Security Issue in URL Protocol Handling on Windows

Today security firm Secunia released an advisory on a security issue found (apparently) simultaneously and independently by Greg MacManus and Billy Rios based on a previously reported issue in Safari found by Thor Larholm.

Any Windows application that calls a registered URL protocol without escaping quotes may be used to pass unexpected and potentially dangerous data to the application that registers that URL protocol. This could result in a critical security vulnerability.

The vulnerability is exposed when a user browses to a malicious web page in Internet Explorer and clicks on a specially crafted link. That link causes Internet Explorer to invoke another Windows program via the command line and pass that program the URL from the malicious web page without escaping the quotes. As a result, data from the malicious web page can be passed unintentionally to the second Windows program. In the specific attack described in the report, Internet Explorer sends URL data to Firefox. If the data is crafted in a certain way, it will allow remote code execution in Firefox.

A similar interaction between Safari and Firefox was reported earlier and fixed by Apple. According to Ryan Naraine at ZDNet, Microsoft is not planning to release a patch at this time.

Mozilla believes in defense in depth and will be patching Firefox in the upcoming 2.0.0.5 release to mitigate the problem. This will prevent IE from sending Firefox malicious data. Other Windows programs may also be vulnerable to bad data being passed from IE, although we are not aware of any at this time.
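To make the hand-off and the two places it can be stopped concrete, here is an added example (not code from Mozilla, Microsoft or the advisory) showing how an unescaped quote in a URL turns one handler argument into several, beside a caller that percent-encodes it and a handler that rejects extra arguments. The `exampleapp:` registration, its path, `--extra-flag` and the sample URL are constructed for illustration, the parser is a simplified version of the Windows C runtime quoting rules, and the receiving-side check is a hypothetical one, not the Firefox 2.0.0.5 change.

```python
# Added example. The handler registration, URL and flag below are constructed.
TEMPLATE = r'"C:\Program Files\ExampleApp\app.exe" -url "%1"'  # hypothetical
SAMPLE_URL = 'exampleapp:page" --extra-flag "value'            # constructed input

def split_cmdline(cmd):
    """Split a command line with the (simplified) MSVC runtime quoting rules."""
    args, cur, in_quotes, started, i = [], [], False, False, 0
    while i < len(cmd):
        c = cmd[i]
        if c == "\\":
            n = 0
            while i < len(cmd) and cmd[i] == "\\":
                n, i = n + 1, i + 1
            if i < len(cmd) and cmd[i] == '"':
                cur.append("\\" * (n // 2))   # pairs of backslashes collapse
                if n % 2:                     # odd count: the quote is literal
                    cur.append('"')
                    i += 1
            else:
                cur.append("\\" * n)          # not before a quote: literal
            started = True
            continue
        if c == '"':
            in_quotes, started = not in_quotes, True
        elif c in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(c)
            started = True
        i += 1
    if started:
        args.append("".join(cur))
    return args

def build_naive(url):
    """Calling side as described above: the URL is pasted into %1 unescaped."""
    return TEMPLATE.replace("%1", url)

def build_escaped(url):
    """Calling side, hardened: encode characters that can end the quoted argument."""
    for ch, enc in (('"', "%22"), ("\\", "%5C"), (" ", "%20")):
        url = url.replace(ch, enc)
    return TEMPLATE.replace("%1", url)

def handler_accepts(argv):
    """Receiving side (defense in depth): expect exactly program, -url, one value."""
    return len(argv) == 3 and argv[1] == "-url"
```

With the constructed URL, the naive command line parses into five arguments, while the escaped one keeps the whole URL as the single value after `-url`.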

It is important to note that if you are using Firefox to browse the web you *are not* vulnerable to this attack. While we have seen no evidence of attackers exploiting this issue, proof-of-concept code is publicly available. We therefore recommend that people use Firefox and, as always, take care when browsing unknown websites.

We appreciate the work of the security researchers who identified this issue and the thousands of Mozilla community members who test patches and enable us to ship fixes so quickly. Mozilla is committed to identifying, prioritizing and fixing bugs to deliver the safest online experience for its users. We fix all bugs with any security risk as part of our commitment to security.

24 comments on “Security Issue in URL Protocol Handling on Windows”

  1. Ping from University Update - Firefox - Permanent Link to Security Issue in URL Protocol Handling on Windows on

    […] Link to Article firefox Permanent Link to Security Issue in URL Protocol Handling on Windows » […]

  2. Giorgio Maone wrote on

    It’s worth noticing that Firefox users with NoScript installed have already been protected both from MacManus/Larholm remote code execution and from Rios “Universal XSS” since June 22nd, see http://noscript.net/changelog#1.1.4.9.070622

    More in general, they’re protected from chrome privilege escalation gained by opening non-chrome URLs in top-level chrome windows (Larholm’s PoC) and from javascript: URLs being loaded in externally opened browser shells (Rios’ PoC), no matter if attempted through the firefoxurl: handler (like in this specific case) or by other yet unknown means.

  3. Ping from » Microsoft should block that IE > Firefox attack vector | Zero Day | ZDNet.com on

    […] Snyder, in a follow-up blog entry, spells it out clearly. Any Windows application that calls a registered URL protocol without […]

  4. Ping from Blitz - Stiri zilnice din IT, IT&C: tehnologie, internet, telecom, gadgets, jocuri » Stiri IT - Blitz RO » Vulnerabilitate de browser, dar a cui e vina? on

    […] seems to apply in this situation. Window Snyder, head of the security division at Mozilla, stated that Mozilla developers will create a patch so that Firefox no longer accepts any kind of data […]

  5. Ping from Bloggers fixate on Google security moves — Security Bytes on

    […] Since I posted that, Mozilla security chief Window Snyder has sounded off about the flaw in her blog. […]

  6. Ping from homeathk.net » 研究人員發現透過IE影響Firefox的怪異漏洞 on

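    […] Mozilla's official blog explains that when a user browses a malicious website through IE and clicks a malicious link, other Windows applications may be launched through the command line in IE, and malicious information will be passed to those other Windows applications; if the malicious link causes IE to launch Firefox, an attacker can then remotely execute arbitrary code in Firefox. […]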

  7. Charles Burnaford wrote on

    Can the problem be reproduced on Linux?

  8. Ping from Firebug - Network Tools Network Monitoring Network Administration Network Diagnostics News Reviews Interviews » A serious browser vulnerability, but whose? on

    […] but failure being an orphan seems fitting here. Window Snyder, who heads security at Mozilla, wrote that Mozilla developers will patch Firefox so it no longer accepts bad data from IE. But she […]

  9. Ping from FreeSoftNews » Blog Archive » Fedora Weekly News Issue 96 on

    […] http://blog.mozilla.org/security/2007/07/10/security-issue-in-url-protocol-handling-on-windows/ […]

  10. Ping from [EU/CH] Risiken und Nebenwirkungen: Firefox rei on

    […] nicht

  11. Trackback from Internet Explorer security flaw affects Firefox... on

    Internet Explorer security flaw affects Firefox…

    I was perusing Information Week as I often visit them due to the wealth of topics when I came across this. If you have both Internet Explorer and Mozilla Firefox on your computer, you could be at risk for a URL flaw caused by Internet Explorer passing…

  12. Ping from Mozilla Security Blog » Blog Archives » Fix for Windows URL Protocol Handling Problem in Firefox 2.0.0.5 on

    […] Security Issue in URL Protocol Handling on Windows […]

  13. Ping from Update your Firefox!! | Razor Consulting on

    […] http://blog.mozilla.org/security/2007/07/10/security-issue-in-url-protocol-handling-on-windows/ http://secunia.com/advisories/25984/ http://www.securityfocus.com/bid/24837 […]

  14. Ping from homeathk.net » Mozilla修補Firefox漏洞 on

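    […] Mozilla previously explained the vulnerability on its official blog, noting that when a user browses a malicious website through IE and clicks a malicious link, other Windows applications may be launched through the command line in IE, and malicious information will be passed to those other Windows applications; if the malicious link causes IE to launch Firefox, an attacker can then remotely execute arbitrary code in Firefox. […]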

  15. Ping from Mozilla Security Blog » Blog Archives » Related Security Issue in URL Protocol Handling on Windows on

    […] Security Issue in URL Protocol Handling on Windows […]

  16. Ping from Related Security Issue in URL Protocol Handling on Windows · Get Latest Mozilla Firefox Browsers on

    […] Security Issue in URL Protocol Handling on Windows On July 10th, I posted about a security issue in URL protocol handling on Windows. In the previous example, Internet Explorer was the entry point and Firefox was the application […]

  17. Ping from .: Daniel Melanchthon :. : Man zeigt nicht mit dem Finger auf andere Leute on

    […] Mozilla believes in defense in depth and will be patching Firefox in the upcoming 2.0.0.5 release to… […]

  18. Firefox wrote on

    Can the problem be reproduced on Linux?
    yes!!!

  19. Ping from Larholm.com - Me, myself and I » Handling URL protocol handlers on

    […] protocol handlers. Jesper Johanson has expressed his thoughts, as has David LeBlanc, Billy Rios, Window Snyder and pdp. Billy Rios just detailed yet another potential attack vector for protocol […]

  20. Ping from Exchangepedia Blog - » FireFox 2.0.0.6: Mozilla fixes the IE security hole that wasn't on

    […] 10: Mozilla’s head of Security Strategy Window Snyder writes: “Today security firm Secunia released an advisory on a security issue found (apparently) […]

  21. Ping from Clicking links on desktop gives an error in Firefox 2 « Tech Help on

    […] details the problem as well in different […]

  22. Sally Tarbell wrote on

    Can this problem be reproduced on Sun SOLARIS?

  23. What is a URL? wrote on

    Sally Tarbell, it is a Windows vulnerability. Not Firefox/Mozilla. So SOLARIS is safe.

  24. Azizi wrote on

    I would like to express my deep appreciation for what you are doing for the people all around the world to help them to be able to communicate with each other.
    As a member, I want to say I am so glad that I am a member in the best of the best Internet Browser in the world.
    As well, I need your help for same problem which I have.
    For example, I want to secure my I-P and pass filtering sites by V-P-N software, but I don’t know how I can do it.
    Finally, I wish for all Mozilla Firefox personnel to be happy and lucky and healthy, that they are working everywhere.
    Waiting for your kind response
    Best regards,
    19/01/2009
    Azizi