Firefox Quickies

First, Gypsy2012 writes with a highly critical security flaw involving both Firefox 2.0 and Internet Explorer, which could allow a malicious attacker to gain remote control of a user's system. It exploits the "firefoxurl://" URI handler. ... Next, reader dsinc sends word that the beta for Firefox 3 has slipped by 6 weeks. The new target date is September 18 at the earliest. The article wonders whether the final release will slip into 2008. ... Finally, reader jktowns points out new anti-phishing features in the latest nightly build of Firefox 3. One of them was added into the code base by the guy who developed the LocationBar² extension.

Demonstration

[blhack]

Demonstration

Cmd.exe [firefoxurl]
This should launch cmd.exe....

Notice that you must click that link from internet explorer, firefox will warn you that an external application is being called.

above example taken from here [xs-sniper.com]

Re:Demonstration

[froggero1]

Weird, I get an error message:

"Iceweasel doesn't know how to open this address, because the protocol (firefoxurl) isn't associated with any program."

and when I try to open this "ie" program:

"~ $ ie
bash: ie: command not found"

maybe there's something wrong with your operating system?

Re:Demonstration

[Anonymous Coward]

Hey, 1996 called, and they want their snooty, elitist, linux user tude' back.

Re:

[stonedcat]

Brought to you by Microsoft TimePhone98-SE (patent pending).

Re:

[Anonymous Coward]

yes and we still have reasons to laugh at windows.

Laughing? A less happy feeling

[Futurepower(R)]

I wouldn't call it laughing. "You are coming to a sad realization [apple.com]. Cancel or allow?"

"If you've used Windows Vista for more than 3.7 minutes, you know what UAC (User Account Control) is.. it's the obnoxious, nagging popup window that will be your life for the next 3-5 years... Note: Disabling UAC will lead to a less secure system, so be warned. -- The How-to Geek [howtogeek.com]

Re:Laughing? A less happy feeling

[SEMW]

You are coming to a sad realization. Cancel or allow?

It's rather ironic that you're positing that in this thread, since UAC actually prevents the exploit that TFA's talking about.

If you try it on Vista with UAC turned on, it'll fail -- or, at least, it'll give you a warning dialogue (one of these [wvsom.edu] ) -- due to IE's protected mode, which is part of UAC (quick summary: IE runs as an even lower integrity token than normal users, and need privilege elevation to a normal user token to do things like write to anywhere other then temporary internet files and access other programs on the computer -- in this case, Firefox).

Re:

[valintin]

If the dialog is that common I wonder how many people are going to automatically accept running this because they are constantly annoyed by the pop-up?

Re:

[SEMW]

If the dialog is that common I wonder how many people are going to automatically accept running this because they are constantly annoyed by the pop-up?

"If the dialogue is that common" -- huh? Where exactly did I imply it was very common? After all, how often is a legitimate website going to want to access other programs on your computer? The only times I've ever seen it are when installing plugins from websites (e.g. quicktime, flash), and this exploit. (And if there *is* a legitimate site that needs to access other files/programs on your computer for some reason, the warning box has an option to not show the warning for that site again).

That said

Re:

[The Spoonman]

maybe there's something wrong with your operating system?

Nope, there's something wrong with Firefox. IE (and it works with Safari Beta 3, as well) is just doing what it's supposed to do: handing specific URLS off to its handler. If you have FTP URLs open in a third-party app which is then exploited, is the problem STILL with the browser that launched the handler? Of course not. Worse, this exploit only works when the URL is passed to Firefox, not when it handles the URL directly, which means Firefox is

Re:

[blhack]

Correction (something went goofey when i copy and pasted.

this [firefoxurl] ..will launch cmd.exe

If you open this in firefox (as most of you probably are usuing firefox, since this is slashdot), it warns you that something is trying to launch an external application.

once again, the above example was taken from Here [xs-sniper.com]

Re:

[blhack]

DARN YOU SLASHDOT!!!!!!!!!!!!!!!

stop stripping my links! >:-O

the link in full txt is THIS:

a href = 'firefoxurl:test" -chrome "javascript:C=Components.classes;I=Components.inte rfaces;file=C[@mozilla.org/file/local;1].createIns tance(I.nsILocalFile);file.initWithPath(C:+String. fromCharCode(92)+String.fromCharCode(92)+Windows+S tring.fromCharCode(92)+String.fromCharCode(92)+Sys tem32+String.fromCharCode(92)+String.fromCharCode( 92)+cmd.exe);process=C[@mozilla.org/process/util;1 ].createInstance(I.nsIProce

Re:Demonstration

[dwarfsoft]

Weird. On windows, with Firefox 2.0.0.4, and clicking on the cmd.exe launcher on the page that you linked to (and by creating my own html page) It just opens a blank tab. cmd.exe isn't launched.

Firefox 2.0.0.4 and IE6.

Doesn't even work from IE, just loads a blank tab in firefox. I guess I must be doing it wrong :D

Re:Demonstration

[Frizzle Fry]

It's only supposed to work if you don't already have firefox open (and then you click the link in IE).

www.xs-sniper.com is not in the IE whitelist

[tepples]

Close all FF windows
Open IE.
Go here http://www.xs-sniper.com/sniperscope/IE-Pwns-Firef ox.html/ [xs-sniper.com]

And all I get is a message from my proxy stating that the site is not on IE's whitelist (which includes Windows Update and a few other hostnames) and that one should use the installed copy of Firefox or Opera for other sites. So in order to be vulnerable, you have to be using IE or another MSHTML-wrapper as your primary browser.

Re:

[RobertM1968]

Same results as your previous link...

Firefox doesn't know how to open this address, because the protocol (firefoxurl) isn't associated with any program.

Same Firefox 2.0.0.4 (on eCS)

Re:

[AuMatar]

Same result with Mozilla Seamonkey.

SOMEONE is a little sensitive.

[khasim]

Hey, don't get mad at ME if this "Firefox exploit" depends upon IE being insecure.

An application is only as secure as the system it runs on.

I'll stick to Ubuntu where I have a choice.

If that offends you, too bad. Get a life and stop trying to make a religious war out of an OS.

Re:

[Random832]

It's not IE being insecure. It hands firefoxurl: urls off to firefox because firefox registered a URL handler, the same as it hands aim: urls off to aol instant messenger, irc: urls off to whatever IRC client exists that actually bothers to support that (i think mirc did at one point), etc. This is by design, and it's _not_ a bad design. It's the same flaw as the "shell:" url thing that affected firefox, only it's in the opposite direction - with shell: it was windows that provided an idiotic URL handler an

Re:

[stonecypher]

Responding to yourself as if someone had given you guff over your choice of operating system? ... Karma troll much?

Re:

[RobertM1968]

I know one similar response was modded funny, but this is truly what I got.

Firefox doesn't know how to open this address, because the protocol (firefoxurl) isn't associated with any program.

Firefox 2.0.0.4 (on eCS)

Re:

[Henry V .009]

Vista UAC blocks it, interestingly enough.

Re:

[Giorgio Maone]

Firefox users with the NoScript extension [noscript.net] installed have been already protected both from MacManus/Larholm remote code execution and from Rios "Universal XSS" since June, the 22th, see NoScript changelog [noscript.net].

More in general, they're protected from chrome privilege escalation gained by opening non-chrome URLs in top-level chrome windows (Larholm's PoC) and from javascript: URLs being loaded in externally opened browser shells (Rios' PoC), no matter if attempted through the firefoxurl: handler (like in this s

Re:

[Nurgled]

Curiously, when I clicked your link IE loaded Firefox, and then Firefox told me that it had to load Firefox to view this URL. I clicked "Yes" and a new tab opened and it again told me that it had to load Firefox to view this URL.

Certainly didn't launch cmd.exe. What gives?

Re:

[fatphil]

Yes, yes. This is an _IE_ bug, not a firefox bug. (I think you probably knew that though, but the people who wrote the summary and added tags certainly seem ignorant of that fact.)

Firefox just does what you tell it, and 'you' in this case is an IE which doesn't escape characters that have a meaning to the shell that is going to execute the command. So it's IE pwnx0ring (is that how you spell it?) the *shell* to get it to execute firefox with arbitrary parameters. I'd be willing to bet that there's a way to

Re:Demonstration

[Goaway]

Actually reading the announcement, this seems very much like a Firefox bug, namely in the URL handler it installs. It's IE that's just doing what you tell it, to open an URL that happens to use an external URL handler.

Re:

[Goaway]

What do you mean 'the handler'? The string in the registry or the program refered to in that string?
If you think it's the string, then what's wrong with it, and what should be changed to fix it? (clue - nothing, anything you suggest I can provide an exploit for) Which makes you in the wrong.

The program, of course. It should know it will be called with unsafe parameters.

It makes no attempt to escape undesirable characters in the string. It lets the OS break that string into multiple strings.

From reading up o

Re:

[Goaway]

The fact that Firefox *must* interpret the string as being composed of several different parameters by following those old DOS conventions is because IE _created a sting which must be interpreted that way_.

It did no such thing, and there is no requirement to follow any old DOS conventions. It created a string as dictated by the registry entry and the API design. Firefox did not understand how the API works, and misinterpreted the resulting string.

If IE wants to pass spaces, quotes, piping, redirection, etc.

Re:

[Goaway]

Read that again. He's showing that command line processing of the pipe character does not take place, because it shows up verbatim in the arguments of the process launched. If the shell was processing the pipes, the command line would stop just before the pipe, and there would be a second process with the rest in it.

He then proceeds to find a real exploit by using unintended consequences of normal Firefox options, specifically, the -chrome option. So, once again, the bug is that the -chrome option of firefo

Re:

[Goaway]

There is no requirement to use the main executable as the URL handler. Proper design would use an auxillary executable as the URL handler, or would use DDE instead, or would have a special-case command-line parser when called with some kind of "-urlHandler" option that would disable quoting and spaces after that point.

Re:

[trifish]

This is certainly not an IE bug, but sloppy security design in Firefox. From TFA:

Meanwhile, Kristensen of Secunia said: "A new URI handler was registered on Windows systems to allow Web sites to force launching Firefox if the 'firefoxurl://' URI was called, like ftp:// [ftp] http:/// [http] or similar would call other applications."

But because of the way the URI handler was registered by Firefox, it causes any parameter--which activates a program to perform a particular task--to be passed from Microsoft's Internet Expl

Re:

[Goaway]

This is Windows, not Unix. There is no standardized way to parse command lines, and no standardized way to escape them. Every program parses its commandline by itself - it gets no argc and argv parameters from any shell.

This means that you can not know how to escape a command line for another app properly! Therefore, if you register a command-line URL handler, it is up to you to parse the string that the browsers passes in verbatim correctly!

This is risky, which is why you can use DDE instead of command-lin

Re:

[fatphil]

"There is no standardized way to parse command lines, and no standardized way to escape them."

Microsoft seem to disagree with you:
http://msdn2.microsoft.com/en-us/library/a1y7w461( VS.80).aspx

Of course, their system is braindead, but it *is* standardised.

Re:

[Goaway]

Read a little closer:

Microsoft C startup code uses the following rules when interpreting arguments given on the operating system command line:

This is what their particular startup code does. It's just one particular implementation, not any kind of standard.

Re:

[Goaway]

Firefox does not chose how to parse the command line, that happens before main() is ever called. Firefox _does_ get argc and argv. So yet again, it's not Firefox's fault.

Yes, it does. It choses to accept what gcc's startup code feeds it. That's a choice. It could, and would have to, implement its own argument parsing to work properly as an URL handler.

More sanely, it should use an external executable as the URL handler, or even better, use DDE and not the command line.

PS:

If that's the case, then windows is

Finally

[suv4x4]

Finally!

First, Gypsy2012 writes with a highly critical security flaw involving both Firefox 2.0 and Internet Explorer

Earlier when Microsoft's IE team flew over to Mozilla HQ to ask them about their RSS icon, I knew it that's the beginning of a wonderful partnership.

What OS

[jshriverWVU]

Every once in a while I see posts about Firefox or IE or whatever with a security flaw that allow remote access or malware/virii to be installed. But they never say what System it affects. Granted for IE it's pretty simple, but once you add firefox into the equation you have to wonder does this effect Linux too? Even so if the bug is in the linux firefox version, does it really matter at a system level, as many sites that might use this bug are going to be geared toward Windows users.

Granted if it's a bug it needs fixed regardless, but I would be more shocked if it said "allows a person to gain remote access on ALL systems running said software".

Re:What OS

[blhack]

well...if you read the article you would find that this bug effects Internet Explorer users, not firefox users. The exploit has firefox as a dependency, but is actually called from IE.

Re:

[Red Flayer]

The exploit has firefox as a dependency, but is actually called from IE.

So what you're saying is that if you have IE installed on your computer[1], it is a security risk to install Firefox?

Are we *sure* this is a bug, not a "feature"?

Right now, somewhere in Remdond, someone is planning a press release...

[1] By extension, if you are one of the 97.46% of desktop users worldwide with Windows installed.

Re:

[Tim C]

But if you are using IE to surf for pr0n, serialz and spyware, why would you have Firefox installed?

Because someone else who uses the machine installed it? Because you heard about it, installed it, but didn't like it?

Re:

[StupiderThanYou]

well...if you read the article ...

If you who the what now?

Re:

[Khuffie]

This has nothing to do with IE and everything to do with Firefox on windows. Firefox itself registers the "firefoxurl" URI in the Windows Registry, meaning that any application that renders HTML (ie, such as Opera) will popup FIrefox when that handler is invoked.

Re:

[fatphil]

You obviously don't understand how shells work. The bug is between IE and the shell. IE passes an untrusted string to the shell, the shell creates a command line to execute, and the shell executes it. There is _absolutely_nothing_ that firefox could do to prevent this exploit, apart from not registering such a scheme handler at all. All such registered scheme handlers are equally vulnerable from this IE bug, not just firefox.

Opera is perfectly capable of escaping characters that have meaning to the shell be

Re:

[mr3038]

You obviously don't understand how shells work. The bug is between IE and the shell. IE passes an untrusted string to the shell, the shell creates a command line to execute, and the shell executes it. There is _absolutely_nothing_ that firefox could do to prevent this exploit, apart from not registering such a scheme handler at all.

If I've understood correctly, the problem is not (this time) that IE skips the encoding of shell parameters but that the firefoxurl scheme handler is too powerful. MS used once

Re:

[fatphil]

What do you mean by 'too powerful'? It's exactly as powerful as pretty much any other scheme handler. And amazingly, other scheme handlers are vulnerable too. See the exactly equivalenty Safari exploit from a week back. He used "gopher:" as the scheme, not "firefoxurl:". The error lies in the source browser to OS (i.e. the thing that actually spawns a process) interface. Windows specifies handler behaviour in terms of building a single string which is later parsed into individual arguments. Because of that,

Re:

[mattspammail]

Naming convention idea: follow Symantec's lead: http://www.symantec.com/avcenter/vnameinfo.html [symantec.com]

Ex: W32.BAT.FirefoxAndIEriskThisAffectsYouAndItsReally BigItCanEvenSpawnBatchFilesOMG.dr.A

Re:

[netdur]

Windows only http://blog.mozilla.com/security/2007/07/10/securi ty-issue-in-url-protocol-handling-on-windows/ [mozilla.com]

Re:What OS

[suv4x4]

But they never say what System it affects. Granted for IE it's pretty simple

Is it. Most exploits that would work on XP wouldn't work on Vista in protected mode.

Re:

[jshriverWVU]

Perhaps this is a term difference, but hasn't all versions of Windows from 95 up been running in protected mode? Otherwise how do they get access to larger linear memory mapping versus segmented chunks like the DOS days.

Re:What OS

[GIL_Dude]

Internet Explorer protected mode in Vista puts IE running at the "low integrity" level meaning it can only access a very limited number of folders (for example the temporary internet files folder). At the low integrity level it is very difficult to actual exploit a machine as you don't have the rights to access much.

Re:

[StormReaver]

"Internet Explorer protected mode in Vista...don't have the rights to access much."

Does Internet Explorer come this way by default? If not, then it's of no use to 99+% of Vista victims...err...users since they won't change the defaults.

Re:

[SEMW]

Does Internet Explorer come this way by default? If not, then it's of no use to 99+% of Vista victims...err...users since they won't change the defaults.

Yes, it is turned on by default. The worry is that people will turn it *off*: protected mode is part of UAC...

Re:

[stevey]

You're correct. Protected mode means something different [microsoft.com] in this context.

Nowhere near as much fun as handling triple faults in your assembly code!

Re:

[suv4x4]

Perhaps this is a term difference, but hasn't all versions of Windows from 95 up been running in protected mode? Otherwise how do they get access to larger linear memory mapping versus segmented chunks like the DOS days.

It's not related to the memory protected mode really, now that I think of it, not very good choice of words on MS part, as it (obviously) could cause confusion.

It's a "low permissions" mode.

Re:

[Mundocani]

I'm running Vista and trying the link in IE just causes Firefox to launch, at which point Firefox puts up the security warning about external applications. Guess it's only XP and earlier that can trigger an unprompted launch.

Re:

[SEMW]

Turn UAC back on. Protected mode is part of UAC privilege level seperation, and won't work if you have UAC turned off.

Re:

[Anonymous Coward]

"virii" is not a word. It's viruses.

http://en.wikipedia.org/wiki/Virii [wikipedia.org]

Doesn't work with Firefox 1.5.x.x

[Fluffy Bunnies]

In case anyone was wondering. Seems like skipping version 2 was a good choice after all.

Free Diease. Now pay for the Cure.

[BillGatesLoveChild]

Firefox hasn't released a fix for this, and there is no mention of it on their web site.

Now this blows:

http://secunia.com/advisories/25984/ [secunia.com]
> Solution:
> Do not browse untrusted sites.
> Disable the "Firefox URL" URI handler.

The first is impractical. The second begs the question, "Sure, How?" Read on:

> Extended Solution:
> The "Extended Solution" section is available for Secunia customers only.
> Request a trial and get access to the Secunia Customer Area and Extended Secunia advisories.

So these guys are publishing zero day security flaws, then making you reach for your credit card. Very grubby.

The CNET article doesn't tell you what the fix is either. Google has nothing. Anyone?

Here's how...

[mario_grgic]

Open Windows Exporer (not Internet Explorer) and from the Tools menu select "Folder Options" menu. On the dialog that appears select the "File Types" tab.

Now in the list of registered file types find the one that says:

"(NONE)" for extension and "Firefox URL" for file type

Select it and click on delete button to delete it.
Click on "OK" to close the "Folder Options" dialog.

Re:

[BillGatesLoveChild]

Thanks very much! Was a little different when I got there, but this seemed to do it: The [Delete] button was greyed out for some reason my PC(!?), so selected it anyway, click [Advanced], [Remove], Sure? [yes]. The entry stays there, but now typeing firefoxurl://slashdot.org in IE says "No Program is associated with this".

Re:

[Tolkien]

Never mind, spoke too quickly and misunderstood.

Re:

[mario_grgic]

I did this on XP as well. You can always remove the FirefoxURL entry from the registry located at

HKEY_CLASSES_ROOT\FirefoxURL

So, go to start Run, type regedit and navigate to this key. Right click on it and choose Delete.

Of course you could also export the entry and save it in a .reg file, should you ever want to put it back.

To put it back, just double click on the .reg file you saved.

Re:

[David_W]

Disable the "Firefox URL" URI handler.

[This] begs the question, "Sure, How?"

URI handlers are stored under HKCR in the registry. If you rename or remove HKCR\FirefoxURL it should disable the handler. Note that I have no idea what other impact doing that would have.

Here's the solution

[SkiifGeek]

Well, there is always:
http://www.beskerming.com/security/2007/07/11/35/F irefox_-_Remote_hacker_automatic_control [beskerming.com]

The solution is in there, along with the report. Even when disclosing content that is extremely time sensitive, that information will always be available from our site.

IE problem, but also Firefox problem.

[The MAZZTer]

Firefox will warn you if a program tries to use other protocols. It will allow you to suppress the warning, however, which can cause the same problem as IE, but at least you can't say you weren't warned. So from this POV, it is IE's problem moreso than Firefox's, especially when it's considered that the URLs can't do anything from WITHIN Firefox, and that (I haven't checked this, just heard it somewhere) the protocol was requested by MS for some Vista compatibility thing or some such nonsense. Not sure if there's anything to that.

However, on the flip side, anyone who implements a protocol needs to be aware any web page can invoke the protocol at will, without the consent of the user (well, thanks to IE's "standards"). This results in being able to do things like this [mzzt.net]. This webpage redirects the browser to steam://open/main, which will open the main Steam window. The user never sees the actual url. This could work with the firefoxurl protocol as well. Here are some other things that can be done [valvesoftware.com], some of the uglier ones have confirmation screens I believe, but launching a game or connecting to a server does not. Note the first one which promises that it can redirect command line arguments, just like firefoxurl... however I cannot get that to work (I tried -shutdown and it just focused the main window like my current sample does). Also note the hackish steam://openurl/, which is designed to allow Steam's built-in IE browser to invoke the computer's default browser. Theoretically this could be used to bypass a popup blocker.

Of course it would appear that Steam at least can't run arbitrary programs and is limited to it's own folder in terms of effects (I could force you to join my UBER LAME COUNTER STRIKE SERVER but that's about it).

I think both Microsoft and Mozilla need to take steps to fix this problem. Microsoft needs to improve external protocol handling to at least what Firefox does (Firefox could even secure its own handling more, but that might detract too much from the flexibility. Not that that's stopped anybody before). Mozilla should remove this silly firefoxurl bit. I can't think of any legitimate reason for it (anyone have any clue?).

As for Valve with Steam... steam://openurl/ is a bit much I think. It's expected for users who don't know what MSHTML or ActiveX are to think it's a bug that external windows open in IE, but us devs know that, internally, IE is just spawning a new window for a page. Since when were you browsing the web in IE and click on a link and it popped open in Firefox? I wouldn't want that to happen if I preferred IE! (Yeah... firefoxurl is definitely useless.) I mean, can't Valve say that because Steam uses Internet Explorer internally for the Store, all launched webpages will appear in Internet Explorer and there's no way around it? Eh probably not. The technically inclined probably think everything is great now and wouldn't care if anyone told them Valve used a hackish and possibly unsafe solution.

Although at the least they could use a whitelist for urls to use for openurl... IE steampowered.com and whatever other sites they link to... although considering the number of third party games being added it could be a largish list. :(

Perhaps steam could kick the steam:// thing entirely, but the only alternative I can think of is an Internet Explorer BHO (ick, not worth the trouble IMO), unless they can do something fancy with javascript or java or flash or something.

Here's a bonus for reading all this: You can see what available protocols Windows / Internet Explorer can use (Firefox too, although it has its own extras like about: and data:) by checking HKEY_CLASSES_ROOT in regedit. Search for Values with the exact name of "URL Protocol" and the keys you find (or maybe it's in the default value?) are the protocol names. With a look it can be easy to figure out how

Re:

[ikkonoishi]

If you have mIRC you probally also have IRC://.

Like so. [irc]

Re:IE problem, but also Firefox problem.

[BZ]

> I can't think of any legitimate reason for it

It's a protocol scheme Windows makes up based on the registry keys Firefox has to set to get things like http: associated with it.

To be more precise, what Firefox does is:

    register HKLM/SOFTWARE/Classes/FirefoxURL with a shell/open/command
    subkey and then set the values of ftp, gopher, http, and https to
    FirefoxURL under HKLM/SOFTWARE/Clients/StartMenuInternet/FIREFOX.EX E/Capabilities/URLAssociations

This causes Windows to send "firefoxurl:" URLs to Firefox.

Not much to remove here on Mozilla's end.

Re:

[Cheesey]

his webpage redirects the browser to steam://open/main, which will open the main Steam window. The user never sees the actual url... some of the uglier ones have confirmation screens I believe, but launching a game or connecting to a server does not.

It really bothers me that a Steam game server (e.g. for CS:S) can force your computer to open any webpage as soon as it connects. This is used by some CS:S admins to make welcome screens with persistent scoreboards. But an Internet Explorer widget is used, and t

Requires firefox to exploit from IE

[Heathhunnicutt-enwik]

The fact is that the URI handler firefoxurl:// is installed by.... Firefox.

In other words, IE is redirecting to the firefoxurl DLL or EXE installed by Firefox, and that is the code which is executing user input without warning.

To me it seems disingenuous to blame the IE implementation for handing control to the Firefox protocol handler, which is treated like a shell plug-in. It seems the responsibility to prompt the user should rest on the protocol handler. Otherwise, IE would be expected to prompt

What earthly use is "firefoxurl" anyway?!

[_xeno_]

After reading about "firefoxurl" and what it does, I only have one simple question: what on earth were they thinking when they implemented it? What's it supposed to be useful for?

As far as I can tell, the only use it could possibly have is creating desktop URLs that always open in Firefox, however there's no reason why they would have to create a URL handler to do that. Otherwise, it's completely worthless and, as discovered, a security risk, to boot.

For added fun, attempting to use a "firefoxurl" URL while Firefox is already running creates an infinite loop. (It just keeps on asking you to allow an "external application" to launch. It doesn't even seem to actually work. I get the same results when launching it directly from IE through the address bar.)

Why was this implemented? What was it supposed to do?

And, for bonus points, is it possible to write a firefoxurl that, when opened in IE, would unregister the firefoxurl handler?

Re:

[schweini]

Without actually looking it up, I'd guess this feature is useful for example if you develop XUL-based applications and the like. You could then link to the XUL application on your website, and IE (if you're using it to browse the site) would open the application in FF.

Re:What earthly use is "firefoxurl" anyway?!

[_xeno_]

Except that's still retarded, since it's by definition a remotely executable code exploit. URLs don't have to be loaded by users, and in some cases, can even be loaded without any user interaction. (<meta http-equiv="Refresh"> comes to mind, although I haven't gotten the exploit to work on my system yet).

XUL applications have access to basically everything on the system. You know how you can launch files from the Firefox's Downloads window? There's nothing that prevents a skeleton XUL application from downloading a EXE and then launching it with no user interaction. The dialog that Firefox displays when launching executables is handled by the download dialog, there's nothing that requires it be displayed. (I've written an extension that launched a Windows Control Panel applet before, trust me that there's nothing really preventing XUL applications from being nasty.)

So I'm still left wondering, what was this intended for, and who thought it was a good idea?

Re:

[BZ]

> what on earth were they thinking when they implemented it?

They didn't implement it. It's a protocol Windows made up based on the names of the registry keys Firefox set to get http: URIs to open in it.

Firefox's Fault?

[DavidD_CA]

Here's the meat of the article:

Meanwhile, Kristensen of Secunia said: "A new URI handler was registered on Windows systems to allow Web sites to force launching Firefox if the 'firefoxurl://' URI was called, like ftp:// [ftp] http:/// [http] or similar would call other applications."

But because of the way the URI handler was registered by Firefox, it causes any parameter--which activates a program to perform a particular task--to be passed from Microsoft's Internet Explorer, or another application, to Firefox, when firefoxurl:// is activated.

An attacker may use "chrome" context--the interface elements of a browser that create the frame around its page displays--to inject code on a user's system that would be executed within Firefox, Kristensen said.

I interpret that as saying that the Firefox installer messed with Windows and Internet Explorer, opening a hole. Is Window/IE really to blame when another application adds "features" that end up being holes?

If Windows/IE were to filter what can and cannot happen through URI handlers, I could see developers crying foul for preventing access and locking out competition.

Further, is the onus now on Microsoft to fix a hole created by Firefox? And once they fix it, and legit things break because of it, who's fault will that be?

Re:

[Vexorian]

I interpret that as saying that the Firefox installer messed with Windows and Internet Explorer, opening a hole. Is Window/IE really to blame when another application adds "features" that end up being holes?

hmm, hell yeah? Why allow such things like letting an installer create a whole protocol anyways ? It looks like the whole idea of letting that happen is pretty lame...

Re:

[DavidD_CA]

Here's why:

http://en.wikipedia.org/wiki/URI_scheme [wikipedia.org]

Apparently a Firefox developer thought it was a good idea, too.

Re:Firefox's Fault?

[BZ]

> I interpret that as saying that the Firefox installer messed with Windows and Internet Explorer

Firefox set up the http: protocol and such to launch it. Windows synthesizes a new URI scheme based on the registry key name used for this and associates this made-up scheme with Firefox. Not much Firefox can do about this Windows "feature".

Re:

[_xeno_]

I just checked. On my system, FirefoxURL is completely stand-alone - it's does one thing, and one thing only, and that's this security hole. It does nothing else. It's not referred to by HTTP or HTTPS (both are currently set to open with Internet Explorer). In fact, it's not referred to by anything at all.

This is with a Firefox 2.0.0.4 install - never upgraded, a straight 2.0.0.4 install. If it's supposed to set Firefox to open with HTTP or HTTPS URLs, Firefox screwed it up, because it doesn't.

I read the headline....

[Actually, I do RTFA]

And thought, first my girlfriend, now firefox. I'll see a doctor about it, just stop complaining. You're just giving me performance anxiety.

Highlighting phishing sites is nice, but weak

[Animats]

Just highlighting domains of phishing sites isn't going to be enough. Here's today's list of domains that "sort of look like Paypal". These are after subdomain truncation.
"paypal-checker.com"
"paypal-contact.net"
"paypal-customize.com"
"paypal-erreur2.com"
"paypal-security.com"
"paypal-web-dll-scrnupdateaccount.ici.st"
"paypal-web-scrn-dll-pl-dai-pl-webscrndllfs-wertyu i.ork.pl"
"paypal.powered.at"
"paypal.q.fm"
"paypalaccverify.com"
"paypalcomcgibinwebscrcmd.by.ru"
"paypalcomcgibinwebscrcmm.by.ru"
"paypalcomcgibinwebscre.by.ru"
"paypalconstomers.com"
"paypalct.com"
"paypall.ro"
"paypalmd.com"
"paypalobjects.us"
"paypalsecuritycenter.org"
"paypalverification.org"
"paypel-acc-5.com"
"paypilpal.com"
"paypll-wscr.com"
"paypluspl.com"

These are from PhishTank, which blacklists at the URL level based on manual reports. For SiteTruth" [sitetruth.com], we're in the process of converting to blacklisting phishing sites by the entire base domain. That's because we now see hundreds of entries like "session-624333.nationalcity.com.userpro.tw", which has to be treated as a bad indicator for all of "userpro.tw".

There's collateral damage. There are days when "tinyurl.com" and "notlong.com" get blacklisted, because phishing sites use them. MSN gets complaints about this. [msdn.com] Today, anybody running something like "tinyurl" needs to continually check the phishing databases for attempts to abuse their service, or their own reputation is toast.

Solution for phishing: two-way login.

[master_p]

There is a solution for avoiding phishing: two-way login. Not only the user logs into a site, but the site submits a password to the user during the login sequence. The 2nd password is created during registration. If a site fails to submit the correct password to the user, then it's clearly a phishing site, even if the url is the same.

Re:

[Random832]

That is a step-by-step recipe for the perfect man-in-the-middle vulnerability.

You give your password, He gives your bank your password, The bank gives him its password, He gives you the bank's password

Whats the fuss about?

[cybergen007]

I do not get waht the fuss is all about. If firefox is started from IE that has to ring a bell. Second I get a warning from Firefox that it wants to start an external application and I can click no and nothing happens. I have never before seen that question from firefox so I have run into a website that uses this vulnerability. Beside this happens when you are surfing using IE. If you surf using IE then you are asking for problems in the first place.

Re:Ok....

[bhtooefr]

There are some sites that don't work with Firefox.

Hell, I've got Firefox on my WIndows system (but Opera is my main browser,) and I usually end up using IE for some sites.

So do I. For ones I absolutely have to trust.

[khasim]

Normally, I'm surfing with Firefox and NoScript and AdBlock and ....

It keeps me safe.

If a site doesn't work with that, then fuck them. I only need IE for some work related sites that have stupid ActiveX controls.

Mod up

[Bearhouse]

If the lame 'I use Opera post...' gets a 5, then so should yours! I should imagine that most users here do NOT use IE as their default browser, and if using Firefox, have it loaded up with Adblock, Noscript, phishtank...as do I

Re:

[AuMatar]

What sites are those? I haven't come across a site that didn't work in Mozilla in 3 or 4 years.

Re:

[jshriverWVU]

Yes QA testers. Or people who don't really pay attention and use Firefox normally. But when an app or email says "click this link" and IE is the default browser if pops up.

Re:

[deepestblue]

In fact, this is my primary usage model. I use IE 7.0 for most general browsing since it's "good enough" and it's actually more reliable than FF (crashes less often). But Firefox tabs are just way faster (actually, it's the other way around - IE tabs are horrendously slow). So for my morning-news scenario, I launch my RSS aggregator through FF and middle-click away.

Re: Firefox crashes

[bunratty]

Firefox crashes for you? Read the MozillaZine Knowledge Base article about Firefox crashes [mozillazine.org] and you can probably fix your problem.

Re:

[SEMW]

If IE tabs are too slow (which they are) and Firefox crashes too often (which it does); have you tried Opera? Best of both worlds.

Re:

[wile_e_wonka]

I could imagine web developers in the position you describe--especially old ones who are used to using IE. They still keep FF on hand to check compatability.

As for myself (I am not a web developer) I have FF installed but don't usually use it--I primarily use Opera.

Re:Kdawson...

[Farmer Tim]

That's the new text format randomizer , w'hic'h optionall'y add's inap'propriate a'p'o's' t'r'o'p'h'i'es .

It was added a couple of months ago to settle a bet whether Slashdot's editors are better than a random number generator (as yet no winner has been declared).

Re:

[StikyPad]

as yet no winner has been declared

That's only because some newb thinks dupes are evidence of a nonrandom event.

Re:

[wile_e_wonka]

I'm not sure this wouldn't work on Opera if written specificaly for it (which does still reveal a benefit of Opera--people don't usually think to write code exploiting Opera. It just isn't economical to do so). The reason I say this is because, when I click on the link above, Opera asks if it can open FF. This does not end up being detrimental because then I just end up with FF asking me if it can open FF (instead of asking to open cmd.exe). However, if the exploit were written for Opera, then I imagine

Re:

[SEMW]

opera looks somehow whacked up when installed on my ubuntu feisty.. must be the font or something????

Have you installed the msttcorefonts package (Automatix installs it, I think, and it's in ubuntu-restricted-extras)?

If so, that may be the problem. The MS fonts just don't render well in Opera on Ubuntu. Arial seems to render incredibly squashed and compressed; and Verdana, by contrast, seems abnormally horizontally stretched, compared to how they render in Windows. None of the fonts seem to be getting antialiased properly when subpixel rendering is turned on. (This is all with hinting set to 'full'; t

Re:

[Kalriath]

No.

Re:

[doti]

I heard, directly from the Mozilla guys (Asa and J.T.), that there's a plan to create a Javascript 2 that, combined with SVG, would replace Flash. The strange part is that Adobe itself is taking part of this process.

Re:

[Goaway]

Yes, yes, we know you're still stuck in 1995 when it was cool to hate JavaScript.

The rest of us realize it's actually one of the better languages in use today.