Thursday, July 17th, 2008
Mozilla issued a patch related to an issue I recently reported to them. The MFSA with details on the issue can be found here. It’s an interesting issue that demonstrates some of the complexities related to interaction between software from different vendors. This particular issue makes use of one of my favorite attack vectors, protocol handlers. The protocol handlers involved in this situation create an opportunity to pass “a command-line URI with the pipe symbols” from a remote webpage to FireFox.exe. For those that are interested, I’ll provide a small writeup on the issue this weekend. For those waiting, I’ll also provide a writeup on the Opera protocol handling issue leading to RCE when the Opera team is ready.
It’s a crazy coincidence that the FireFox and Opera vulnerabilities come almost one year to the day after Nate McFeters and I reported the original firefoxurl and mailto protocol handling vulnerabilities… and I use the term “reported” loosely :). Nate and I have changed over the past year… we’re both older and fatter, but it seems that protocol handlers continue to be as vulnerable as ever.
In closing, I want to thank the Mozilla Security Team (Dan Veditz in particular) and the Apple Security Team for working with me on this issue. It would have been easy for them to point fingers at the other organization, but both teams took responsibility for their portion and committed to changes. Thanks guys! I’ll buy the beers in Vegas!