Security Issue in URL Protocol Handling on Windows

Today security firm Secunia released an advisory on a security issue found (apparently) simultaneously and independently by Greg MacManus and Billy Rios based on a previously reported issue in Safari found by Thor Larholm.

Any Windows application that calls a registered URL protocol without escaping quotes may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. This could result in a critical security vulnerability.

The vulnerability is exposed when a user browses to a malicious web page in Internet Explorer and clicks on a specially crafted link. That link causes Internet Explorer to invoke another Windows program via the command line and then pass that program the URL from the malicious webpage without escaping the quotes. This can cause data to be passed accidentally from the malicious web page to the second Windows program. In the specific attack described in the report, Internet Explorer sends URL data to Firefox. If the data is crafted a certain way it will allow remote code execution in Firefox.

A similar interaction between Safari and Firefox was reported earlier and fixed by Apple. According to Ryan Naraine at ZDNet, Microsoft is not planning to release a patch at this time.

Mozilla believes in defense in depth and will be patching Firefox in the upcoming release to mitigate the problem. This will prevent IE from sending Firefox malicious data. Other Windows programs may also be vulnerable to bad data being passed from IE although we are not aware of any at this time.

It is important to note that if you are using Firefox to browse the web you *are not* vulnerable to this attack. While we have seen no evidence of attackers exploiting this issue, there is proof of concept code available publicly. So we recommend that people use Firefox and as always take care when browsing unknown websites.

We appreciate the work of the security researchers who identified this issue and the thousands of Mozilla community members who test patches and enable us to ship fixes so quickly. Mozilla is committed to identifying, prioritizing and fixing bugs to deliver the safest online experience for its users. We fix all bugs with any security risk as part of our commitment to security.

24 comments on “Security Issue in URL Protocol Handling on Windows”

  1. Ping from Clicking links on desktop gives an error in Firefox 2 « Tech Help on

    […] details the problem as well in different […]

  2. Sally Tarbell wrote on

    Can this problem be reproduced on Sun SOLARIS?

  3. What is a URL? wrote on

    Sally Tarbell, it is a Windows vulnerability. Not Firefox/Mozilla. So SOLARIS is safe.

  4. Azizi wrote on

    I would like to express my deep appreciation for what you are doing for the people all around the world to help them to being able of communicate with each other
    As a member I want to say I am so glad that I am a member in the best of the best Internet Browser in the world.
    As well as I need your help for same problem which I have
    For example I want to be security my I-P and passing filtering Sites by V-P-N software but I don’t know how I do can do it.
    Finally I wish for all Mozilla Firefox personals to be happy and lucky and healthy that thy are working everywhere
    Waiting for your kind response
    Best regards,

More comments: 1 2