), which appears to be the latest version (no patches pending in the update utility)) opens shell: URIs. So the answer to your question is YES, IE has this bug