July 31st, 2007
Mozilla fixes its end of URL protocol handling saga
Mozilla has fixed its end of the controversial URL protocol handling vulnerability that puts Windows users at risk of PC takeover attacks.
Exactly a week after admitting that Firefox was just as guilty as Internet Explorer when it comes to passing dangerous data to third party applications, the open-source group shipped Firefox 2.0.0.6 with workarounds and patches for two related vulnerabilities.
[ SEE: Mozilla caught napping on URL protocol handling flaw ]
The main fix (MFSA2007-27) corrects an issue found by former Microsoft security strategist Jesper Johansson where Mozilla did not percent-encode spaces and double-quotes in URIs handed off to external programs for handling. The danger here is that the receiving program to mistakenly interpret a single URI as multiple arguments.
In its advisory, Mozilla said the Firefox and Thunderbird 2.0.0.6 releases contain fixes that prevent the original demonstrations presented by Johansson, but warned that it it is still possible to launch a filetype handler based on extension rather than the registered protocol handler.
“A way to exploit a common handler with a single unexpected URI as an argument may yet be found. Since this handling is a property of the Windows Shell API this variant appears to affect other internet-enabled applications that pass these URIs to the Windows Shell,” Mozilla explained.
The company is suggesting the following workaround:
By default Firefox will ask before launching external protocol handlers, and these prompts should be denied from sites that are not trustworthy, especially if the requested URL contains spaces and double-quote (”) characters. An exception is made for mail-related protocols in Firefox, they do not prompt by default. If the default mail handler is Thunderbird 2.0.0.5 or later there will not be a problem, but if another program or older version of Thunderbird is the default handler then mail URIs can be made to prompt as well. (Similarly, in Thunderbird browser protocols like
http:andftp:do not prompt but instead launch the default browser.) To make mail-related links prompt in Firefox before launching external programs:
-
- Enter about:config in the location bar
- Enter warn-external in the Filter: box
- Double-click to set the mailto, news, nntp, and snews lines to true
Firefox 2.0.0.6 also corrects a privilege escalation issue through chrome-loaded about:blank window.
Microsoft’s Internet Explorer can still be used as an attack vector for passing malicious data to third-party Windows apps but the software maker does not consider this a vulnerability that needs to be patched.
The patches will be delivered automatically over the next 24-48 hours via the built-in auto-update mechanism. Firefox users can manually download the update from GetFirefox.com.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
