Mozilla flaw attack code published

Mozilla is working on patching its Firefox browser after a hacker posted details of a flaw that could let criminals run unauthorized software on a victim's machine. The flaw lies in Firefox's URL handler component, which was the source of another bug Mozilla disclosed Tuesday. This second flaw was disclosed Tuesday by Billy Rios and Nathan McFeters, security consultants with Verisign and Ernst & Young respectively.

Like the first flaw, this one could be exploited by attackers to launch programs on the victim's PC without authorization, said Tyler Reguly, a security research engineer at nCircle Network Security. "They're both related to the URL handling process," he said. "It's just different errors within that handling process." Even though the code posted by Rios and McFeters can only be used to launch software that is already installed on a victim's PC, it could be very dangerous if used by criminals, Reguly said. "It's still letting you run any program that exists on the user's computer," he said. "You can make it do some fairly bad things. For example, having it use command-line FTP to download a malicious file off a server somewhere and then execute that file."

News source: InfoWorld


Apparently it seems that IE7 has a bug also, the Microsoft Windows URI Handling Command Execution Vulnerability.
Check here.

I know you didn't write this, but it's the stupidest advice I've seen for handling a vulnerability.

Solution:
Do not browse untrusted websites or follow untrusted links.

So stop using the Internet then??

Is there a site with more info about the URL handling process in general? I'd like to know 1) how to disable them entirely, and 2) what they are used for exactly, because my thinking now is I don't really need them.

Since it seems to rely on executing an already-installed local app on that PC, then they would have to call out something like "C:\Windows\System32\calc.exe". That would do nothing on my Linux box. But an exploit that tried to invoke "/usr/bin/kcalc" would find a target on my box, but not yours (nor an Ubuntu box, or other Linux boxes that used Gnome, for example).

EXO242 said,
Does this apply to all Operating Systems?

I think it would.

They would most likely have it aimed at Windows since it's the most widely used OS, but I don't see why they couldn't have one way to run the exploit on each OS. Maybe try something like an OS detection then run the command used for that specific OS. I'm not a coder or anything, but I don't see how that couldn't be done. Websites detect the OS you use all the time.

With this being an issue with both IE and Firefox, if I was a "hacker", I'd try to use it in a way that it attacks all of the OS's.

Cryingcure said,

I think it would.

They would most likely have it aimed at Windows since it's the most widely used OS, but I don't see why they couldn't have one way to run the exploit on each OS. Maybe try something like an OS detection then run the command used for that specific OS. I'm not a coder or anything, but I don't see how that couldn't be done. Websites detect the OS you use all the time.

With this being an issue with both IE and Firefox, if I was a "hacker", I'd try to use it in a way that it attacks all of the OS's.

No, it doesn't. The URI handler exploit is basically using Internet Explorer to execute attacks based on other installed applications that use a URI. That's why it happens on Trillian and Firefox.

Can Microsoft please release a tool to uninstall Internet Explorer entirely? Please? I'll try this www.litepc.com/ieradicator.html at home. Hopefully the process won't kill Windows...

In other news:

http://www.heise-security.co.uk/news/93384

The bickering between Microsoft and the Mozilla Foundation about registered protocol handlers and the resulting security problems continues. A new demo has been published, illustrating how the latest version of Firefox running under Windows XP SP2 can be made to start an application using crafted links. Clicking on a manipulated mailto:, nntp:, snews: or news: link opens the command line and the Windows calculator. In principle, any command can be executed and code can be injected and executed via a website in this way.

However, for the demo to work, Internet Explorer 7 needs to be installed.

Yeah, you know who to blame.

From miffo.swe @ /.

"It is Firefox's fault. They're invoking a Windows API directly without doing any sanity checking on the input." According to your masters it's the receiving application that should do the sanity check. There was a rather heated debate on this a while ago when it was IE who forwarded malicious URLs to Firefox. Also, Firefox told IE to open a URL for all it knows, not some random application. The error is in IE7 no matter how you spin it. Don't forget any application besides Firefox can forward these kinds of URLs to IE7. In short, any application you use that connects to web pages is a threat to IE7.

Just about any application can forward malicious data to IE7. Microsoft can blame Firefox all they want but the hole will still exist in IE7 after having been patched by the Mozilla org. I repeat, the hole is accessible from any application connecting to the internet, not just Firefox. IE6 does not have this security issue so it's safe to assume the fault lies with Microsoft. Last time, when the roles were the other way around and Firefox passed malicious things onto IE, Microsoft said the receiving application was at fault because it should check if it could handle what it received. Well, this time that's just how it is, IE7 does not check what it receives at all. In short, IE7 is less safe in this case than IE6 was, and the fault does, according to previous statements from Microsoft, not lie in the sending application (Firefox) but in the receiver (Internet Explorer 7).
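The input check that the argument above calls for, as an added example (not code from Mozilla, Microsoft, the article or any commenter): a hypothetical dispatcher that validates a URI before forwarding it to a registered scheme handler, refusing the percent-encoded NULs, quotes and "../" segments the crafted links rely on. The scheme allow-list, the function names and the sample URIs are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Schemes this hypothetical dispatcher is willing to forward to a handler.
ALLOWED_SCHEMES = {"mailto", "news", "nntp", "snews"}

# Characters that turn "one URI argument" into several, or into a path:
# NUL and other control characters (arrive percent-encoded as %00 etc.),
# double/single quotes, and backslashes.
_FORBIDDEN = re.compile(r'[\x00-\x1f\x7f"\'\\]')


def validate_handler_uri(uri: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is False when the URI must not be forwarded.
    Deliberately conservative: it also refuses some legal but unusual URIs."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} is not allow-listed"
    # Inspect the *decoded* form: the downstream handler may decode again,
    # so %00 or %22 in the raw string is as bad as a literal NUL or quote.
    decoded = unquote(uri)
    if _FORBIDDEN.search(decoded):
        return False, "control, quote or backslash character after decoding"
    # Refuse parent-directory segments anywhere in the decoded URI.
    if any(seg == ".." for seg in re.split(r"[/?#:]", decoded)):
        return False, "'..' path segment after decoding"
    if len(decoded) > 2048:
        return False, "URI longer than 2048 characters"
    return True, "ok"


def handler_argv(handler_exe: str, uri: str) -> list[str]:
    """Build the argument vector for the external handler. The URI is a
    single argv element (no shell, no string concatenation), so a handler
    started with subprocess.run(argv, shell=False) receives it verbatim."""
    ok, reason = validate_handler_uri(uri)
    if not ok:
        raise ValueError(f"refusing to forward {uri!r}: {reason}")
    return [handler_exe, uri]


if __name__ == "__main__":
    # Constructed samples; the last one is the start of the crafted snews: link
    # quoted elsewhere in this thread.
    for sample in ("mailto:alice@example.com?subject=Hello%20there",
                   "news://news.example.net/comp.security.misc",
                   "http://example.com/",
                   'snews:%00%00../../../../../../windows/system32/cmd ".exe'):
        print(sample[:48].ljust(48), validate_handler_uri(sample))
```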

Azmodan said,
...
However, for the demo to work, Internet Explorer 7 needs to be installed.
...
I guess this is a single-platform issue, after all.

markjensen said,
I guess this is a single-platform issue, after all.

from d3ac0n @ /.

Actually, while incredibly insecure, it is kinda cool to be able to slap in any program path in that malformed string and open any program.

For example, try this one if you have EVE installed on your PC: (You will have to copy-paste it as the Slashdot filter prevents the links from working.)

snews:%00%00../../../../../../windows/system32/cmd ".exe../../../../../../../../Program Files/CCP/EVE/eve.exe " - " blah.bat

#5 has the link on the Secunia examples (if anyone tries to tell me I'm wrong, read the article, in this part: "Successful exploitation requires that Internet Explorer 7 is installed on the system.").

You are vulnerable if you're using Internet Explorer 7, and this vulnerability has nothing to do with Firefox. So, any software that can have a malformed string can open anything on your computer if you have Windows and Internet Explorer 7. ANY.

edited for the typos..

XerXis said,
@Azmodan, don't make a fool of yourself, neither one of the bugs has anything to do with ie7

Huh? Have you READ THE ****ING LINK? #5? Have you tried the code using the RUN command -- and uninstalling Internet Explorer 7, and seen that it only works when it's installed?

Jesus, XerXis, do humanity a favor and CHECK THE SOURCES before trying to write something on the internet, don't make a ****ING MORON out of yourself.

This isn't a criticism of Microsoft, Apple or Mozilla....

Why are so many security holes being found in browsers these last 2 years...??!!

Well, it's humans who code the browsers, and humans aren't perfect..

But now that there are some tools that can double-check code for problems, and with the attention developers pay to security, shouldn't the number of security holes be a lot less??

It's like if I get off the web for 2 weeks and join again, I almost have the probability of my browser being hacked because of missing updates.. :confused: