Gentoo Forums
The firefoxurl:// security flaw
heidar
Tux's lil' helper
Joined: 30 Aug 2003
Posts: 135

PostPosted: Tue Jul 10, 2007 5:16 pm    Post subject: The firefoxurl:// security flaw

Hello friends,

Quote:
"A new URI handler was registered on Windows systems to allow Web sites to force launching Firefox if the 'firefoxurl://' URI was called, like ftp://, http://, or similar would call other applications," explained Thomas Kristensen, Secunia chief technology officer.

The use of the "chrome" context--the interface elements of a browser that create the frame around its page displays--it's possible for attackers to inject code on a user's system that would be executed within Firefox, Kristensen said.


Full article at: http://news.com.com/8301-10784_3-9741435-7.html

Seems like these guys figured it out before that guy though; http://sla.ckers.org/forum/read.php?3,12752

Now I'm wondering, would this count as a Firefox flaw or a Windows flaw? On Security Focus it's marked as an IE flaw. "Microsoft Internet Explorer FirefoxURL Protocol Handler Command Injection Vulnerability" -> http://www.securityfocus.com/bid/24837

If you have Windows running with Firefox installed you can open an explorer window (or simply Start -> Run...) and type "firefoxurl://www.example.com/" and it'll make a window pop up asking if it's allowed to run Firefox. If you go under Folder Options in Windows you can see the Firefox URI handler at the top marked with (NONE) and it doesn't look like you can change/delete it without messing with the registry or something.

I really don't know which one to blame but I don't understand how they mark this as an MS IE flaw alone, since this has more to do with Windows Explorer than anything else, or Firefox. What do you think?
Dralnu
Veteran
Joined: 24 May 2006
Posts: 1919

PostPosted: Tue Jul 10, 2007 6:54 pm

Just adds fuel to the fire that all browsers suck, and security is STILL in the back of people's minds.

BTW, on to a more interesting topic: Where did you get your av, Runespoor?
_________________
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
heidar
Tux's lil' helper
Joined: 30 Aug 2003
Posts: 135

PostPosted: Tue Jul 10, 2007 7:06 pm

Dralnu wrote:
Just adds fuel to the fire that all browsers suck, and security is STILL in the back of people's minds.

BTW, on to a more interesting topic: Where did you get your av, Runespoor?


Yeah, QFT on that. I haven't tried Firefox 3 from cvs yet but I've heard *nicer* things about it at least.

My avatar I got from http://myspace.com/darth_mittens

Her name is...well, I'm not sure, but her alias is Chibi. She's the singer for The Birthday Massacre, my favorite band for the last 5 years or so.

What about yours? Where'd you get it?
Dralnu
Veteran
Joined: 24 May 2006
Posts: 1919

PostPosted: Tue Jul 10, 2007 7:24 pm

Google Images. searched for Gothic Model or something for a wallpaper...
_________________
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
madchaz
l33t
Joined: 01 Jul 2003
Posts: 993
Location: Quebec, Canada

PostPosted: Tue Jul 10, 2007 7:37 pm

This is an IE flaw because IE pretty much = Windows Explorer.
_________________
Someone asked me once if I suffered from mental illness. I told him I enjoyed every second of it.
www.madchaz.com A small candle of a website. As my lab specs on it.
Dralnu
Veteran
Joined: 24 May 2006
Posts: 1919

PostPosted: Tue Jul 10, 2007 7:41 pm

madchaz wrote:
This is an IE flaw because IE pretty much = Windows Explorer.


Just like Konq!
_________________
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
slycordinator
Advocate
Joined: 31 Jan 2004
Posts: 3065
Location: Korea

PostPosted: Tue Jul 10, 2007 7:45 pm

madchaz wrote:
This is an IE flaw because IE pretty much = Windows Explorer.


But perhaps IE is in this case exposing a flaw in firefox.
madchaz
l33t
Joined: 01 Jul 2003
Posts: 993
Location: Quebec, Canada

PostPosted: Tue Jul 10, 2007 7:56 pm

Maybe, I'm not an expert and haven't had time to read the whole thing
_________________
Someone asked me once if I suffered from mental illness. I told him I enjoyed every second of it.
www.madchaz.com A small candle of a website. As my lab specs on it.
think4urs11
Bodhisattva
Joined: 25 Jun 2003
Posts: 6659
Location: above the cloud

PostPosted: Tue Jul 10, 2007 7:58 pm

in other words -unless proven otherwise- it is a windows security flaw as at least IE needs to be involved which is windows only ;)
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
slycordinator
Advocate
Joined: 31 Jan 2004
Posts: 3065
Location: Korea

PostPosted: Tue Jul 10, 2007 8:17 pm

madchaz wrote:
Maybe, I'm not an expert and haven't had time to read the whole thing


Or the entire first post for that matter.

Even there it alludes to the fact that someone could make a malformed firefoxURL such that firefox would run code.

But even if this is a problem deep down with firefox, the only way to expose the problem is to use windows.
bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5882

PostPosted: Tue Jul 10, 2007 8:24 pm

slycordinator wrote:
madchaz wrote:
Maybe, I'm not an expert and haven't had time to read the whole thing


Or the entire first post for that matter.

Even there it alludes to the fact that someone could make a malformed firefoxURL such that firefox would run code.

But even if this is a problem deep down with firefox, the only way to expose the problem is to use windows.


could wine make the call to firefox?
_________________
Neddyseagoon wrote:
The problem with leaving is that you can only do it once and it reduces your influence.

banned from #gentoo since sept 2017
slycordinator
Advocate
Joined: 31 Jan 2004
Posts: 3065
Location: Korea

PostPosted: Tue Jul 10, 2007 8:33 pm

Seems it could assuming you had a new enough version of IE installed inside wine though I don't think IE7 works in wine anyway.

And this security problem is just that from IE you can click on a link that opens up firefox but IE's URI scheme lets you specify arbitrary arguments to firefox. So this isn't a case where you get arbitrary code execution or something like that.
opqdan
Guru
Joined: 13 Dec 2004
Posts: 429
Location: Redmond, WA, USA

PostPosted: Tue Jul 10, 2007 11:13 pm

slycordinator wrote:
madchaz wrote:
Maybe, I'm not an expert and haven't had time to read the whole thing


Or the entire first post for that matter.

Even there it alludes to the fact that someone could make a malformed firefoxURL such that firefox would run code.

But even if this is a problem deep down with firefox, the only way to expose the problem is to use windows.
The article specifically says that any application could call firefox with the right (wrong) parameters and cause this to happen. IE only extends the impact of the bug by making the user only visit a malicious website, rather than have a malicious application on their PC.

Personally, I can see that this is most definitely a bug in Firefox, though IE needs to be extremely careful about running 3rd party executables via links in explorer. They say in the article that there is no way of knowing whether parameters are safe or not. If that is the case, then this functionality shouldn't even exist. Clicking on a link in IE should never open an external application unless IE knows what parameters are safe, and can avoid passing bad ones.
dleverton
Guru
Joined: 28 Aug 2006
Posts: 517

PostPosted: Wed Jul 11, 2007 12:10 pm

opqdan wrote:
The article specifically says that any application could call firefox with the right (wrong) parameters and cause this to happen. ... Personally, I can see that this is most definitely a bug in Firefox

In other news, any application could call rm with the right (wrong) parameters and cause all your files to be deleted. Personally, I can see that this is most definitely a bug in rm.
enderandrew
l33t
Joined: 25 Oct 2005
Posts: 731

PostPosted: Wed Jul 11, 2007 12:28 pm

dleverton wrote:
opqdan wrote:
The article specifically says that any application could call firefox with the right (wrong) parameters and cause this to happen. ... Personally, I can see that this is most definitely a bug in Firefox

In other news, any application could call rm with the right (wrong) parameters and cause all your files to be deleted. Personally, I can see that this is most definitely a bug in rm.


The bug must be called from IE to load Firefox in a specific way. It only affects Windows machines with both browsers, and you have to be using IE when you encounter the exploit.

I imagine both browsers will be patched shortly, however if you only use Firefox, you are safe.
_________________
Nihilism makes me smile.
dleverton
Guru
Joined: 28 Aug 2006
Posts: 517

PostPosted: Wed Jul 11, 2007 12:54 pm

enderandrew wrote:
The bug must be called from IE to load Firefox in a specific way.

Huh?

enderandrew wrote:
I imagine both browsers will be patched shortly, however if you only use Firefox, you are safe.

Mozilla CVS contains a workaround, it'll presumably be in the next security release. Microsoft seems to be denying that it's their fault at all (which is a lie), according to eWeek; dunno if they'll patch it anyway.
enderandrew
l33t
Joined: 25 Oct 2005
Posts: 731

PostPosted: Wed Jul 11, 2007 1:01 pm

dleverton wrote:
enderandrew wrote:
The bug must be called from IE to load Firefox in a specific way.

Huh?


It is pretty simple. If you are browsing with Firefox, you are immune to this exploit.

The only way the exploit works, is if you have FF installed on your machine, but you are using IE. The exploit can only be triggered in IE, which loads Firefox in a certain way, which then allows for remote code to be run.
_________________
Nihilism makes me smile.
atrus123
Guru
Joined: 06 Jul 2005
Posts: 339
Location: Annapolis, MD

PostPosted: Wed Jul 11, 2007 1:06 pm

<off-topic>

Runespoor wrote:
Dralnu wrote:

BTW, on to a more interesting topic: Where did you get your av, Runespoor?


Her name is...well, I'm not sure, but her alias is Chibi. She's the singer for The Birthday Massacre, my favorite band for the last 5 years or so.


I love Birthday Massacre. Their lyrics are full of all kinds of nerdy goodness.

</off-topic>
_________________
"I cannot support a movement that exploded spending and borrowing and blames its successor for the debt."
-Andrew Sullivan
opqdan
Guru
Joined: 13 Dec 2004
Posts: 429
Location: Redmond, WA, USA

PostPosted: Wed Jul 11, 2007 2:42 pm

dleverton wrote:
opqdan wrote:
The article specifically says that any application could call firefox with the right (wrong) parameters and cause this to happen. ... Personally, I can see that this is most definitely a bug in Firefox

In other news, any application could call rm with the right (wrong) parameters and cause all your files to be deleted. Personally, I can see that this is most definitely a bug in rm.
But there is a difference between the scenarios. That firefox allows itself to be executed in a way that can create a security hole is a bug because firefox is not supposed to be able to do that. RM is supposed to be allowed to delete your files, so it allows something like "-rf /" as part of the valid set of inputs. I'm not trying to say that IE doesn't have a problem here (I pointed out that it shouldn't be opening any apps anyways), but all I see is that it exposed the bug, and (this is the bad part) extended the attack surface.

In short:
1) Firefox says that we will allow a certain set of inputs, and it turns out that something :outside: of that set causes a security flaw. This is a bug in FF as the input should not be allowed.
2) rm says that it will allow a certain set of inputs, and it turns out that something :inside: of this set of inputs :can: cause unintended consequences. This is not a bug in rm, as the input is allowed (though it would be a bug in another program that calls rm depending on whether the command was intended or not).
3) IE is stupid and shouldn't execute firefox anyways.
dleverton
Guru
Joined: 28 Aug 2006
Posts: 517

PostPosted: Wed Jul 11, 2007 4:45 pm

enderandrew wrote:
It is pretty simple. If you are browsing with Firefox, you are immune to this exploit.

The only way the exploit works, is if you have FF installed on your machine, but you are using IE. The exploit can only be triggered in IE, which loads Firefox in a certain way, which then allows for remote code to be run.


I know how the exploit works. I have no idea what "The bug must be called from IE to load Firefox in a specific way." is supposed to mean.

opqdan wrote:
But there is a difference between the scenarios. That firefox allows itself to be executed in a way that can create a security hole is a bug because firefox is not supposed to be able to do that.

The exploit at one of the links at the start of the thread uses Firefox's "-chrome" parameter (there's also discussion about other possibilities, like "-ProfileManager" and friends). Firefox is supposed to have a "-chrome" parameter. QED
opqdan
Guru
Joined: 13 Dec 2004
Posts: 429
Location: Redmond, WA, USA

PostPosted: Wed Jul 11, 2007 8:18 pm

dleverton wrote:
enderandrew wrote:
It is pretty simple. If you are browsing with Firefox, you are immune to this exploit.

The only way the exploit works, is if you have FF installed on your machine, but you are using IE. The exploit can only be triggered in IE, which loads Firefox in a certain way, which then allows for remote code to be run.


I know how the exploit works. I have no idea what "The bug must be called from IE to load Firefox in a specific way." is supposed to mean.

opqdan wrote:
But there is a difference between the scenarios. That firefox allows itself to be executed in a way that can create a security hole is a bug because firefox is not supposed to be able to do that.

The exploit at one of the links at the start of the thread uses Firefox's "-chrome" parameter (there's also discussion about other possibilities, like "-ProfileManager" and friends). Firefox is supposed to have a "-chrome" parameter. QED

!QED

firefox.exe -chrome "please open security holes on my computer"

That is a bug. I will try to make myself clear (because it is possible that I am writing badly): If an application allows inputs that cause problems, and doesn't deal with them correctly, that is a bug.

If I write a function that takes a pointer to an object, and I don't check to make sure that it is valid (not NULL, of the correct type if the language supports it), then it is MY fault whenever somebody calls my function with an invalid pointer.

In this case, firefox allows -chrome options, and that is fine, but chrome options that affect the security of the app are not. -chrome is the "un-verified pointer" getting passed to Firefox, it is Firefox's responsibility to make sure you are not passing it garbage.

There is even a quote agreeing with me in the article:
Quote:
"Firefox is the current attack vector, but Internet Explorer is to blame for not escaping...characters when passing on the input to the command line," said Larholm, in response to a reader's comments. "I agree that Firefox could have registered its URL handler with pure DDE (dynamic data exchange, the protocol for information exchange) instead and thereby have avoided the possibility of a command-line argument injection, but IE should still be able to safely launch external applications."
and
Quote:
"Registering the URI handler must be done with care, since Windows does not have any proper way of knowing what kind of input potentially could be dangerous for an application," said Kristensen. "For example, how should Windows know that the string 'chrome' could be dangerous for Firefox."


Should Firefox automatically expect that all command line arguments are fine and expect all other applications to bear the responsibility? Or should it run them through a sanity check prior to accepting them?

I think the latter. You apparently think the former.

Fortunately, MSFT will probably fix it because they have a habit of fixing bugs in 3rd party software.
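To make the mechanism the last few posts argue over concrete (slycordinator's point that the URI scheme lets a page hand Firefox arbitrary arguments, Larholm's remark that IE does not escape characters before putting the URL on the command line, and the question of whose job the quoting is), here is an added example that is not code from the thread, from Mozilla or from Microsoft. It models, offline, a caller expanding a registered handler template with a URL and the launched process splitting that command line into argv under the Windows CRT / CommandLineToArgvW quoting rules. The handler template and the crafted URL are assumptions constructed for the demo, shaped after the FirefoxURL registration and the "-chrome" plus javascript: trick discussed above; the CRT's undocumented "" rule is deliberately not modelled.

```python
"""Argument injection through a Windows URI handler, modelled offline.

Added example: not code from the thread, from Mozilla or from Microsoft.
(1) A caller that substitutes the URL into the handler's command template
without escaping lets a double quote inside the URL close the "%1" slot and
append its own switches. (2) Escaping the URL with the Windows CRT /
CommandLineToArgvW quoting rules keeps it a single argv entry.
HANDLER_TEMPLATE and CRAFTED_URL are assumptions constructed for the demo.
"""

# Assumed handler template. Quoting %1 in the registry value is not enough
# on its own: a " inside the URL ends the quoted argument early.
HANDLER_TEMPLATE = r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url "%1" -requestPending'

# Constructed URL: the " closes the -url argument, then -chrome and a
# javascript: URI ride along as extra switches.
CRAFTED_URL = 'firefoxurl://x" -chrome "javascript:alert(\'injected\')'


def win_split_args(cmdline: str) -> list[str]:
    """Split a command line the way the Windows CRT documents it.

    whitespace separates arguments unless inside double quotes;
    2n backslashes before a " yield n backslashes and the " toggles quoting;
    2n+1 backslashes before a " yield n backslashes and a literal ";
    backslashes not followed by " are literal.
    (The CRT's undocumented "" rule inside a quoted argument is not modelled.)
    """
    args, cur = [], []
    in_arg = in_quotes = False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == '\\':
            j = i
            while j < n and cmdline[j] == '\\':
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append('\\' * (count // 2))
                if count % 2:          # odd run: the quote is escaped
                    cur.append('"')
                    j += 1
            else:
                cur.append('\\' * count)
            in_arg, i = True, j
        elif ch == '"':
            in_quotes, in_arg, i = not in_quotes, True, i + 1
        elif ch in ' \t' and not in_quotes:
            if in_arg:
                args.append(''.join(cur))
                cur, in_arg = [], False
            i += 1
        else:
            cur.append(ch)
            in_arg, i = True, i + 1
    if in_arg:
        args.append(''.join(cur))
    return args


def naive_expand(template: str, url: str) -> str:
    """Textual substitution of %1 with no escaping (the failure mode)."""
    return template.replace('%1', url)


def win_quote_arg(value: str) -> str:
    """Quote value so that win_split_args returns exactly [value] for it."""
    out, backslashes = [], 0
    for ch in value:
        if ch == '\\':
            backslashes += 1
            continue
        if ch == '"':
            out.append('\\' * (2 * backslashes + 1) + '"')
        else:
            out.append('\\' * backslashes + ch)
        backslashes = 0
    out.append('\\' * (2 * backslashes))   # run before the closing quote
    return '"' + ''.join(out) + '"'


def safe_expand(template: str, url: str) -> str:
    """Substitute %1 as one properly quoted argument: the fix on the caller
    side, which is the side that knows the platform's quoting rules."""
    return template.replace('"%1"', win_quote_arg(url))


def injected_flags(argv: list[str], known=('-url', '-requestPending')) -> list[str]:
    """Switch-looking argv entries the handler template never contained:
    evidence that the URL escaped its quoted slot."""
    return [a for a in argv[1:] if a.startswith('-') and a not in known]


if __name__ == '__main__':
    for label, expand in (('naive', naive_expand), ('escaped', safe_expand)):
        argv = win_split_args(expand(HANDLER_TEMPLATE, CRAFTED_URL))
        print(label, argv, 'injected:', injected_flags(argv))
```

Run as is, the naive expansion yields an argv with "-chrome" and the javascript: URI as separate entries, exactly the extra switches Firefox then honours; the escaped expansion yields the whole crafted string as the single value of "-url", so nothing is left for Firefox to sanity-check. A caller could also simply refuse URLs that contain a double quote or whitespace, since neither may appear unencoded in a URI anyway; the escaping routine is the general answer for any value, not only URLs.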
dleverton
Guru
Joined: 28 Aug 2006
Posts: 517

PostPosted: Wed Jul 11, 2007 8:45 pm

opqdan wrote:
firefox.exe -chrome "please open security holes on my computer"

That is a bug. I will try to make myself clear (because it is possible that I am writing badly): If an application allows inputs that cause problems, and doesn't deal with them correctly, that is a bug.

Firefox does deal with it correctly - it opens the URL as "chrome", i.e. as the top-level definition of the window, with full privileges. That is exactly what -chrome is supposed to do.

opqdan wrote:
If I write a function that takes a pointer to an object, and I don't check to make sure that it is valid (not NULL, of the correct type if the language supports it), then it is MY fault whenever somebody calls my function with an invalid pointer.

WTF? I don't know where you get that idea from, but it's absolute nonsense.

opqdan wrote:
In this case, firefox allows -chrome options, and that is fine, but chrome options that affect the security of the app are not. -chrome is the "un-verified pointer" getting passed to Firefox, it is Firefox's responsibility to make sure you are not passing it garbage.

It's not garbage, it's (in the exploit linked to above) a perfectly valid javascript: URI.

opqdan wrote:
There is even a quote agreeing with me in the article:
Quote:
"Firefox is the current attack vector, but Internet Explorer is to blame for not escaping...characters when passing on the input to the command line," said Larholm, in response to a reader's comments. "I agree that Firefox could have registered its URL handler with pure DDE (dynamic data exchange, the protocol for information exchange) instead and thereby have avoided the possibility of a command-line argument injection, but IE should still be able to safely launch external applications."

That looks like it's blaming IE for me. As for the point about DDE versus the command-line - if IE supports the command-line method, it should implement it properly.

opqdan wrote:
Quote:
"Registering the URI handler must be done with care, since Windows does not have any proper way of knowing what kind of input potentially could be dangerous for an application," said Kristensen. "For example, how should Windows know that the string 'chrome' could be dangerous for Firefox."

Windows should know how command-line parsing works on Windows.

opqdan wrote:
Should Firefox automatically expect that all command line arguments are fine and expect all other applications to bear the responsibility? Or should it run them through a sanity check prior to accepting them?

Firefox should interpret valid command-line arguments to mean what they're supposed to mean.