Firefox and IE Still Not Getting Along

juct writes "Heise describes a new demo showing how Firefox running under Windows XP SP2 can be abused to start applications. For this to work, however, Internet Explorer 7 needs to be installed. This severe security problem promises another round in the 'who-is-to-blame-war' between Mozilla and Microsoft. Mozilla currently is leading the race for a patch, as they have one ready in their bugzilla database. 'The authors of the demo note that there are many further examples of such vulnerabilities via registered URIs. What is so far visible is just "the tip of the iceberg". They state that registered URIs are tantamount to a remote gateway into your computer. To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.'"
  • by Anonymous Coward on Thursday July 26, 2007 @02:48PM (#20000581)
    It is Firefox's fault. They're invoking a Windows API directly without doing any sanity checking on the input.

    If I create a URL that manages to get Firefox to tell Windows to run a command, how is that Windows' fault? Firefox is the one that told Windows to execute the command, Windows just did what Firefox told it to do.
  • by SolusSD ( 680489 ) on Thursday July 26, 2007 @02:55PM (#20000679) Homepage
    Executing a program is one thing -- allowing the installation and execution of a virus is another. Since most Windows users run as admins, it is enough just to gain some access to the user's account (maybe through Firefox) to install malicious code. Of course, as the article suggests, the "bug" only exists when IE7 is installed.
    Also... I'm pretty sure if Windows were a person he would punch himself in the genitals if he was asked to.
  • Re:bug database (Score:5, Interesting)

    by Alwin Henseler ( 640539 ) on Thursday July 26, 2007 @03:34PM (#20001201)

    Unfortunately it doesn't fix the real problem, only makes FF work around it. Other applications could have the same issue on affected systems. According to TFA:

    (..) one reason for the new vulnerability is that Windows XP interprets the string %00 incorrectly. As a result, instead of the URL protocol handler, the FileType handler is called with the complete URL, via which it is then possible to call further programs with arbitrary arguments.

    If this is true, it is the URL protocol handler that needs a patch (or whatever replaces/modifies its behaviour when IE7 is installed).

    One more reason I prefer Open Source software: If you're a developer and run into a problem like this, then besides working around it in your application, you also have the option to fix the actual problem (in this case, the OS component that handles URLs). Next to impossible on a closed source OS.

  • by mhall119 ( 1035984 ) on Thursday July 26, 2007 @03:36PM (#20001227) Homepage Journal
    Since the URLs have the same effect if they are launched from the Windows Start menu, and presumably from any application that passes URLs to Windows' URL handler, I don't see how this is Firefox's fault. Combine that with the fact that the URL is valid (%00 is valid URL encoding), and the fact that the flaw only exists when IE7 is installed, and you have a very hard time blaming Firefox for this.

    That said, I completely agree with you on the firefoxurl: flaw.
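The first comment asks for a sanity check on the input before a browser hands a URI to the OS, and the quoted Bugzilla note shows why a percent-encoded %00 matters. The check below is an added example (not Mozilla's code and not from the article): it percent-decodes to bytes so that encoded control characters are caught, and only dispatches schemes on a constructed allowlist.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed allowlist: schemes this host is willing to hand to an external handler.
# Anything not listed (e.g. a newly registered URI scheme) is refused by default.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def check_external_uri(uri: str, allowed=ALLOWED_SCHEMES):
    """Return (ok, reason). ok is True only when uri is safe to pass to an OS protocol handler."""
    m = _SCHEME_RE.match(uri)
    if not m:
        return False, "no syntactically valid scheme"
    scheme = m.group(1).lower()
    if scheme not in allowed:
        return False, f"scheme {scheme!r} is not on the allowlist"

    # Decode percent-escapes to raw bytes so %00, %0A etc. are seen as the control
    # bytes they encode; a handler that truncates on NUL or splits on newline would
    # otherwise receive something different from what the URI parser validated.
    decoded = unquote_to_bytes(uri)
    for b in decoded:
        if b < 0x20 or b == 0x7F:
            return False, f"control byte 0x{b:02x} present after percent-decoding"

    # Unencoded whitespace or quotes let the handler's command line be re-tokenised.
    if any(c in uri for c in ' \t"'):
        return False, "unencoded whitespace or quote character"
    return True, "ok"


def dispatch(uri: str) -> str:
    """Constructed stand-in for handing the URI to the OS: only returns the action taken."""
    ok, reason = check_external_uri(uri)
    return f"launch handler for {uri}" if ok else f"refused: {reason}"
```

`dispatch` stands in for the real OS call so the check can be exercised offline; in a browser the refusal branch would be logged rather than passed on.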
  • Re:Not just Firefox. (Score:3, Interesting)

    by KiltedKnight ( 171132 ) * on Thursday July 26, 2007 @04:36PM (#20002113) Homepage Journal
    I suggest you go back and read the article.

    If you prefer the Readers' Digest version with your helping of crow:

    Installing IE 7 clearly changes the way Windows processes URIs. This is clearly illustrated by what happens if you pass the "bad" link directly to the Windows shell via the "Run" option in the Start menu. With IE6 installed, Outlook Express is launched, with IE7, cmd.exe and the calculator.
    And

    According to the Bugzilla entry for this problem, one reason for the new vulnerability is that Windows XP interprets the string %00 incorrectly. As a result, instead of the URL protocol handler, the FileType handler is called with the complete URL, via which it is then possible to call further programs with arbitrary arguments.
  • by Anonymous Coward on Thursday July 26, 2007 @04:38PM (#20002137)
    In college they had a computer lab of OS X machines that was locked down from using the terminal and other applications. I fired up Firefox (because I am not too fond of Safari) and did telnet:// and it just opened up the terminal. Same thing happened with iChat, which was installed but I couldn't run it from the desktop. ichat://.

    Thanks Mac-Firefox :-)
  • by 140Mandak262Jamuna ( 970587 ) on Thursday July 26, 2007 @04:44PM (#20002229) Journal
    The download folder could be a subfolder of the cache folder, without any execute privilege. If you download an executable that you really want to run, you should move it using the file manager to another location with execute privilege and then run it. Painful? Maybe. Inconvenient? Definitely. But safe. Convenience should never trump safety.

    If you leave your door open, the cable guy can come in anytime and fix your cable box. You don't have to house sit over that stupid four hour window. Would you do that? Then why do people put up such great resistance to the idea that you must take action, not doable by the browser alone, to download and execute a file from the internet?

  • Re:No problem (Score:4, Interesting)

    by Chineseyes ( 691744 ) on Thursday July 26, 2007 @05:35PM (#20002931)
    In Windows, no, but in Linux using KDE, fish:// is a godsend.
