Thursday, July 17th, 2008

FireFox Vulns – MFSA 2008-35

Mozilla issued a patch for an issue I recently reported to them. The MFSA with details on the issue can be found here. It’s an interesting issue that demonstrates some of the complexities that arise when software from different vendors has to interact. This particular issue makes use of one of my favorite attack vectors, protocol handlers. The protocol handlers involved here create an opportunity to pass “a command-line URI with the pipe symbols” from a remote webpage to FireFox.exe, which then treats the pipe-separated pieces as separate URIs to open. For those that are interested, I’ll provide a small writeup on the issue this weekend. For those waiting, I’ll also provide a writeup on the Opera protocol handling issue leading to RCE when the Opera team is ready.
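To make the two halves of that interaction concrete, here is a small Python model. It is an added example, not code from this post, from Mozilla or from Apple: it assumes (as a model, not as Firefox’s actual 2008 source) that the browser split a command-line URI on `|` and opened each piece as a tab, and it shows the check a third-party handler should have applied before handing an attacker-controlled string to another vendor’s executable. The sample string is constructed for the example.

```python
"""Model of the protocol-handler / command-line URI interaction behind MFSA 2008-35.

Added example, not code from the original post, from Mozilla or from Apple.
Assumption: the pre-patch browser treated '|' in a command-line URI as a
separator and opened every piece as its own tab. The real parsing logic is
not reproduced here; this only models the behaviour the advisory describes.
"""
from urllib.parse import urlsplit

# Schemes a web-facing protocol handler should be willing to forward.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample: the kind of string a remote page could hand to a
# third-party handler, which then launches firefox.exe with it as an argument.
ATTACK = "http://example.com/|http://attacker.example/|file:///C:/"


def vulnerable_split(cmdline_uri: str) -> list[str]:
    """Model of the pre-patch behaviour: pipe-separated URIs become multiple tabs.

    One argument from the handler turns into several navigations, including
    schemes the handler never meant to forward.
    """
    return [part.strip() for part in cmdline_uri.split("|") if part.strip()]


def hardened_dispatch(cmdline_uri: str) -> list[str]:
    """What the handler side should do before invoking another vendor's binary.

    Treat the argument as exactly one URI, refuse separators and control
    characters that a downstream parser might interpret, and only forward
    web schemes with a host. Returns a single-element list on success.
    """
    if any(ch in cmdline_uri for ch in "|\r\n\x00"):
        raise ValueError("separator or control character in handler argument")
    parts = urlsplit(cmdline_uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError(f"refusing non-web URI: {cmdline_uri!r}")
    return [cmdline_uri]


def is_rejected(cmdline_uri: str) -> bool:
    """True if the hardened check refuses to forward the argument."""
    try:
        hardened_dispatch(cmdline_uri)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable model opens:", vulnerable_split(ATTACK))
    print("hardened model rejects attack:", is_rejected(ATTACK))
    print("hardened model forwards:", hardened_dispatch("http://example.com/"))
```

The point of the second function is the one the post makes about multi-vendor bugs: the handler cannot know how the receiving executable will parse its command line, so it has to pass exactly one thing that it has already validated, rather than trusting the other side to be strict.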


It’s a crazy coincidence that the FireFox and Opera vulnerabilities come almost one year to the day after Nate McFeters and I reported the original firefoxurl and mailto protocol handling vulnerabilities… and I use the term “reported” loosely :) . Nate and I have changed over the past year… we’re both older and fatter, but it seems that protocol handlers continue to be as vulnerable as ever.


In closing, I want to thank the Mozilla Security Team (Dan Veditz in particular) and the Apple Security Team for working with me on this issue. It would have been easy for them to point fingers at the other organization, but both teams took responsibility for their portion and committed to changes. Thanks guys! I’ll buy the beers in Vegas!

Posted by xssniper | Filed in Security

  • kuza55

    Ok, I must admit, I’m slightly confused why Mozilla decided to patch the pipes thing *now*.

    I don’t know about you guys, but that was the trick I always needed to use with firefoxurl to get it to launch URLs in Firefox (not as glamorous as code-exec, but I was interested in cross-browser XSS at the time, when people were recommending things like using different browsers for different things), so why the long delay?
    Were they waiting for exploit code to pop up again?

  • http://blogs.zdnet.com/security Nate McFeters

    Hahaha, not just older and fatter, but both much more married than we were last year.

  • http://r00tin.blogspot.com rob

    I love their recommendation on this:

    “Using Firefox, or making sure it is at least running, prevents this attack.”

    Don’t want to get pwned? Just add Firefox to your Startup folder!