| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
Critical Firefox security flaw discovered | |
|
||
| Time: 12:20 EST/17:20 GMT | News Source: News.com | Posted By: Jonathan Tigner | ||
|
A "highly critical" security flaw has been discovered in Firefox, which could allow a malicious attacker to gain remote control of a user's system, according to an advisory issued by Secunia. The security flaw is found in Firefox 2.0 and later versions, due to the way it registers the "firefoxurl://" URI (uniform resource identifier) handler, which allows the browser to interact with specific resources on the Web. "A new URI handler was registered on Windows systems to allow Web sites to force launching Firefox if the 'firefoxurl://' URI was called, like ftp://, http://, or similar would call other applications," explained Thomas Kristensen, Secunia chief technology officer. But because of the way the URI handler was registered by Firefox, it causes any parameter--which activates a program to perform a particular task--to be passed from Microsoft's Internet Explorer, or another application, to Firefox, when firefoxurl:// is activated. | ||
|
Write Comment
Return to News |
Displaying 1 through 25 of 164 Last | Next |
The time now is
10:20:07 AM
ET.
Any comment problems? E-mail us |
| #1 By 8556 (12.207.97.148) at 7/10/2007 12:56:47 PM |
|
This should bring ten plus postings as we digitally bash each other's browser preferences. May the fun begin..... (Go Opera!)
So far my predictions posted here have all been wrong. Keep it at 100% and avoid the easy bitching. Thanks. |
| #2 By 37 (76.210.78.134) at 7/10/2007 1:26:04 PM |
| Firefox and Safari FTW! :-) |
| #3 By 23275 (24.179.4.158) at 7/10/2007 1:28:26 PM |
|
IE 7 Roolz! FF and Saf are communist pawns.
Okay - there's my contribution to being silly. |
| #4 By 37 (76.210.78.134) at 7/10/2007 1:37:12 PM |
| You are so silly. IE 8 Roolz! |
| #5 By 13030 (198.22.121.110) at 7/10/2007 1:55:05 PM |
| Paging NotParker, paging NotParker... |
| #6 By 32132 (142.32.208.232) at 7/10/2007 2:58:45 PM |
|
#5 Did Firefox ask permission before it registered a new, insecure URI handler?
Safari and Firefox = Trojan Horses |
| #7 By 3653 (68.52.143.149) at 7/10/2007 3:05:53 PM |
| lynx baby! |
| #8 By 52115 (66.181.69.250) at 7/10/2007 3:17:39 PM |
|
http://www.xs-sniper.com/sniperscope/IE-Pwns-Firefox.html
If you read how this works, you have to have Firefox v2 installed and visit a site using IE7. How many of your general users (besides your web designers) are going to install Firefox and use IE7 as their default browser? if you install Firefox, you're going to default to firefox. Maybe Mom and Dad and little Billy installs Firefox because its KOOL and Dad uses IE7 because MS is best. But what is Dad visiting to be concerned about this flaw. But still makes me wonder, why aren't more people using OPERA? I do and only really use IE7 for things where our proxy freaks out because of Opera. Opera is still the best web browser out there. |
| #9 By 32132 (142.32.208.232) at 7/10/2007 3:25:46 PM |
|
#8 The IE Pwns Firefox states:
"The danger arises when parameters that are part of the firefoxurl: are passed directly to the Firefox.exe as options, without validation." Can you imagine the screams from Mozilla if IE started deciding what was valid input for Firefox??? This is a Firefox flaw, plain and simple. Firefox registered the URI handler. Firefox should have properly validated the data. |
| #10 By 37 (76.210.78.134) at 7/10/2007 3:55:33 PM |
|
Opera is a great browser, but it doesn't support many sites properly. I can't get it to properly layout OWA 2003, Gmail with talk enabled, Google Apps, most of my sharepoint sites, and many forums get whacked out in Opera.
As a browser, and it's feature set, UI and speed, it does rock though. |
| #11 By 3653 (68.52.143.149) at 7/10/2007 8:41:56 PM |
| maxthon anyone? |
| #12 By 12071 (202.43.138.32) at 7/11/2007 5:33:51 AM |
|
#9 "This is a Firefox flaw, plain and simple. Firefox registered the URI handler. Firefox should have properly validated the data."
It looks like the security researcher, Thor Larholm, who discovered this exploit (and hence knows infinitely more about this topic than you do) disagrees with you (shock horror there I know!): http://larholm.com/2007/07/10/internet-explorer-0day-exploit/ "Michael, Firefox is the current attack vector but Internet Explorer is to blame for not escaping ” (quote) characters when passing on the input to the command line. I agree that Firefox could have registered its URL handler with pure DDE instead and thereby have avoided the possibility of a command line argument injection, but IE should still be able to safely launch external applications safely. Davo, Internet Explorer doesn’t filter the input for the irc:// or aim:// URL protocol handlers either. The exploitability on those depend on what arguments each application accepts." The Symantec researchers noted that BOTH IE and FireFox are to blame in this particular case: http://news.com.com/8301-10784_3-9741435-7.html This post was edited by chris_kabuki on Wednesday, July 11, 2007 at 05:38. |
| #13 By 15406 (216.191.227.68) at 7/11/2007 9:20:38 AM |
|
It's an IE bug, plain and simple. You must use IE to trigger the bug. Clicking the firefoxurl:// link in Firefox does not trigger the bug. MS claims it's not their bug, so we have a situation where MS could make one fix and it would be solved for good, but since they claim it isn't their fault, everyone else in the world that uses a similar custom tag will have to modify their code to compensate for IE not escaping " chars properly.
|
| #14 By 32132 (66.183.203.110) at 7/11/2007 9:32:21 AM |
|
Its a Firefox flaw. Lots of applications can launch URI's.
Firefox registered the URI handler in a defective manner, and Firefox screws up when it gets the URI's parameters. As one commenter succintly put it: "Complete bollocks - not all applications choose to use the quote character as their literal delimiter. I’ve seen apps use anything from ” to ‘ to [] - what should IE do, escape every single character? And then how would it escape it? Some applications use “” to escape, some use \, some use… you get the idea. This is a Firefox vulnerability and NOTHING more (incidentally, I tested it and it doesn’t work - I get infinite new tabs after the first instance spawns, but nothing else). Claiming it’s an IE exploit is nothing but a load of FUD, and definitely lays doubt on the legitimacy of any “exploit” you claim to find." This post was edited by NotParker on Wednesday, July 11, 2007 at 09:32. |
| #15 By 15406 (216.191.227.68) at 7/11/2007 10:27:33 AM |
|
As Lars, the guy who found the bug put it:
"You can’t blame Firefox for doing what it is told to do, the only problem is that IE will let us specify more stuff that it has to do than was originally intended. Firefox specifically expected to be called with ‘-url “SOMEURL”‘ and if IE had escaped the ” character that I added to SOMEURL then I would have never been able to specify additional command line arguments such as -chrome." And some random guy said this: "I think those blaming firefox haven’t fully understood what is happening here." So that settles it then. |
| #16 By 32132 (142.32.208.232) at 7/11/2007 2:55:21 PM |
|
As I quoted someone else:
"Complete bollocks - not all applications choose to use the quote character as their literal delimiter." "the only problem is that IE will let us specify more stuff ..." So IE should limit what is sent to 3rd party applications???? Imagine the screams of outrage!!!!! |
| #17 By 32132 (142.32.208.232) at 7/11/2007 2:57:02 PM |
|
As the referenced CNET article says:
"Registering the URI handler must be done with care, since Windows does not have any proper way of knowing what kind of input potentially could be dangerous for an application," said Kristensen. "For example, how should Windows know that the string 'chrome' could be dangerous for Firefox."" |
| #18 By 28801 (71.58.231.46) at 7/11/2007 6:25:57 PM |
|
If any one of us, as developers, wrote an application that could be exposed in this way, it would be our responsibility to plug the hole in our app.
It’s a Firefox issue! |
| #19 By 12071 (202.43.138.32) at 7/11/2007 9:30:47 PM |
| #18 That's the problem, the issue isn't quite as clear cut as some would make it out to be. As Parkkker has mentioned, Windows is a pile of crap when it comes to URI handlers. You cannot blame Firefox for doing what it is being told to do - after all, you don't put the blame on a database server for sql injection now do you? As I see it the only quick fix is to remove the URI Handler (but on this - honestly - just how many firefoxurl uri's are there out there?) as Firefox (and any app for that matter) can't tell if it's being executed from the command line, a shortcut or due to a user clicking on a link and the URI Handler is being invoked. |
| #20 By 32132 (66.183.203.110) at 7/11/2007 11:15:18 PM |
|
"as Firefox (and any app for that matter) can't tell if it's being executed from the command line, a shortcut or due to a user clicking on a link and the URI Handler is being invoked. "
Not true: "Firefox could have registered its URL handler with pure DDE instead and thereby have avoided the possibility of a command line argument injection" |
| #21 By 28801 (65.90.202.10) at 7/12/2007 10:12:33 AM |
| #19: I'm not blaming the database server. There are methods we can use to prevent SQL injection. If I don't use those methods then I, as the programmer, am at fault. |
|
Write Comment
Return to News |
Displaying 1 through 25 of 164 Last | Next |
The time now is
10:20:07 AM
ET.
Any comment problems? E-mail us |
