Tuesday, July 24th, 2007

Remote Command Execution in FireFox et al

**** UPDATE ****

Apparently this flaw affects Firefox users that also have IE7 (with full security patches) on their system. Just to be clear, this vulnerability is delivered through the Firefox browser, NOT IE. You simply have to have IE7 installed somewhere on your system for this to work (which is basically most Windows XP SP2 systems). You can read about the details HERE. So it seems once again… as my first post (HERE) about URI handling issues stated…. IE PWNS Firefox…..


On a good note… I’ve noticed that this Mozilla bug ID has been changed to RESOLVED – FIXED. That was LIGHTNING FAST… I’ll be waiting for the patch to get pushed out…

**** UPDATE ****


IE has gained a LOT of attention from the way it handles registered URIs. We (Nate McFeters and I) have repeatedly mentioned that IE isn’t the only browser that has issues dealing with registered URI handlers. In fact, some of the URI handling behavior exhibited by other browsers can lead to remote command execution…. some examples can be found here.


Once again…. these issues are shown using FireFox (2.0.0.5), Netscape Navigator 9, and Mozilla, but many other browsers are affected as well. It’s time to take a good look at the registered URI handlers and how browsers interact with them!


Developers who intend to register (or have already registered) URIs for their applications MUST UNDERSTAND that registering a URI handler exponentially increases the attack surface for that application. Please review your registered URI handling mechanisms and audit the functionality called by those URIs…
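As an added example (not code from the original post), here is a small Python script that does the kind of review this paragraph asks for: it parses a `.reg` export of `HKEY_CLASSES_ROOT`, inventories every key that carries the `URL Protocol` marker (the convention Windows uses to mark a key as a pluggable protocol handler), looks up each handler's `shell\open\command`, and flags command lines that hand the entire URI to an unquoted `%1` or launch an unquoted executable path with spaces in it. The embedded export, the handler names and the file paths in it are constructed for the example.

```python
"""Audit registered URI handlers from a Windows .reg export.

Added example, not from the original post.  The sample export below is
constructed: the scheme names and program paths do not refer to real software.
"""
import re

# Constructed sample of `reg export HKCR out.reg` trimmed to a few keys.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\mailto]
@="URL:MailTo Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\mailto\shell\open\command]
@="\"C:\\Program Files\\ExampleMail\\mail.exe\" \"%1\""

[HKEY_CLASSES_ROOT\demoapp]
@="URL:Demo Application Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\demoapp\shell\open\command]
@="C:\\Program Files\\Demo\\demo.exe %1"

[HKEY_CLASSES_ROOT\orphan]
@="URL:Orphan Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# Matches `@="..."` (default value) or `"name"="..."`; data is group 3.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: a backslash makes the next char literal."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def parse_reg(text):
    """Return {lowercased key path: {value name: string data}} for REG_SZ values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()        # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unescape(m.group(2))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])     # REG_SZ; other types kept raw
            keys[current][name] = data
    return keys


def find_uri_handlers(keys):
    """Map each HKCR scheme marked 'URL Protocol' to its shell\\open\\command (or None)."""
    handlers = {}
    for path, values in keys.items():
        parts = path.split('\\')
        if len(parts) == 2 and parts[0] == 'hkey_classes_root' \
                and 'url protocol' in {k.lower() for k in values}:
            cmd = keys.get(path + r'\shell\open\command', {}).get('')
            handlers[parts[1]] = cmd
    return handlers


def audit_command(command):
    """Return a list of findings for one handler command line (empty = nothing flagged)."""
    findings = []
    if command is None:
        return ['no shell\\open\\command registered; handler is inert or broken']
    if '%1' not in command:
        findings.append('command never references %1; confirm the app still validates its input')
    elif '"%1"' not in command:
        findings.append('%1 is unquoted: the browser-supplied URI is split on spaces into extra arguments')
    if not command.startswith('"'):
        exe_part = command.split('%1')[0].strip()
        if ' ' in exe_part:
            findings.append('executable path is unquoted and contains spaces')
    return findings


def audit(reg_text):
    """Audit every URI handler in a .reg export; returns {scheme: [findings]}."""
    handlers = find_uri_handlers(parse_reg(reg_text))
    return {scheme: audit_command(cmd) for scheme, cmd in handlers.items()}


if __name__ == '__main__':
    for scheme, findings in sorted(audit(SAMPLE_REG).items()):
        print(f'{scheme}: ' + ('OK' if not findings else '; '.join(findings)))
```

On a real machine the input comes from `reg export HKCR hkcr.reg` (the script only reads the export, it never touches the live registry). Anything it flags is a starting point for the audit the paragraph describes: quoting `%1` keeps the URI a single argument, but the program behind the handler still has to treat the whole URI as untrusted input.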


NOTE: If another program (Outlook, Notes, etc.) has modified the registered URI handlers on your machine, these examples may not work…

Posted by xssniper | Filed in Security