Firefox and IE Still Not Getting Along
juct writes "Heise describes a new demo showing how Firefox running under Windows XP SP2 can be abused to start applications. For this to work, however, Internet Explorer 7 needs to be installed. This severe security problem promises another round in the 'who-is-to-blame-war' between Mozilla and Microsoft. Mozilla currently is leading the race for a patch, as they have one ready in their bugzilla database. 'The authors of the demo note that there are many further examples of such vulnerabilities via registered URIs. What is so far visible is just "the tip of the iceberg". They state that registered URIs are tantamount to a remote gateway into your computer. To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.'"
No problem (Score:5, Funny)
Re: (Score:2)
Re:No problem (Score:4, Interesting)
Re: (Score:2)
Re:No problem (Score:4, Funny)
Re: (Score:2)
Personally I use news: a lot, MS HTML help uses ms-help:, and I've found the res: handy as well for some programs.
Re: (Score:2)
Re:its worth noting (Score:5, Funny)
Obviously firefoxs fault (Score:5, Funny)
Re: (Score:2)
What makes you think there's any overlap in the IE team and the Windows team? Out of curiosity. I think people who say things like this don't realize how huge Microsoft is. They have something like 70,000+ employees.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:Obviously firefoxs fault (Score:5, Funny)
If by "developing" you mean "IT'S ALIVE, IGOR!! IT'S ALIVE!!!", then, yes, I agree with you!
Re: (Score:2, Funny)
Re:Obviously firefoxs fault (Score:5, Funny)
OS: *gets out gun and shoots dog dead*
Browser: "WTF? What did you do that for?"
OS: "You told me to."
Browser: "I told you to feed it!"
OS: "Yeah, I changed the definition of that yesterday to 'shoot dead'."
just forgot to inform you about a default param (Score:3, Funny)
Re:Obviously firefoxs fault (Score:4, Insightful)
Re: (Score:2)
Then again, if you open a mailto link and Malicious App 2.0 opens, you've ALREADY been compromised by Malicious App 1.0, already on your system, having modified your registry. With those kind of permissions, whatever payload Malicious App 2.0 has could have been done anyway by Malici
Re:Obviously firefoxs fault (Score:5, Funny)
Re: (Score:2)
According to the article, this happens when you click on a mailto: link with escaped null bytes in it, and instead of launching the registered mail client (i.e., Outlook), a command specified in the URI (calc.exe) is executed. This seems to work regardless of which URI scheme is used, and regardless of what the associated handler is. Sounds like a pretty cut-and-dry Windows bug to me.
and so on and so forth (Score:2, Insightful)
and the problem does not exist for Firefox before "upgrading" to IE 7 or on other platforms because M$ has yet to force sane user and privilege separation and on and on. Is there any way this could be anything but a M$ problem?
First time? (Score:2)
Has that ever happened before?
Re:Obviously firefoxs fault (Score:4, Interesting)
Also... I'm pretty sure if Windows was a person he would punch himself in the genitals if he was asked to.
Re: (Score:2)
I resent the comparison! (Score:2)
When I've been a very, very naughty boy, I'll pinch myself in the genitals if matron Dorris tells me to, you insensitive clod!
Re:Obviously firefoxs fault (Score:5, Insightful)
Re: (Score:2, Informative)
The Firefox bug was essentially that it was receiving URLs like "firefoxurl: -chrome javascript:alert('Oops.')" and then, instead of interpreting the URL as a URL it was interpreting it as a command line. This is clearly Firefox's fault - they configured IE to pass Firefox all URLs that start with "firefoxurl:", but neglected to tell IE that it should inform Firefox that it shouldn't emulate a UNIX shell when receiving the URL.
This is why almost all UNIX commands have that helpful "-
Re:Obviously firefoxs fault (Score:5, Interesting)
That said, I completely agree with you on the firefoxurl: flaw.
Re: (Score:3, Informative)
Well, what if sending a "format" command to Firefox has the same effect as if it was launched from the Windows Start Menu? The thing is: browsers should NOT allow malicious commands to go past their sandbox. Just "passing" commands to a third party IS insecure behaviour.
Firefox users should not play the blame shifting game, but think that their loved product is responsible for the concept of "everything I click and do w
Re: (Score:3, Insightful)
Re: (Score:2)
Firefox is passing stuff from webpages directly to the operating system. That's bad design.
Firefox is calling the operating system with user-supplied data
Re: (Score:2)
No, that's perfectly normal. That is what the URL handler is for. If I get a mms:\\ URI on a webpage, I want Firefox to open the correct mediaplayer, based on my system settings. On Windows, that means that any URI that Firefox itself can't handle should be passed to the OS. This is normal behaviour, not bad design.
Re:Obviously firefoxs fault (Score:4, Insightful)
Re: (Score:2)
So where should downloaded files go? In with all the other cache files?
Re:Obviously firefoxs fault (Score:4, Interesting)
If you leave your door open, the cable guy can come in anytime and fix your cable box. You don't have to house sit over that stupid four hour window. Would you do that? Then why do people put up such great resistance to the idea that you must take action, not doable by the browser alone, to download and execute a file from the internet?
Re: (Score:2)
There is always a balance between safety and convenience. Sometimes one or the other wins out, depending on priorities.
You're almost right (Score:2)
http://msdn2.microsoft.com/en-us/library/aa767914.aspx [microsoft.com]
Security Alert
Applications handling URL protocols must be robust in the face of malicious data. Because handler applications receive data from untrusted sources, the URL and other parameter values passed to the application may contain malicious data attempting to exploit the handling application. For this reason, handling applications that could initiate unwanted actions based on external data must first confirm those actions with the user.
I don't have IE7.. (Score:2)
Actually, I don't have it on my XP-Pro SP2 machine I use to run Quickbooks, either.
I run QuickBooks on my mac. (Score:2)
Errr (Score:2, Insightful)
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Absolutely, but it, could, be, wor,se.,, I, gues,s,.
Yea, pretty much. (Score:3, Funny)
Elucidate and superfluous are dross from a word of the day calendar; the English major equivalent of e-penis. Three separate comma separated subclauses in the sentence. Overuse of the passive voice. The use of an uncommon acronym (URI) can perhaps be forgiven since it's Slashdot. Hyphens are hard to use well, and should NOT be used unless you know exactl
Re:Yea, pretty much. (Score:5, Funny)
Never understood the obsession with big words. The point is to be understood, right? There are times when it is more elegant to use the word that has the exact nuance of meaning that you're trying to convey, but for the most part it's a lot more effective to use a word that everyone will understand.
Re:Yea, pretty much. (Score:4, Insightful)
If you'd just speak formally _all_ the time, that'd be one less source of confusion for the unwashed masses. It turns out these things aren't inbuilt; they have to be learned from exposure. By denying exposure in the desperation to be understandable, you rob them of the chance of understanding in the long term.
Re: (Score:2)
In a situation where there really is one word that really conveys the exact m
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Dammit, this butchering the language thing is harder than it looks isn't it?
Re: (Score:2)
I really feel embiggened now.
Re: (Score:2)
Re: (Score:2)
I do this because my goal is to convey information clearly, to elucidate, as it were. It is in no way my intention to cloud my point with words that most English speakers won't clearly understand, not to mention all the people here whose primary la
Re: (Score:2)
Re: (Score:2)
Agreed on the "-"; it was actually used in a valid way, but the sentence was moving into run-on territory, and needed to be stopped (As you can see, I love the ";" as well).
The word choice was by far the biggest problem, in my opinion. The desire to use a fancy word should never overcome the need to be understoo
!Root (Score:4, Funny)
reponsability (Score:2)
Didn't work for me... (Score:5, Funny)
Once again, Google saves the day! Is there nothing that Google can't do?
Re: (Score:2)
Maybe worth noting... (Score:2)
Not just Firefox. (Score:5, Informative)
Re:Not just Firefox. (Score:5, Informative)
This indicates that the problem is in Windows' parsing of URIs... as stated in the article. It's the handling of the NULL (%00) byte.
This has absolutely nothing to do with Firefox, but kudos to the Mozilla developers for trying to block the opening of null-byted URIs.
Re:Not just Firefox. (Score:5, Funny)
At the risk of abusing a double negative, Windows can't even do nothin' right.
Re: (Score:3, Interesting)
If you prefer the Readers' Digest version with your helping of crow:
And
Re: (Score:2)
then try the same URI without the 2 null bytes.
Survey says - "All of them"? (Score:5, Insightful)
I can answer that one for ya - Everything that FireFox doesn't handle internally; So basically, kill everything except "http", "https", and "ftp".
If you want to send email, open your email program and paste the address in. If you want to read newsgroups, open your newsreader and select the desired group. If you want to use some specialized protocol that requires a dedicated app anyway (like many P2P URIs), open them in the appropriate program.
Your web browser should not serve as a no-click interface to every network-enabled app on your machine. Period.
Kinda cool (Score:5, Insightful)
For example, try this one if you have EVE installed on your PC: (You will have to copy-paste it as the Slashdot filter prevents the links from working.)
snews:%00%00../../../../../../windows/system32/cm
If IE7 is to blame, why isn't IE7 vulnerable? (Score:2, Insightful)
Re:If IE7 is to blame, why isn't IE7 vulnerable? (Score:4, Informative)
Because technically it's not IE7 that's broken and allowing the exploit. It's Windows' routines that route and execute arbitrary protocol requests. It goes like this:
User clicks an email link, which starts with "mailto:" instead of "http:".
Firefox sees "mailto:" and realizes it's not a protocol it's designed to handle.
Firefox says, "Hey, Windows, I don't know what to do with a mailto: request. You handle it."
Windows compares the mailto: to its list of registered handlers, decides that Outlook Express is the application the user really wants, and launches it.
The bug, however, is that corrupting the part after mailto: with null characters causes that last step to malfunction and blithely pass the remainder of the request directly to the Windows shell, not Outlook Express, allowing it to do pretty much anything the user is allowed to. Two things should be clear here. First, that it's not really Firefox's fault. Invalidating or truncating the link if it contains null characters is certainly a good idea, but that doesn't mean that Windows' bug is justified. As has been pointed out, the bug would still be a problem for any other application that passes requests to the protocol handler.
The second thing is the answer to your question. Notice that Internet Explorer was not involved in this exchange at all. Even if it were registered as one of the protocol handlers it would be irrelevant, as the bug prevents the real handler from ever being launched. The reason IE7 is dragged into this is because something about the protocol handling routines changes when you install it, such that the exploit is not possible before and is possible after.
So it's a bug in the IE7 installation, not really IE7 itself.
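An added example, not part of the original thread and not Mozilla's actual patch: a caller-side check an application could run before handing a URI to the operating system's protocol handler. It rejects the percent-encoded null and control bytes described in the comment above, and the whitespace and quote characters behind the firefoxurl: command-line confusion discussed earlier in the thread. The scheme allowlist, the function name and the sample URIs are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumption: the only schemes this application hands to the OS handler.
EXTERNAL_SCHEMES = {"mailto", "news", "nntp", "snews"}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
MAX_DECODE_ROUNDS = 3  # also catches double encoding such as %2500


def check_external_uri(uri, allowed=EXTERNAL_SCHEMES):
    """Return (ok, reason) for a URI about to be passed to an external handler."""
    match = SCHEME_RE.match(uri)
    if not match:
        return False, "no scheme"
    if match.group(1).lower() not in allowed:
        return False, "scheme not allowlisted"
    # Raw whitespace or a double quote can end the quoted argument in a
    # handler's command-line template and be read as extra options.
    if re.search(r'[\s"]', uri):
        return False, "raw whitespace or quote"
    data = uri.encode("utf-8")
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(data)
        # %00 and other control bytes are what derailed handler dispatch.
        if any(b < 0x20 or b == 0x7F for b in decoded):
            return False, "control byte after percent-decoding"
        if b'"' in decoded:
            return False, "encoded quote"
        if decoded == data:  # nothing left to decode
            break
        data = decoded
    return True, "ok"


# Constructed sample inputs (not taken from the demo the article describes).
SAMPLES = [
    "mailto:user@example.com?subject=Hello%20World",
    "mailto:user%00%00@example.com",
    "mailto:user%2500@example.com",
    'mailto:user@example.com" -option',
    "mailto:user%22@example.com",
    "gopher://example.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_external_uri(sample), sample)
```

As the comments in this thread point out, a check like this only protects the application that runs it; the handler dispatch in the OS still needs its own fix.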
Re: (Score:2)
Because it isn't IE7 that's being exploited. It's the part of Windows that matches URIs to programs to open them via registry entries. IE7 comes into it because those routines in Windows are really part of IE (remember that IE's an integral part of Windows). When you install IE7, you install a new system library with new implementations of those routines that replace the ones from IE6, and said new implementations contain the bug that's being exploited.
This is also a good illustration of why making core pa
Possible Workaround (Score:2, Informative)
Looks like http://noscript.net/ [noscript.net] will cover you if you're looking for a temporary fix.
Re: (Score:2)
A linux desktop with Firefox such as I provide in the Remaster, is much easier to live with for non-techie users, compared to a Windows desktop with Firef
Sounds like what I did on a mac (Score:2, Interesting)
Thanks Mac-Firefox
Doesn't work (Score:2)
A simple solution... WAKE UP! (Score:3, Insightful)
I know no one here is dumb enough to click like a hamster hitting the feeder bar for pellets, so that's basically for rhetorical effect. But I want to know why these Heise security "gurus" are hyping Firefox "flaws" that are barely exploitable (the other day it was about a web domain being able to "steal" passwords for its own domain), and not nearly capable of causing the kind of damage they claim. Where do they get off attributing a Windows Mail exploit to Firefox, and how on earth would a conscious user fall for this? The exploit or the FUD?
A remote gateway? Baloney. You have to *click* on the mailto: (nntp:, etc.) to get it to even work. And even then, there'd have to be malicious code on your system in the first place to run. Calculator isn't a payload, folks. You need to have a trojan on board, in a default location, and then you need to click on another trojan (the malformed link). If the user is that stupid, they're already botnetted from double-clicking on "b00b13z.avi.wsf". It's FUD, FUD and more FUD.
A machine is only as secure as its user is wise.
Plus, you have to be running IE7, which most Firefox users aren't, unless you got sucker punched into loading Vista.
And Heise spins this as somehow being Mozilla's problem? You could create the same situation with Lynx for crying out loud! All it takes is a malformed mailto: link. The command line will do it! That means you'd better watch out for malicious BATCH files, folks, because that's all it'll take.
No one on Slashdot is stupid enough to fall for that right? At least batch files are still "open source."
And since it doesn't happen with IE6, or if you have any sensible mail programs installed, clearly IE7's suite, Windows Mail in particular, has a flaw. A big juicy exploitable flaw. Else, Lynx has its first 0-day exploit.
And you bet it'll slip past the UAC, if that's not a clear warning shot to you Vista boosters. Thank you Mozilla for having the sense to fix this problem even though it isn't your problem. You are proving that FOSS is the easiest code base to secure.
Boy, this kind of shoddy, FUD-laden, biased coverage really makes me mad. This has nothing to do with Firefox and everything to do with Microsoft not understanding its own code base and OS security structures.
--
Toro
Lynx is still secure! *whew* (Score:2)
--
Toro
Re: (Score:2, Insightful)
The Proof of Concepts I provided are exactly that... PROOF OF CONCEPT! In my examples, I purposely place the exploit behind a link, so that you know and control what's coming. I could have easily placed the payload in a "body onload" tag and you would have just been hit with it... no user interaction required.
To make matters worse, when you combine something
Re:A simple solution... WAKE UP! (Score:4, Insightful)
Not that simple. Many browsers allow the remote site to change the string in the status bar by default (that's the first thing I disable). Until browsers show you the real destination by default, you can't expect people to notice the malformed mailto:
Code for the patch (Score:3, Funny)
intReturn = WshShell.Run("del c:\windows\iexplore.exe")
WshShell.Popup "Windows is now secure."
Solution (Score:2)
Re: (Score:3, Informative)
Re:bug database (Score:5, Interesting)
Unfortunately it doesn't fix the real problem, only makes FF work around it. Other applications could have the same issue on affected systems. According to TFA:
If this is true, it is the URL protocol handler that needs a patch (or whatever replaces/modifies its behaviour when IE7 is installed).
One more reason I prefer Open Source software: If you're a developer and run into a problem like this, then besides work around it in your application, you also have the option to fix the actual problem (in this case, the OS component that handles URL's). Next to impossible on a closed source OS.
Re:bug database (Score:5, Informative)
They are leading the race for a patch. They have one (PATCH) ready in their database.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Didn't work in seamonkey (Score:2)
Using XP sp2 with seamonkey 1.1.1 and none of the links worked.
No Microsoft Software has Bugs (Score:2, Funny)
Microsoft software does not have bugs. They have "undocumented features". It is a feature that Internet Explorer 7 works this way. When properly embraced, it extends the operating system with new features, and extinguishes all problems.
Be positive about these features!!! :-)
Re:well.. (Score:5, Informative)
XP too. (Score:2)
Is there any way to avoid IE7 if you are an XP user? I thought it was a forced "update" that had to be installed, unless you are a big company with your own special hell of updates and patches.
Not the end of the story (Score:2)
1. Download an Ubuntu Live CD
2. Install Ubuntu
3.
4. Profit!
After receiving a new laptop with Vista I found that it could take up to five minutes for the machine to be usable from a cold start. It is the first time I've used Linux for anything other than serving up web pages (or other network service) and I'm in love all over again.
Re: (Score:2)
Re: (Score:2)
I tried it many times, usually it made me restart the machine, which just took more time. Don't get me wrong, I love XP and 2000 for their speed and *gasp* their stability (I've had an XP install going for just over four years... hosting webpages with Apache), but Vista just needs too much power to run. Throw in games or even a running notepad.exe and
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Sometimes it is either a memory hog or somehow gets stuck on 99% CPU usage.
Re: (Score:2)