Firefox Quickies

First, Gypsy2012 writes with a highly critical security flaw involving both Firefox 2.0 and Internet Explorer, which could allow a malicious attacker to gain remote control of a user's system. It exploits the "firefoxurl://" URI handler. ... Next, reader dsinc sends word that the beta for Firefox 3 has slipped by 6 weeks. The new target date is September 18 at the earliest. The article wonders whether the final release will slip into 2008. ... Finally, reader jktowns points out new anti-phishing features in the latest nightly build of Firefox 3. One of them was added into the code base by the guy who developed the LocationBar² extension.

Re:What OS

[blhack]

well...if you read the article you would find that this bug effects Internet Explorer users, not firefox users. The exploit has firefox as a dependency, but is actually called from IE.

Doesn't work with Firefox 1.5.x.x

[Fluffy Bunnies]

In case anyone was wondering. Seems like skipping version 2 was a good choice after all.

Free Diease. Now pay for the Cure.

[BillGatesLoveChild]

Firefox hasn't released a fix for this, and there is no mention of it on their web site.

Now this blows:

http://secunia.com/advisories/25984/ [secunia.com]
> Solution:
> Do not browse untrusted sites.
> Disable the "Firefox URL" URI handler.

The first is impractical. The second begs the question, "Sure, How?" Read on:

> Extended Solution:
> The "Extended Solution" section is available for Secunia customers only.
> Request a trial and get access to the Secunia Customer Area and Extended Secunia advisories.

So these guys are publishing zero day security flaws, then making you reach for your credit card. Very grubby.

The CNET article doesn't tell you what the fix is either. Google has nothing. Anyone?

Requires firefox to exploit from IE

[Heathhunnicutt-enwik]

The fact is that the URI handler firefoxurl:// is installed by.... Firefox.

In other words, IE is redirecting to the firefoxurl DLL or EXE installed by Firefox, and that is the code which is executing user input without warning.

To me it seems disingenuous to blame the IE implementation for handing control to the Firefox protocol handler, which is treated like a shell plug-in. It seems the responsibility to prompt the user should rest on the protocol handler. Otherwise, IE would be expected to prompt on the execution of any protocol handler that was unknown at the time that IE shipped, or some such "prompting heuristic." This would be inconvenient and also subjected to ridicule on /.

Re:Here's how...

[Tolkien]

Never mind, spoke too quickly and misunderstood.

Re:IE problem, but also Firefox problem.

[BZ]

> I can't think of any legitimate reason for it

It's a protocol scheme Windows makes up based on the registry keys Firefox has to set to get things like http: associated with it.

To be more precise, what Firefox does is:

    register HKLM/SOFTWARE/Classes/FirefoxURL with a shell/open/command
    subkey and then set the values of ftp, gopher, http, and https to
    FirefoxURL under HKLM/SOFTWARE/Clients/StartMenuInternet/FIREFOX.EX E/Capabilities/URLAssociations

This causes Windows to send "firefoxurl:" URLs to Firefox.

Not much to remove here on Mozilla's end.

Re:Firefox's Fault?

[BZ]

> I interpret that as saying that the Firefox installer messed with Windows and Internet Explorer

Firefox set up the http: protocol and such to launch it. Windows synthesizes a new URI scheme based on the registry key name used for this and associates this made-up scheme with Firefox. Not much Firefox can do about this Windows "feature".

Re:What OS

[fatphil]

What do you mean by 'too powerful'? It's exactly as powerful as pretty much any other scheme handler. And amazingly, other scheme handlers are vulnerable too. See the exactly equivalenty Safari exploit from a week back. He used "gopher:" as the scheme, not "firefoxurl:". The error lies in the source browser to OS (i.e. the thing that actually spawns a process) interface. Windows specifies handler behaviour in terms of building a single string which is later parsed into individual arguments. Because of that, what should be a single parameter can break itself into many parameters, or even multiple commands separated by command separators or piping, or whatever.

Re:Demonstration

[Goaway]

Actually reading the announcement, this seems very much like a Firefox bug, namely in the URL handler it installs. It's IE that's just doing what you tell it, to open an URL that happens to use an external URL handler.

Re:Demonstration

[trifish]

This is certainly not an IE bug, but sloppy security design in Firefox. From TFA:

Meanwhile, Kristensen of Secunia said: "A new URI handler was registered on Windows systems to allow Web sites to force launching Firefox if the 'firefoxurl://' URI was called, like ftp:// [ftp] http:/// [http] or similar would call other applications."

But because of the way the URI handler was registered by Firefox, it causes any parameter--which activates a program to perform a particular task--to be passed from Microsoft's Internet Explorer, or another application, to Firefox, when firefoxurl:// is activated.

An attacker may use "chrome" context--the interface elements of a browser that create the frame around its page displays--to inject code on a user's system that would be executed within Firefox, Kristensen said.

"Registering the URI handler must be done with care, since Windows does not have any proper way of knowing what kind of input potentially could be dangerous for an application ," said Kristensen. "For example, how should Windows know that the string 'chrome' could be dangerous for Firefox."

Re:SOMEONE is a little sensitive.

[stonecypher]

Responding to yourself as if someone had given you guff over your choice of operating system? ... Karma troll much?