November 16th, 2007

Belated Firefox patch coming for (another) protocol handling bug

Posted by Ryan Naraine @ 5:50 pm

Mozilla security chief Window Snyder says the “jar:” protocol handler issue that currently haunts Firefox will be fixed very soon in the next refresh of the browser.

The problem (see previous coverage) is that Firefox’s “jar:” protocol handler does not validate the MIME type of the contents of an archive, which are then executed in the context of the site hosting the archive. This can be exploited to conduct cross-site scripting attacks on sites that allow a user to upload certain files (e.g. .zip, .png, .doc, .odt, .txt).

On the official Mozilla security blog, Snyder explains the vulnerability and attack vector:

Firefox supports the Java Archive URI scheme that allows the addressing of the contents of zip archives. An attacker may upload a zip format file to a trusted site that allows users to upload content. The victim clicks on a link on the attacker’s website or in an email that links to the uploaded content on a trusted site. Since the content is loaded from the trusted site, content from the zip file runs in the context of the trusted site. This may allow the attacker to access information stored on the trusted site without the victim’s knowledge.

There is a second issue that if a zip archive is loaded from a site through a redirect, Firefox uses the context from the initiating site. This allows an attacker to take advantage of a site with an open redirect and host content on their own malicious site that will execute with the permissions of the redirecting site.

There is a proof of concept that demonstrates these issues in an attack against GMail that allows the attacker access to the victim’s stored GMail contacts.

The GMail proof-of-concept is available here.

Starting with Firefox 2.0.0.10, which is currently in testing, the browser will only support the jar scheme for files that are served with the correct application/java-archive MIME type. Firefox will also adjust the security context to recognize the final site as the source of the content, Snyder said.

Snyder did not say why it took nearly eight months to address this vulnerability, especially since it was found internally back in February by Mozilla’s Jesse Ruderman.

Also see Giorgio Maone’s detailed description of this issue, which includes a criticism of my previous mitigation advice and Maone’s own workaround.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.