Cross-browser Firefox/IE flaw worsens

The browser flaw which allows attackers to hijack a computer by using Internet Explorer to launch Firefox is affecting other applications as well. Security researchers Nate McFeters, Billy Rios and Raghav Dube have disclosed information and working exploit code for a similar vulnerability in Trillian. Like the Firefox attack, the Trillian exploit uses a Uniform Resource Identifier (URI) function as the point of attack.

The URI allows the browser to launch a third-party application on the user's system in much the same way that a URL is used to access a web page. When the user visits a specially-crafted page, the application is launched and attack code is run to crash the application and execute code. The attack could be used to remotely install malware on a user's system.

News source: vnunet


22 Comments


Nah, it's lazy programming on the part of every other 3rd party application. Basically, Windows has NO IDEA what 3rd party applications use as escape characters on their command line, so it does not attempt to escape outbound URIs registered with the system. If it did, it would horribly mangle command lines to any application which doesn't use standard escape characters. Basically, if you have knowledge of the escape character for an app, you can end the escape sequence early (the opening and closing characters are likely surrounding the "%1" in the definition) and pass parameters directly to the application.

Microsoft's answer has always been to strongly encourage developers to use DDE (Dynamic Data Exchange) - which is, in its simplest form, similar to AppleScript (possibly even inspired by it) - to talk to the application. Oddly enough, Firefox does this but ONLY when it's already running. I'm not sure with apps like Trillian though of course.

Spoken like the Microsoft PR department. The only correct way to handle security is to do it in multiple layers. As can be seen only god knows how many other programs are vulnerable to similar attack, clearly the only reasonable solution is to consider not escaping quotes a severe security vulnerability in IE and have Microsoft patch it.

Elendil said,
Spoken like the Microsoft PR department. The only correct way to handle security is to do it in multiple layers. As can be seen only god knows how many other programs are vulnerable to similar attack, clearly the only reasonable solution is to consider not escaping quotes a severe security vulnerability in IE and have Microsoft patch it.

You clearly have no idea what you are talking about. Like the OP said, the secure way would be through DDE. Do you blame Windows if the 3rd party network application that needs security uses an unsecure protocol? Just because Windows provides you with an unsecure protocol does not mean you have to use it. A lot of other applications also use URI but it's not a security vulnerability because it doesn't have features that need the security the DDE provides.

Elendil said,
Spoken like the Microsoft PR department. The only correct way to handle security is to do it in multiple layers. As can be seen only god knows how many other programs are vulnerable to similar attack, clearly the only reasonable solution is to consider not escaping quotes a severe security vulnerability in IE and have Microsoft patch it.

You just get more and more dense don't you? How exactly is Internet Explorer to know that a quotation mark is the ending sequence for a particular app's spaced command line? Just as importantly, how does it know what to escape the escape sequences with? Your suggestion is stupid, and utterly without merit because it relies on every application in the world using the same command lines, escape characters, and multi-word escape sequences. This not being true, your suggestion would result only in horribly breaking some applications, and making some more secure. Unacceptable tradeoff.

It's been noted that DDE is apparently not encouraged any more according to Raymond Chen's blog. Being that there is absolutely no alternative other than (insecure) command lines with parameters, I (from the perspective of a developer) would completely ignore that advice until we get something like AppleScript (I hate admitting Apple did something good). Alternatively, I'd have a secondary application which accepts only ONE parameter (filename) with absolutely no escape codes or sequences, and execute the main application after I've filtered to make sure no codes which would prematurely end any given parameter to my app exist.
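The quoting problem discussed in the comments above, as an added example that is not part of the article or of any commenter's post: a handler command with an unescaped `"%1"` turns one URI into several arguments, and a filtering stub keeps it to one. The `demo:` scheme, `viewer.exe`, `-url` and `-extra-flag` are hypothetical, and the argument splitter is a simplification of the real C runtime rules.

```python
import re
from urllib.parse import quote

# Hypothetical handler registration: the command run for the constructed
# "demo:" scheme, with %1 replaced by the URI the browser hands over.
EXE = r"C:\Program Files\Viewer\viewer.exe"
TEMPLATE = '"' + EXE + '" -url "%1"'

def split_args(cmdline):
    """Simplified argv split: whitespace separates, double quotes group.
    (The real C runtime also handles backslash escapes; omitted here.)"""
    args, cur, in_q, started = [], "", False, False
    for ch in cmdline:
        if ch == '"':
            in_q, started = not in_q, True
        elif ch.isspace() and not in_q:
            if started:
                args.append(cur)
            cur, started = "", False
        else:
            cur += ch
            started = True
    if started:
        args.append(cur)
    return args

def naive_launch_argv(uri):
    """What the target application sees when %1 is pasted in unescaped."""
    return split_args(TEMPLATE.replace("%1", uri))

# Allowlist for the stub: scheme plus characters that cannot end a parameter.
SAFE_URI = re.compile(r"^demo:[A-Za-z0-9._~/?&=%-]*$")

def stub_launch_argv(uri):
    """Filtering stub: percent-encode everything outside the allowlist,
    reject anything that still fails, and pass exactly one URI argument."""
    scheme, _, rest = uri.partition(":")
    cleaned = scheme + ":" + quote(rest, safe="/?&=._~-%")
    if not SAFE_URI.match(cleaned):
        raise ValueError("rejected URI")
    return [EXE, "-url", cleaned]

if __name__ == "__main__":
    crafted = 'demo:page" -extra-flag "x'   # constructed sample input
    print(naive_launch_argv(crafted))       # five arguments instead of three
    print(stub_launch_argv(crafted))        # still three, quotes encoded
```
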

I don't get...whose fault is this, Microsoft or Mozilla?

In order for this to happen you have to have both installed, correct? So is it because of Microsoft that this happens once Firefox is installed or is it a bug in Firefox?

IE is being used as a vehicle to conduct an attack. The only way to prevent it is to disable the functionality, which would break many, many 3rd party apps.

Cross-browser Firefox/IE flaw worsens gets slightly better

If I read this all correctly, Firefox addon NoScript has patched/fixed this for Firefox.

NoScript- V. 1.1.6.03 "XSS Was Yesterday"

#The counter-measures against cross-browser exploits already released on June, the 22nd do prevent also this 0 day cross browser remote execution attack. -18day protection? :)

If you are running NoScript, or want to try it, here is the link for the newest one on their site; the addons.mozilla.org or whatever their site is is usually slow to update, and is probably not showing this yet.

Get it here- http://noscript.net/getit#direct then by clicking direct download link

Occam's razor principle would tell otherwise... but then again what did that guy know about computers :cheeky:

tibi08 said,
Clearly, this is not a bug in IE but in fact a bug on every other Windows application.

ichi said,
Occam's razor principle would tell otherwise... but then again what did that guy know about computers :cheeky:

I guess he/she/it(?) was being sarcastic, or he's a die-hard M$ fanatic *COUGH*FANBOI*COUGH*. Anyways, expect every OTHER application to "fix" (or adapt to evade Microsoft's FEATURES) right before Microsoft decides to fix it one day. The solution I'd recommend is to evade using Internet Explorer, or google for a fix for it? I don't even care about that since the only application that has registered URIs on my PC is Firefox, and I've got the fix for it. (Thanks Boktai1000)

IceDogg, read http://neowin.net/index.php?act=view&i...&cid=566100 if you want the explanation.

Azmodan said,
I guess he/she/it(?) was being sarcastic, or he's a die-hard M$ fanatic *COUGH*FANBOI*COUGH*.

We can therefore conclude that while sarcasm is universal (gender wise), die-hard M$ fanatics *COUGH*FANBOIs*COUGH* are, without doubt, male.

It's not like their gender is actually important since it's common knowledge that *COUGH*FANBOIs*COUGH* of any sign are quite unlikely to procreate :cheeky: