Related Security Issue in URL Protocol Handling on Windows

Window Snyder

36

On July 10th, I posted about a security issue in URL protocol handling on Windows. In the previous example, Internet Explorer was the entry point and Firefox was the application receiving the bad data.

Over the weekend, we learned about a new scenario that identifies ways that Firefox could also be used as the entry point. While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application.

We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in 2.0.0.5. We believe that defense in depth is the best way to protect people, so we’re investigating it now.

We are working to make sure that we are giving you as much information about pressing security issues as possible. We make real-time updates as we find out new information because we are committed to an open and transparent security process.

For more information: https://bugzilla.mozilla.org/show_bug.cgi?id=389106

36 responses

  1. Pingback from University Update - Firefox - Permanent Link to Related Security Issue in URL Protocol Handling on Windows on ::

    [...] Link to Article firefox Permanent Link to Related Security Issue in URL Protocol Handling on Windows [...]

  2. Pingback from » Mozilla caught napping on URL protocol handling flaw | Ryan Naraine’s Zero Day | ZDNet.com on ::

    [...] security chief Window Snyder has fessed up to the gaffe exposed by Johansson: Over the weekend, we learned about a new scenario that identifies ways that [...]

  3. Aaron Margosis wrote on ::

    I think Alun Jones hits the nail right on the head in this item:

    http://msmvps.com/blogs/alunj/archive/2007/07/22/firefoxurl-url-vulnerability.aspx

    and in his comment here regarding the C/C++ argument point:

    http://msinfluentials.com/blogs/jesper/archive/2007/07/10/blocking-the-firefox-gt-ie-0-day.aspx#6570

  4. Pingback from Window Snyder fesses up - Firefox also passes "bad data" - Spyware Sucks on ::

    [...] Quote source:  http://blog.mozilla.org/security/2007/07/23/related-security-issue-in-url-protocol-handling-on-windo… [...]

  5. Pingback from XoftSpy SE Antispyware » Blog Archive » Window Snyder fesses up - Firefox also passes “bad data” on ::

    [...] Quote source:  http://blog.mozilla.org/security/2007/07/23/related-security-issue-in-url-protocol-handling-on-windo… [...]

  6. Pingback from Firefox could also be used as the entry point | GNUCITIZEN on ::

    [...] Mozilla Security Blog [...]

  7. Giorgio Maone wrote on ::

    Bug 389106 is already fixed, big kudos for biesi and the other moz devs!

    While we’re waiting for Firefox 2.0.0.6 to ship, NoScript users can enjoy an early fix: http://noscript.net/getit#direct

  8. Pingback from IE’s unescaped URLs vulnerability also present in Firefox : Mozilla Links on ::

    [...] Chief Security Officer, Window Snyder, has announced that Firefox could be used as an entry point to perform certain kinds of computer attacks in the [...]

  9. Pingback from YouTube Elevates Top Users to Partners - BlogStuffPro.com on ::

    [...] Related Security Issue in URL Protocol Handling on WindowsOn July 10th, I posted about a security issue in URL protocol handling on Windows. In the previous example, Internet Explorer was the entry point and Firefox was the application receiving the bad data. Over the weekend, we learned about… [...]

  10. Pingback from IE’s unescaped URLs vulnerability also present in Firefox · Get Latest Mozilla Firefox Browsers on ::

    [...] URLs vulnerability also present in Firefox Mozilla Chief Security Officer, Window Snyder, has announced that Firefox could be used as an entry point to perform certain kinds of computer attacks in the [...]

  11. Bill Feagin wrote on :

    I just got an automatic update from Firefox that needed to be installed. Half way through the installation, it quit saying that my current security settings did not permit me to install the updates. The program was so hung up that I had to uninstall Fire Fox all together. When I tried to reinstall Fire Fox, I got the same message saying that my current security set up did not allow me to install Fire Fox. How do I fix this ? Bill

  12. Pingback from Mozilla: Firefox is flawed just like IE on ::

    [...] a new scenario that identifies ways that Firefox could also be used as the entry point,” said Window Snyder of Mozilla. “While browsing with Firefox, a specially crafted URL could potentially be used [...]

  13. Pingback from Mozilla Admits Firefox Has Same Flaw as IE | CTF Blog on ::

    [...] a new scenario that identifies ways that Firefox could also be used as the entry point,” said Window Snyder of Mozilla. “While browsing with Firefox, a specially crafted URL could potentially be used [...]

  14. Pingback from Techzi » Blog Archive » Mozilla: Firefox is flawed just like IE on ::

    [...] a new scenario that identifies ways that Firefox could also be used as the entry point,” said Window Snyder of Mozilla. “While browsing with Firefox, a specially crafted URL could potentially be used [...]

  15. Pingback from Be:Fox » La faille critique d’exploitation du protocole URL n’est pas totalement corrigée on ::

    [...] 2.0.0.5 de Firefox, censée corriger 8 failles dont certaines avaient été jugées critiques. Sur le blog de Window Snyder, une huile de la sécurité chez Mozilla, on peut lire qu’un « nouveau scénario révèle [...]

  16. Blackstorm wrote on ::

    My apologies for the previous comment about the delay of moderation… I think, anyway that the solution lie only in a redefinition of firefoxurl URI handler… actually the quotes can be used to create bad formed url, no matter what patches you release…

  17. Pingback from Firefox: Nuove Falle, ed Imbarazzo « Simply Security on ::

    [...] quanto riguarda il problema della vulnerabilità nella gestione dei protocolli URL, su Mozilla Security Blog, Window Snyder, a capo della security strategy presso Mozilla Corporation, ha reso noto che [...]

  18. Pingback from Attack of the URL Vulnerabilities | GNUCITIZEN on ::

    [...] that has been recently discussed on multiple blogs including GC (us), Thor Larholm’s blog, Mozilla’s Security Blog, the 0×000000 hack zine and Billy (BK) Rios‘ personal blog. This time, the bug is [...]

  19. Pingback from It takes courage to admit your product is insecure | Security Insider on ::

    [...] to Mozzila’s chief security officer, Window Snyder (yes, that’s his real name), who wrote on this blog recently that Firefox was at least partly to blame for a vulnerability that affected Microsoft’s [...]

  20. Pingback from Messy URL protocol-handling drama finally winding down — Security Bytes on ::

    [...] agreed that there was an issue with IE, Mozilla has come to the same conclusion, saying that Firefox also has a problem. Mozilla’s security team, headed by Window Snyder, is investigating the issue now, Snyder [...]

  21. Pingback from [SSD] Security & Development Blog » Insisto: grave riesgo amenaza a usuarios de Firefox en Windows XP on ::

    [...] Related Security Issue in URL Protocol Handling on Windows [Mozilla Security Blog]. [...]

  22. asdf wrote on :

    Both Microsoft and Mozilla are wrong on this one.

    Microsoft either:

    1. Should have used an array of strings as opposed to a single string for CreateProcess and WinMain.
    2. Should have written ShellExecute a less naive way that validates the format string and takes an array of strings instead of a string for parameters to do things the argc/argv way.
    3. Shouldn’t have used ShellExecute for url handlers.

    Given the above situation, it’s my opinion that IE is doing the correct thing and that Mozilla is doing the incorrect thing by trying to do things based on argc/argv instead of GetCommandLine because:

    1. The ShellExecute way has 10+ years of precedence.
    2. The ShellExecute way of URL handlers has been documented forever and “fixing” this would break some apps.
    3. If Firefox tries to do it the argc/argv way, there will be a hodgepodge of programs that read the documentation and did it the IE way and others that expect the command line to work the argc/argv way. That would be an even bigger nightmare than we have now.
    4. Trying to tack on the argc/argv way given the above model is lossy and will lead to multiple escaping/unescaping which breaks the preservation recommendation in rfc3986.

  23. Pingback from Mozilla Security Blog » Blog Archives » Firefox 2.0.0.6 now available on ::

    [...] Related Security Issue in URL Protocol Handling on Windows [...]

  24. Pingback from Firefox 2.0.0.6 now available · Get Latest Mozilla Firefox Browsers on ::

    [...] just released Firefox 2.0.0.6 which contains a security patch to mitigate the issue described here. The patch enables percent-encoding for spaces and double-quotes in URIs handed off to external [...]

  25. Pingback from Mozilla rushes out second Firefox patch this month on ::

    [...] just a problem with IE. It turns out, it is a problem with Firefox as well,” she said in a blog posting . “We should have caught this [...]

  26. Pingback from Mozilla Rushes Out Another Firefox Patch « TechTitans™ on ::

    [...] was just a problem with IE. It turns out, it is a problem with Firefox as well,” she said in ablog posting. “We should have caught this [...]

  27. Pingback from Firefox 2.0.0.6 - Yes, it’s Another Update - CyberNet News on ::

    [...] To the surprise of the Mozilla team, Firefox (prior to 2.0.0.6) was capable of doing the exact same thing that Internet Explorer was criticized for. A hacker could use Firefox to launch another application, and possibly run malicious instructions. Now there is even some speculation that the bug is not even the fault of the browser, but is actually a flaw in Windows. Man, I can’t remember the last time that no one would take responsibility for a security-related bug like this. Pretty soon they’ll probably be blaming the clock in the System tray for it. [...]

  28. Pingback from Mozilla Firefox 2.0.0.6 Released · Get Latest Mozilla Firefox Browsers on ::

    [...] been hypocritical not to fix the similar issue in Firefox. The Mozilla Security Blog post about the URL protocol handling flaw states that “defense in depth is the best way to protect people” (although that weblog [...]

  29. Pingback from Mozilla Firefox v2.0.0.6 is available on ::

    [...] have just released Firefox 2.0.0.6 which contains a security patch to mitigate the issue described here. The patch enables percent-encoding for spaces and double-quotes in URIs handed off to external [...]

  30. Pingback from Mozilla Firefox v2.0.0.6 is available on ::

    [...] just released Firefox 2.0.0.6 which contains a security patch to mitigate the issue described here. The patch enables percent-encoding for spaces and double-quotes in URIs handed off to external [...]

  31. Pingback from Mozilla Firefox 2.0.0.6 Released on ::

    [...] been hypocritical not to fix the similar issue in Firefox. The Mozilla Security Blog post about the URL protocol handling flaw states that “defense in depth is the best way to protect people” (although that weblog [...]

  32. Pingback from Official Blog for Goviphosting.com » Mozilla rushes out second Firefox patch this month on ::

    [...] just a problem with IE. It turns out, it is a problem with Firefox as well,” she said in a blog posting. “We should have caught this [...]

  33. zend wrote on ::

    A hacker could use Firefox to launch another application, and possibly run malicious instructions. Now there is even some speculation that the bug is not even the fault of the browser, but is actually a flaw in Windows. Man, I can’t remember the last time that no one would take responsibility for a security-related bug like this.

  34. Cleocin wrote on ::

    been hypocritical not to fix the similar issue in Firefox. The Mozilla Security Blog post about the URL protocol handling flaw states that “defense in depth is the best way to protect people” (although that weblog

  35. Andrea wrote on ::

    I use IE on my personal computer but Firefox is common on the PCs at the internet cafes here in Prague. Many hotels also use Firefox as the browser of choice on their computers reserved for guests.

    It’s my estimation that a problem occurring on both browsers on Microsoft should be fixed before we all chuck it and switch to those cool Apples that have just come out. Yeah!

  36. Day Spring Center wrote on ::

    I think this is a good blog & this information is very helpful & My site Christian counseling is about counseling in Dallas, Palno, Richardson.