Everything, Everything

2024: January February March
2023: J F M A M J J A S O N D
2022: J F M A M J J A S O N D
2021: J F M A M J J A S O N D
2020: J F M A M J J A S O N D
2019: J F M A M J J A S O N D
2018: J F M A M J J A S O N D
2017: J F M A M J J A S O N D
2016: J F M A M J J A S O N D
2015: J F M A M J J A S O N D
2014: J F M A M J J A S O N D
2013: J F M A M J J A S O N D
2012: J F M A M J J A S O N D
2011: J F M A M J J A S O N D
2010: J F M A M J J A S O N D
2009: J F M A M J J A S O N D
2008: J F M A M J J A S O N D
2007: J F M A M J J A S O N D
2006: J F M A M J J A S O N D
2005: J F M A M J J A S O N D
2004: J F M A M J J A S O N D
Whose Fault?
Wednesday 11th July, 2007 13:51 Comments: 1
I saw this when it first appeared on the SecurityFocus mailing list. A vulnerability has been discovered (complete with PoC), which (ab)uses the relationship between IE and Firefox. The exploit is quite effective, but there's just as much controversy over who is actually at fault. Instinctively, I say Mozilla. There are two reasons for this:
  • Firefox does not validate external input
  • Firefox registers the "firefoxurl" URI
Microsoft had a very similar problem three years ago where people used IE as an attack vector to exploit problems with Outlook Express (The vulnerability is caused due to a weakness in the way MHTML URLs are handled. This can be exploited to execute arbitrary code in the "Local Machine" security zone with the privileges of the current user), which was classified as an Outlook Express vulnerability.

Jesper Johansson, a former senior security strategist for Microsoft, said in a blog entry: "This exploit is actually for Firefox, but Thor exploited it by making IE launch Firefox" and "Firefox fails to properly validate the parameters, and any fix will have to come from Mozilla, not Microsoft".

The Register said: Roger Thompson, CTO of Exploit Prevention Labs, says Microsoft shares culpability because IE fails to properly validate the input before passing it along. "I think it's an IE issue mostly, because if you access the exploit directly with Firefox, FF warns you that something bad is happening and advises you to not do it," he said in an instant message.

But I think that's wrong. It would be nice if IE validated the input, but I don't think it should necessarily be expected to validate everything. The third party application should be the one validating all input.

Most importantly, if you try and run the PoC under a default installation of Vista (with UAC and Protected Mode enabled), just like Firefox, it warns you that something bad might be about to happen (unless you previously told IE that it could trust the third party application "Firefox"), so Vista users have ways to mitigate bad things from happening.

Firefox

EDIT: It seems that Firefox is the current attack vector but IE is to blame for not escaping quote characters when passing on the input to the command line. Firefox could have registered its URL handler with pure DDE instead and avoided the possibility of a command line argument injection, but it would be best if IE made it safe to launch external applications. The exploitability on those depend on what arguments each application accepts. If Firefox is already running then IE doesn't instantiate it through the command line, but through DDE instead, so the exploit doesn't work.
Avatar Robert - Saturday 21st July, 2007 11:22
I liked Jesper's analysis of Firefox: http://msinfluentials.com/blogs/jesper/archive/2007/07/20/hey-mozilla-quotes-are-not-legal-in-a-url.aspx

It seems that Firefox doesn't escape URLs, even though it blames IE for not escaping them.
© Robert Nicholls 2002-2024
The views and opinions expressed on this site do not represent the views of my employer.
HTML5 / CSS3