
Firefox and IE Still Not Getting Along

Posted by Zonk
from the kids-kids-kids dept.
juct writes "Heise describes a new demo showing how Firefox running under Windows XP SP2 can be abused to start applications. For this to work, however, Internet Explorer 7 needs to be installed. This severe security problem promises another round in the 'who-is-to-blame-war' between Mozilla and Microsoft. Mozilla currently is leading the race for a patch, as they have one ready in their bugzilla database. 'The authors of the demo note that there are many further examples of such vulnerabilities via registered URIs. What is so far visible is just "the tip of the iceberg". They state that registered URIs are tantamount to a remote gateway into your computer. To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.'"

  • No problem (Score:5, Funny)

    by Anonymous Coward on Thursday July 26, 2007 @02:36PM (#20000371)
    IE is the better browser. Just use that one.
  • by SolusSD (680489) on Thursday July 26, 2007 @02:38PM (#20000409) Homepage
    All the intertwined security problems HAVE to be caused by Firefox, right? I mean-- Microsoft surely knows how to write applications using their own APIs on the operating system *they* developed.
    • by Blakey Rat (99501)
      Microsoft surely knows how to write applications using their own APIs on the operating system *they* developed.

      What makes you think there's any overlap in the IE team and the Windows team? Out of curiosity. I think people who say things like this don't realize how huge Microsoft is. They have something like 70,000+ employees.
      • by SolusSD (680489)
        It isn't too much to ask for an internal programming team to know how to correctly use APIs the company developed. It *is* pathetic when they make mistakes like this. Just because they are big doesn't mean they have an excuse to be unorganized-- though having that many employees is usually a consequence of being unorganized, and for that matter, usually makes things worse.
        • by Shados (741919)
          I'm not quite sure you are aware of how much API Microsoft developed... I don't think it's humanly possible, honestly. And each of those APIs are quite large, and projects can touch quite a few. Learning 80% of the ones they're touching? Yes, definitely. Learning 100%? That's just not realistic.
          • by SolusSD (680489)
            Learn how to correctly use the functions of the parts of the API they're touching. YES. 100% is _not_ unrealistic.
    • Microsoft surely knows how to write applications using their own APIs on the operating system *they* developed.

      If by "developing" you mean "IT'S ALIVE, IGOR!! IT'S ALIVE!!!", then, yes, I agree with you! :)
  • on my Ubuntu machine or my Mac, you insensitive clod!

    Actually, I don't have it on my XP-Pro SP2 machine I use to run Quickbooks, either.
  • Errr (Score:2, Insightful)

    To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.
    What, sort, of, sentence, is, that?!
    • Re: (Score:2, Funny)

      by GreenEnvy22 (1046790)
      I believe that would be one from the William Shatner school of grammar.
    • by snowgirl (978879)
      I thought that the sentence was generally unnecessary, also. Yes, geeks will understand it, yes Slashdot is targeting geeks... but why should we be acting so damn pretentious?
    • I agree. It sounds like the users should be elucidating which URIs are superfluous, whereas it was probably intended that the author be the one doing the elucidating.
    • by andawyr (212118)
      A perfect demonstration of the incorrect usage of the comma.
      • A perfect demonstration of the incorrect usage of the comma.

        Absolutely, but it, could, be, wor,se.,, I, gues,s,.
    • Worst sentence I've read in a while, and during lunch I had to listen to a friend copyediting some weenie who routinely left out the verbs in his sentences.

      Elucidate and superfluous are dross from a word of the day calendar; the English major equivalent of e-penis. Three separate comma separated subclauses in the sentence. Overuse of the passive voice. The use of an uncommon acronym (URI) can perhaps be forgiven since it's Slashdot. Hyphens are hard to use well, and should NOT be used unless you know exactl
  • !Root (Score:4, Funny)

    by rustalot42684 (1055008) <fake AT account DOT com> on Thursday July 26, 2007 @02:43PM (#20000501)
    Maybe if they weren't running as root *all the time*, they wouldn't have so many problems.
  • The question of who is responsible for this vulnerability is again likely to be the subject of heated debate. In the previous cross browser vulnerability, Internet Explorer was passing crafted URLs to Firefox. In that case, the IE team denied all responsibility, stating that, "It is the responsibility of the receiving (called) application to make sure it can safely process the incoming parameters." If this is the case, then it would be Microsoft rather than Mozilla who find themselves forced to make the nex

  • by supremebob (574732) <themejunky@@@geocities...com> on Thursday July 26, 2007 @02:43PM (#20000515) Journal
    I tried this on my computer, and the mailto: tag ended up getting redirected to my GMail account. Thanks, Google Toolbar!

    Once again, Google saves the day! Is there nothing that Google can't do? :)
  • Only the one at the very bottom, listed as requiring user interaction, functions in Seamonkey and succeeds in launching Windows Calculator. The mailto: one starts Seamonkey's mail and newsgroups. All the others just bring up an address not found error page.
  • Not just Firefox. (Score:5, Informative)

    by miffo.swe (547642) <daniel DOT hedblom AT gmail DOT com> on Thursday July 26, 2007 @02:55PM (#20000685) Homepage Journal
    Just about any application can forward malicious data to IE7. Microsoft can blame Firefox all they want but the hole will still exist in IE7 after having been patched by the Mozilla org. I repeat, the hole is accessible from any application connecting to the internet, not just Firefox. IE6 does not have this security issue so it's safe to assume the fault lies with Microsoft. Last time when the roles were the other way around, when Firefox passed malicious things onto IE Microsoft said the receiving application was at fault because it should check if it could handle what it received. Well, this time that's just how it is, IE7 does not check what it receives at all. In short, IE7 is unsafer in this case than IE6 was and the fault does according to previous statements from Microsoft not lie in the sending application (Firefox) but in the receiver (Internet Explorer 7).
    • Re:Not just Firefox. (Score:5, Informative)

      by KiltedKnight (171132) * on Thursday July 26, 2007 @03:24PM (#20001051) Homepage Journal
      Based on what is said in TFA, if you pass the specially crafted URI into the Start->Run box, it will produce the same results.

      This indicates that the problem is in Windows' parsing of URIs... as stated in the article. It's the handling of the NULL (%00) byte.

      This has absolutely nothing to do with Firefox, but kudos to the Mozilla developers for trying to block the opening of null-byted URIs.

      • by griffjon (14945) <GriffJon.gmail@com> on Thursday July 26, 2007 @04:36PM (#20002105) Homepage Journal
        as stated in the article. It's the handling of the NULL (%00) byte.

        At the risk of abusing a double negative, Windows can't even do nothin' right.
  • by pla (258480) on Thursday July 26, 2007 @03:03PM (#20000787) Journal
    To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.

    I can answer that one for ya - Everything that Firefox doesn't handle internally; So basically, kill everything except "http", "https", and "ftp".

    If you want to send email, open your email program and paste the address in. If you want to read newsgroups, open your newsreader and select the desired group. If you want to use some specialized protocol that requires a dedicated app anyway (like many P2P URIs), open them in the appropriate program.

    Your web browser should not serve as a no-click interface to every network-enabled app on your machine. Period.
  • Kinda cool (Score:5, Insightful)

    by d3ac0n (715594) on Thursday July 26, 2007 @03:22PM (#20001015)
    Actually, while incredibly insecure, it is kinda cool to be able to slap in any program path in that malformed string and open any program.

    For example, try this one if you have EVE installed on your PC: (You will have to copy-paste it as the Slashdot filter prevents the links from working.)

    snews:%00%00../../../../../../windows/system32/cmd ".exe../../../../../../../../Program Files/CCP/EVE/eve.exe " - " blah.bat

  • If IE7 is to blame, then how come it isn't vulnerable to such malformed URIs? Presumably it already checks for these 0x00 characters, whereas FF didn't until 3.0a7.
    • by TheNicestGuy (1035854) on Thursday July 26, 2007 @05:11PM (#20002595)

      Because technically it's not IE7 that's broken and allowing the exploit. It's Windows' routines that route and execute arbitrary protocol requests. It goes like this:

      User clicks an email link, which starts with "mailto:" instead of "http:".
      Firefox sees "mailto:" and realizes it's not a protocol it's designed to handle.
      Firefox says, "Hey, Windows, I don't know what to do with a mailto: request. You handle it."
      Windows compares the mailto: to its list of registered handlers, decides that Outlook Express is the application the user really wants, and launches it.

      The bug, however, is that corrupting the part after mailto: with null characters causes that last step to malfunction and blithely pass the remainder of the request directly to the Windows shell, not Outlook Express, allowing it to do pretty much anything the user is allowed to. Two things should be clear here. First, that it's not really Firefox's fault. Invalidating or truncating the link if it contains null characters is certainly a good idea, but that doesn't mean that Windows' bug is justified. As has been pointed out, the bug would still be a problem for any other application that passes requests to the protocol handler.

      The second thing is the answer to your question. Notice that Internet Explorer was not involved in this exchange at all. Even if it were registered as one of the protocol handlers it would be irrelevant, as the bug prevents the real handler from ever being launched. The reason IE7 is dragged into this is because something about the protocol handling routines changes when you install it, such that the exploit is not possible before and is possible after.

      So it's a bug in the IE7 installation, not really IE7 itself.
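
Added example, not part of the original thread and not Mozilla's actual patch: the comment above notes that invalidating a link containing null characters before it is handed to the OS protocol handler is a good idea, and an earlier comment suggests keeping the set of externally dispatched schemes small. The JavaScript sketch below combines both as a pre-dispatch check and goes slightly beyond the NUL case by rejecting other control characters and nested percent-encoding; all function names, the allowlist contents and the sample URIs are constructed assumptions.

```javascript
// Schemes the browser handles itself; these never reach the OS dispatcher.
const INTERNAL_SCHEMES = new Set(["http", "https", "ftp"]);
// Assumption: the only external handler this policy permits.
const EXTERNAL_ALLOWLIST = new Set(["mailto"]);

// Decode %XX escapes one layer deep without throwing on malformed input.
function percentDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// True if the URI carries a NUL or other C0 control character, raw or hidden
// under layers of percent-encoding (%00, %2500, ...). Fails closed when the
// string is still changing after four decoding rounds.
function hasControlChars(uri) {
  let current = uri;
  for (let round = 0; round < 4; round++) {
    if (/[\u0000-\u001f\u007f]/.test(current)) return true;
    const decoded = percentDecode(current);
    if (decoded === current) return false;
    current = decoded;
  }
  return true;
}

// Decide what to do with a clicked URI before any external dispatch.
function checkExternalUri(uri) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(uri);
  if (!m) return { action: "block", reason: "no-scheme" };
  if (hasControlChars(uri)) return { action: "block", reason: "control-character" };
  const scheme = m[1].toLowerCase();
  if (INTERNAL_SCHEMES.has(scheme)) return { action: "internal", reason: "handled-in-browser" };
  if (!EXTERNAL_ALLOWLIST.has(scheme)) return { action: "block", reason: "scheme-not-allowlisted" };
  return { action: "external", reason: "ok" };
}

// Constructed sample URIs for demonstration.
const SAMPLES = [
  "mailto:joeuser@domain.foo",
  "mailto:%00%00constructed-sample",
  "MAILTO:%2500constructed-sample",
  "snews:constructed.group",
  "https://example.org/",
];
for (const uri of SAMPLES) {
  const { action, reason } = checkExternalUri(uri);
  console.log(`${action.padEnd(8)} ${reason.padEnd(24)} ${JSON.stringify(uri)}`);
}
```

The control-character rule is deliberately strict: it also rejects mailto: links that encode line breaks in a message body, which a real deployment might choose to permit.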

    • by Todd Knarr (15451)

      Because it isn't IE7 that's being exploited. It's the part of Windows that matches URIs to programs to open them via registry entries. IE7 comes into it because those routines in Windows are really part of IE (remember that IE's an integral part of Windows). When you install IE7, you install a new system library with new implementations of those routines that replace the ones from IE6, and said new implementations contain the bug that's being exploited.

      This is also a good illustration of why making core pa

  • Possible Workaround (Score:2, Informative)

    by BlakeReid (1033116)
    FTA:

    The latest version of the Firefox extension NoScript also filters URLs that are passed to external handlers. Once installed, at least the demo exploits only open empty windows, while for example normal mailto:-URLs [mailto] still work.


    Looks like http://noscript.net/ [noscript.net] will cover you if you're looking for a temporary fix.
    • I tried NoScript with Firefox in my knoppix remaster. [geocities.com] Had to take it out, too much trouble to use Firefox with the NoScript extension, for the average user. Does work, however, and if you are enough of a geek, you'll get used to it. I doubt NoScript is needed with a livecd linux, but would be useful for Windows. Would turn the tables on "desktop adoption".
      A linux desktop with Firefox such as I provide in the Remaster, is much easier to live with for non-techie users, compared to a Windows desktop with Firef
  • by Anonymous Coward
    In college they had a computer lab of OSX machines that was locked down from using the terminal and other applications. I fired up firefox (because I am not too fond of Safari) and did telnet:// [telnet] and it just opened up the terminal. Same thing happened with ichat, which was installed but I couldn't run it from the desktop. ichat://.

    Thanks Mac-Firefox :-)
  • ...if you install Firefox on a non-C: drive, like me.
  • by Torodung (31985) on Thursday July 26, 2007 @05:11PM (#20002593) Journal
    Here's a solution. Look at your status bar. If you see some wacko, malformed mailto: address appear when you hover over the link, don't click on it. The damned thing is longer than my arm! If it doesn't say joeuser@domain.foo, don't click. That simple.

    I know no one here is dumb enough to click like a hamster hitting the feeder bar for pellets, so that's basically for rhetorical effect. But I want to know why these Heise security "gurus" are hyping Firefox "flaws" that are barely exploitable (the other day it was about a web domain being able to "steal" passwords for its own domain), and not nearly capable of causing the kind of damage they claim. Where do they get off attributing a Windows Mail exploit to Firefox, and how on earth would a conscious user fall for this? The exploit or the FUD?

    A remote gateway? Baloney. You have to *click* on the mailto: (nntp:, etc.) to get it to even work. And even then, there'd have to be malicious code on your system in the first place to run. Calculator isn't a payload, folks. You need to have a trojan on board, in a default location, and then you need to click on another trojan (the malformed link). If the user is that stupid, they're already botnetted from double-clicking on "b00b13z.avi.wsf". It's FUD, FUD and more FUD.

    A machine is only as secure as its user is wise.

    Plus, you have to be running IE7, which most Firefox users aren't, unless you got sucker punched into loading Vista.

    And Heise spins this as somehow being Mozilla's problem? You could create the same situation with Lynx for crying out loud! All it takes is a malformed mailto: link. The command line will do it! That means you'd better watch out for malicious BATCH files, folks, because that's all it'll take.

    No one on Slashdot is stupid enough to fall for that right? At least batch files are still "open source."

    And since it doesn't happen with IE6, or if you have any sensible mail programs installed, clearly IE7's suite, Windows Mail in particular, has a flaw. A big juicy exploitable flaw. Else, Lynx has its first 0-day exploit.

    And you bet it'll slip past the UAC, if that's not a clear warning shot to you Vista boosters. Thank you Mozilla for having the sense to fix this problem even though it isn't your problem. You are proving that FOSS is the easiest code base to secure.

    Boy, this kind of shoddy, FUD-laden, biased coverage really makes me mad. This has nothing to do with Firefox and everything to do with Microsoft not understanding its own code base and OS security structures.

    --
    Toro
    • As a follow up, I actually tried to make Lynx pass the puked URI to Windows and it wouldn't do it. It has its own handlers. Security through "stone knives and bearskins" still works. ;^)

      --
      Toro
    • Re: (Score:2, Insightful)

      by xssniper (1133469)
      It's great to know that you FULLY understand the security implication of this issue. If everyone was like you we would all be SO MUCH SAFER!!

      The Proof of Concepts I provided are exactly that... PROOF OF CONCEPT! In my examples, I purposely place the exploit behind a link, so that you know and control what's coming. I could have easily placed the payload in a "body onload" tag and you would have just been hit with it... no user interaction required.

      To make matters worse, when you combine something
    • by jmv (93421) on Friday July 27, 2007 @02:38AM (#20006995) Homepage
      Here's a solution. Look at your status bar. If you see some wacko, malformed mailto: address appear when you hover over the link, don't click on it. The damned thing is longer than my arm! If it doesn't say joeuser@domain.foo, don't click. That simple.

      Not that simple. Many browsers allow the remote site to change the string in the status bar by default (that's the first thing I disable). Until browsers show you the real destination by default, you can't expect people to notice the malformed mailto:
  • by Lost Penguin (636359) on Thursday July 26, 2007 @05:29PM (#20002859) Homepage
    Set WshShell = WScript.CreateObject("WScript.Shell")
    intReturn = WshShell.Run("del c:\windows\iexplore.exe")
    WshShell.Popup "Windows is now secure."
  • Greasemonkey script removes null from URLs [userscripts.org]
