path: root/wired/old/published/Webmonkey/Monkey_Bites/2007/07.23.07/Thu/ff.txt
Yet another vulnerability in Firefox's URL handler component was published earlier this week. As with earlier bugs, the new flaw could allow crackers to run unauthorized software on a victim's machine.

An earlier bug that exploited the URI handler has already been addressed. Though a patch has not yet been released, the item is [listed as "Resolved Fixed"][2] in the Mozilla bug tracker.

Firefox's URI handler has caused problems for Mozilla ever since security researcher Thor Larholm [showed][1] that the way Internet Explorer and Firefox pass URIs between them could be exploited to launch software without authorization. 

Mozilla initially claimed the bug lay with Explorer, but later retracted that statement and admitted that Firefox was at least partly at fault.

It's difficult to keep track of all these exploits because they essentially do the same thing, but use different mechanisms to pass through the URI. The basic gist of the attack is that you visit a malicious site in IE which then calls up Firefox 2 and passes through a URI and parameters. 

These parameter strings can be nearly anything. An early proof-of-concept attack created a new Firefox user profile without authorization, but much worse could be achieved.

Billy Rios, who [reported the latest version of the URI attack][3], says that developers should use caution in allowing their applications to register a URI handler.

>Developers who intend to (or have already) registered URIs for their applications MUST UNDERSTAND that registering a URI handler exponentially increases the attack surface for that application.  Please review your registered URI handling mechanisms and audit the functionality called by those URIs…

For those of us at the user end of the spectrum, Mozilla says that they are working to solve this latest attack and that a patch should be forthcoming. And remember, this flaw is only a vulnerability if you're using IE and have Firefox installed.
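
For developers acting on Rios's advice to audit registered URI handlers, here is one check to start from, as an added example that is not from the original post or from Mozilla: does a URI handed over by another program stay a single argument once it is substituted into the handler's command line? The `exampleapp:` scheme, the command template, the option names and the simplified argument splitter are all assumptions made for illustration.

```python
import re

# Hypothetical handler registration (assumption, not from the article):
# the OS replaces %1 with the URI that the calling browser hands over.
TEMPLATE = '"C:\\Program Files\\ExampleApp\\app.exe" -url "%1"'

def split_args(cmdline):
    """Simplified quote-aware splitter: whitespace separates arguments,
    double quotes group them. Backslash escaping is deliberately ignored."""
    args, cur, in_quote, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote, started = not in_quote, True
        elif ch.isspace() and not in_quote:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

# Argument count the handler expects when %1 is a harmless value.
BASELINE = len(split_args(TEMPLATE.replace("%1", "x")))

# Conservative allow-list: the scheme, then only characters that cannot
# close a quoted argument or start a new one.
SAFE_URI = re.compile(r"^exampleapp:[A-Za-z0-9._~/?#&=%:+-]*$")

def stays_single_argument(uri):
    """True if substituting the URI leaves the argument count unchanged."""
    return len(split_args(TEMPLATE.replace("%1", uri))) == BASELINE

def accept(uri):
    """Handler-side gate: allow-list first, then the structural check."""
    return bool(SAFE_URI.match(uri)) and stays_single_argument(uri)

# Constructed sample inputs, not taken from any real report.
SAMPLES = [
    "exampleapp://open/item?id=42",
    'exampleapp://open" --extra-option "value',
    "exampleapp://open/has space",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(accept(s), len(split_args(TEMPLATE.replace("%1", s))), repr(s))
```

The third sample stays inside its quotes yet is still rejected, because the allow-list is deliberately stricter than the structural check; a handler should apply the same gate to whatever it parses out of the URI afterwards.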

[1]: http://blog.wired.com/monkeybites/2007/07/security-flaw-d.html
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=389580
[3]: http://xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/