
July 11th, 2007

Microsoft should block that IE-to-Firefox attack vector

Posted by Ryan Naraine @ 11:00 am


The ongoing confusion over the IE -> Firefox security vulnerability, which introduces a nasty attack vector for Windows users with both browsers installed, has raised a serious question about the responsibility of software vendors to protect their customers.

First, a quick recap:

  1. Thor Larholm releases proof-of-concept for what he calls an Internet Explorer zero-day, showing how an IE user clicking on a malicious link could be attacked if Firefox is installed on the machine.
  2. Secunia issues a separate advisory to make it clear that this is *NOT* an IE vulnerability. The problem is that Firefox registers the “firefoxurl://” URI handler and allows invoking Firefox with arbitrary command line arguments.
  3. Larholm concedes that Firefox is the current attack vector but makes the argument that Internet Explorer is to blame for not escaping " (quote) characters when passing on the input to the command line.
  4. Mozilla security chief Window Snyder says a Firefox fix will be developed to protect its userbase.
  5. Microsoft’s only response to the issue is this blunt one-liner: “Microsoft has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product.”


So, if Firefox is developing a fix and Microsoft insists it’s NOT a problem with IE, that settles it, right?

Not so fast. Two things that make it murky:

  1. If you are using Firefox to browse the Web, you are NOT exposed to this attack scenario.
  2. The vulnerability is only exposed when a user visits a maliciously rigged Web page in Internet Explorer.

Window Snyder, in a follow-up blog entry, spells it out clearly.

“Any Windows application that calls a registered URL protocol without escaping quotes may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. This could result in a critical security vulnerability.

“The vulnerability is exposed when a user browses to a malicious web page in Internet Explorer and clicks on a specially crafted link. That link causes Internet Explorer to invoke another Windows program via the command line and then pass that program the URL from the malicious webpage without escaping the quotes. This can cause data to be passed accidentally from the malicious web page to the second Windows program. In the specific attack described in the report, Internet Explorer sends URL data to Firefox. If the data is crafted a certain way it will allow remote code execution in Firefox.”

Although Mozilla will issue a fix, Snyder believes Microsoft should play its part and issue its own patch because the malicious data is being passed from IE to Firefox.

Snyder warns:

“Other Windows programs may also be vulnerable to bad data being passed from IE although we are not aware of any at this time.”
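
The quote-escaping problem Snyder describes, shown as an added example (not code from the article, Mozilla or Microsoft): a caller substitutes a link into a URL handler's command template, first verbatim and then percent-encoded, and the handler checks its argument count. The handler path, the exampleurl:// scheme, the -extra-flag placeholder and the simplified quote-toggling splitter are assumptions made for illustration.

```python
from urllib.parse import quote

# Hypothetical handler registration (constructed): the command template a
# URL protocol handler stores, with %1 standing for the URL.
HANDLER_TEMPLATE = '"C:\\Program Files\\ExampleApp\\app.exe" -url "%1"'

def split_args(cmdline):
    """Simplified Windows-style splitting (assumption): spaces separate
    arguments unless inside double quotes; each quote toggles quoted mode."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch == ' ' and not in_quotes:
            if started:
                args.append(''.join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append(''.join(cur))
    return args

def launch_naive(url):
    """Caller substitutes the URL verbatim, quotes included."""
    return split_args(HANDLER_TEMPLATE.replace('%1', url))

def launch_escaped(url):
    """Caller percent-encodes anything outside the URL-safe set, so a quote
    or space in the link cannot end the quoted argument."""
    safe_url = quote(url, safe=":/?#[]@!$&'()*+,;=%")
    return split_args(HANDLER_TEMPLATE.replace('%1', safe_url))

def handler_accepts(args):
    """Handler-side defence: exactly program, -url and one URL argument."""
    return len(args) == 3 and args[1] == '-url'

# Constructed link: a quote ends the URL early, then a benign placeholder flag.
CRAFTED = 'exampleurl://page" -extra-flag "value'

if __name__ == '__main__':
    for launch in (launch_naive, launch_escaped):
        argv = launch(CRAFTED)
        print(launch.__name__, argv, 'accepted' if handler_accepts(argv) else 'rejected')
```

Either control alone stops the placeholder flag from reaching the handler as its own argument, which is why a fix on both the calling and the receiving side is defense in depth rather than duplication.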

To be fair, Microsoft never explicitly said it won’t issue its own IE patch but as Liu Die Yu explains, this class of attack has been known for a long time — as far back as 2004. Liu Die Yu, one of the original browser security gurus, says it’s a “surprise” that after all these years, such “an extremely simple vector of attack still works in IE.”

Microsoft declined to provide a spokesman for an interview on this issue.

It’s instructive to note that when Larholm disclosed this exact issue in the Safari for Windows beta, Apple issued a patch immediately. Same bug, same attack class, same Firefox attack vector and Apple issued a patch.

Even if you want to make the argument that this is exclusively a Firefox problem, Microsoft has a responsibility to its own customers — in this case, IE and Windows users.

If there’s a way for Microsoft to sanitize those inputs to avoid potential problems down the road — with any piece of software sitting on Windows — the company should provide that fix as part of its defense-in-depth approach to dealing with security.

Ignoring an attack vector that affects your customers — whether it’s your fault or not — isn’t being responsible. In this case, Microsoft shares the fault and should follow Mozilla and Apple’s lead.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



Talkback

Most Recent of 154 Talkback(s)

So what you're saying is, malicious websites being able to make IE launch programs with arbitrary command line arguments, is somehow not an IE problem? Please, explain how it is not, exactly.

Sanitizing remote input before running it in a raw command prompt is basic security....

Posted by: AzuMao Posted on: 10/02/09