Firefox Quickies 245
First, Gypsy2012 writes with a highly critical security flaw involving both Firefox 2.0 and Internet Explorer, which could allow a malicious attacker to gain remote control of a user's system. It exploits the "firefoxurl://" URI handler. ... Next, reader dsinc sends word that the beta for Firefox 3 has slipped by 6 weeks. The new target date is September 18 at the earliest. The article wonders whether the final release will slip into 2008. ... Finally, reader jktowns points out new anti-phishing features in the latest nightly build of Firefox 3. One of them was added into the code base by the guy who developed the LocationBar2 extension.
Re:What OS (Score:5, Insightful)
Doesn't work with Firefox 1.5.x.x (Score:2, Insightful)
Free Disease. Now pay for the Cure. (Score:5, Insightful)
Now this blows:
http://secunia.com/advisories/25984/
> Solution:
> Do not browse untrusted sites.
> Disable the "Firefox URL" URI handler.
The first is impractical. The second begs the question, "Sure, How?" Read on:
> Extended Solution:
> The "Extended Solution" section is available for Secunia customers only.
> Request a trial and get access to the Secunia Customer Area and Extended Secunia advisories.
So these guys are publishing zero day security flaws, then making you reach for your credit card. Very grubby.
The CNET article doesn't tell you what the fix is either. Google has nothing. Anyone?
Requires firefox to exploit from IE (Score:2, Insightful)
The fact is that the URI handler firefoxurl:// is installed by.... Firefox.
In other words, IE is redirecting to the firefoxurl DLL or EXE installed by Firefox, and that is the code which is executing user input without warning.
To me it seems disingenuous to blame the IE implementation for handing control to the Firefox protocol handler, which is treated like a shell plug-in. It seems the responsibility to prompt the user should rest on the protocol handler. Otherwise, IE would be expected to prompt on the execution of any protocol handler that was unknown at the time that IE shipped, or some such "prompting heuristic." This would be inconvenient and also subjected to ridicule on /.
Re:Here's how... (Score:2, Insightful)
Re:IE problem, but also Firefox problem. (Score:4, Insightful)
It's a protocol scheme Windows makes up based on the registry keys Firefox has to set to get things like http: associated with it.
To be more precise, what Firefox does is:
register HKLM/SOFTWARE/Classes/FirefoxURL with a shell/open/command
subkey and then set the values of ftp, gopher, http, and https to
FirefoxURL under HKLM/SOFTWARE/Clients/StartMenuInternet/FIREFOX.E
This causes Windows to send "firefoxurl:" URLs to Firefox.
Not much to remove here on Mozilla's end.
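An added example, not part of the comment above and not Firefox or Mozilla code: a small audit over a `reg export` dump that lists which classes are exposed as URL schemes and how each open command receives the `%1` parameter. It assumes a class is a URL scheme when it carries the standard Windows `URL Protocol` value; the sample export, the executable paths and the `examplescheme` key are constructed placeholders.

```python
import re

# Constructed sample in `reg export` format; executable paths are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirefoxURL]
@="Firefox URL"
"URL Protocol"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirefoxURL\shell\open\command]
@="\"C:\\Placeholder\\browser.exe\" \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\examplescheme]
"URL Protocol"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\examplescheme\shell\open\command]
@="C:\\Placeholder\\tool.exe %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt]
@="txtfile"
'''

def parse_reg(text):
    """Return {key_path: {value_name: data}} for string values; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})  # registry paths are case-insensitive
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            # Undo the .reg escaping of backslashes and double quotes.
            current[m.group(1).strip('"').lower()] = re.sub(r'\\(.)', r'\1', m.group(2))
    return keys

def audit_url_handlers(keys):
    """List classes registered as URL schemes and how their open command takes %1."""
    findings = []
    for path, values in keys.items():
        if "url protocol" not in values:
            continue  # an ordinary class such as a file type, not a URL scheme
        command = keys.get(path + r"\shell\open\command", {}).get("@", "")
        if "%1" not in command:
            usage = "absent"
        elif '"%1"' in command:
            usage = "quoted"    # stays one argument only if the caller escapes the URL
        else:
            usage = "unquoted"  # a space in the URL already splits the argument
        findings.append((path.rsplit("\\", 1)[-1] + ":", usage, command))
    return findings
```

On a real machine the input would be the text of an export of `HKLM\SOFTWARE\Classes`, decoded from the UTF-16 that `reg export` writes.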
Re:Firefox's Fault? (Score:4, Insightful)
Firefox set up the http: protocol and such to launch it. Windows synthesizes a new URI scheme based on the registry key name used for this and associates this made-up scheme with Firefox. Not much Firefox can do about this Windows "feature".
Re:What OS (Score:2, Insightful)
Re:Demonstration (Score:4, Insightful)
Re:Demonstration (Score:3, Insightful)
Meanwhile, Kristensen of Secunia said: "A new URI handler was registered on Windows systems to allow Web sites to force launching Firefox if the 'firefoxurl://' URI was called, like ftp://, http:// or similar would call other applications."
But because of the way the URI handler was registered by Firefox, it causes any parameter--which activates a program to perform a particular task--to be passed from Microsoft's Internet Explorer, or another application, to Firefox, when firefoxurl:// is activated.
An attacker may use "chrome" context--the interface elements of a browser that create the frame around its page displays--to inject code on a user's system that would be executed within Firefox, Kristensen said.
"Registering the URI handler must be done with care, since Windows does not have any proper way of knowing what kind of input potentially could be dangerous for an application
Re:SOMEONE is a little sensitive. (Score:3, Insightful)