Related Security Issue in URL Protocol Handling on Windows

Window Snyder

36

On July 10th, I posted about a security issue in URL protocol handling on Windows. In the previous example, Internet Explorer was the entry point and Firefox was the application receiving the bad data.

Over the weekend, we learned about a new scenario that identifies ways that Firefox could also be used as the entry point. While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application.

We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in 2.0.0.5. We believe that defense in depth is the best way to protect people, so we’re investigating it now.

We are working to make sure that we are giving you as much information about pressing security issues as possible. We make real-time updates as we find out new information because we are committed to an open and transparent security process.

For more information: https://bugzilla.mozilla.org/show_bug.cgi?id=389106

36 responses

  1. Pingback from [SSD] Security & Development Blog » Insisto: grave riesgo amenaza a usuarios de Firefox en Windows XP on :

    […] Related Security Issue in URL Protocol Handling on Windows [Mozilla Security Blog]. […]

  2. asdf wrote on :

    Both Microsoft and Mozilla are wrong on this one.

    Microsoft either:

    1. Should have used an array of strings as opposed to a single string for CreateProcess and WinMain.
    2. Should have written ShellExecute a less naive way that validates the format string and takes an array of strings instead of a string for parameters to do things the argc/argv way.
    3. Shouldn’t have used ShellExecute for url handlers.

    Given the above situation, it’s my opinion that IE is doing the correct thing and that Mozilla is doing the incorrect thing by trying to do things based on argc/argv instead of GetCommandLine because:

    1. The ShellExecute way has 10+ years of precedence.
    2. The ShellExecute way of URL handlers has been documented forever and “fixing” this would break some apps.
    3. If Firefox tries to do it the argc/argv way, there will be a hodgepodge of programs that read the documentation and did it the IE way and others that expect the command line to work the argc/argv way. That would be an even bigger nightmare than we have now.
    4. Trying to tack on the argc/argv way given the above model is lossy and will lead to multiple escaping/unescaping which breaks the preservation recommendation in rfc3986.

  3. Pingback from Mozilla Security Blog » Blog Archives » Firefox 2.0.0.6 now available on :

    […] Related Security Issue in URL Protocol Handling on Windows […]

  4. Pingback from Firefox 2.0.0.6 now available · Get Latest Mozilla Firefox Browsers on :

    […] just released Firefox 2.0.0.6 which contains a security patch to mitigate the issue described here. The patch enables percent-encoding for spaces and double-quotes in URIs handed off to external […]

  5. Pingback from Mozilla rushes out second Firefox patch this month on :

    […] just a problem with IE. It turns out, it is a problem with Firefox as well,” she said in a blog posting . “We should have caught this […]

  6. Pingback from Mozilla Rushes Out Another Firefox Patch « TechTitans™ on :

    […] was just a problem with IE. It turns out, it is a problem with Firefox as well,” she said in ablog posting. “We should have caught this […]

  7. Pingback from Firefox 2.0.0.6 - Yes, it’s Another Update - CyberNet News on :

    […] To the surprise of the Mozilla team, Firefox (prior to 2.0.0.6) was capable of doing the exact same thing that Internet Explorer was criticized for. A hacker could use Firefox to launch another application, and possibly run malicious instructions. Now there is even some speculation that the bug is not even the fault of the browser, but is actually a flaw in Windows. Man, I can’t remember the last time that no one would take responsibility for a security-related bug like this. Pretty soon they’ll probably be blaming the clock in the System tray for it. […]

  8. Pingback from Mozilla Firefox 2.0.0.6 Released · Get Latest Mozilla Firefox Browsers on :

    […] been hypocritical not to fix the similar issue in Firefox. The Mozilla Security Blog post about the URL protocol handling flaw states that “defense in depth is the best way to protect people” (although that weblog […]

  9. Pingback from Mozilla Firefox v2.0.0.6 is available on :

    […] have just released Firefox 2.0.0.6 which contains a security patch to mitigate the issue described here. The patch enables percent-encoding for spaces and double-quotes in URIs handed off to external […]

  10. Pingback from Mozilla Firefox v2.0.0.6 is available on :

    […] just released Firefox 2.0.0.6 which contains a security patch to mitigate the issue described here. The patch enables percent-encoding for spaces and double-quotes in URIs handed off to external […]

  11. Pingback from Mozilla Firefox 2.0.0.6 Released on :

    […] been hypocritical not to fix the similar issue in Firefox. The Mozilla Security Blog post about the URL protocol handling flaw states that “defense in depth is the best way to protect people” (although that weblog […]

  12. Pingback from Official Blog for Goviphosting.com » Mozilla rushes out second Firefox patch this month on :

    […] just a problem with IE. It turns out, it is a problem with Firefox as well,” she said in a blog posting. “We should have caught this […]

  13. zend wrote on :

    A hacker could use Firefox to launch another application, and possibly run malicious instructions. Now there is even some speculation that the bug is not even the fault of the browser, but is actually a flaw in Windows. Man, I can’t remember the last time that no one would take responsibility for a security-related bug like this.

  14. Cleocin wrote on :

    been hypocritical not to fix the similar issue in Firefox. The Mozilla Security Blog post about the URL protocol handling flaw states that “defense in depth is the best way to protect people” (although that weblog

  15. Andrea wrote on :

    I use IE on my personal computer but Firefox is common on the PCs at the internet cafes here in Prague. Many hotels also use Firefox as the browser of choice on their computers reserved for guests.

    It’s my estimation that a problem occurring on both browsers on Microsoft should be fixed before we all chuck it and switch to those cool Apples that have just come out. Yeah!

  16. Day Spring Center wrote on :

    I think this is a good blog & this information is very helpful & My site Christian counseling is about counseling in Dallas, Palno, Richardson.

More comments: 1 2