Firefox Wont Save You from IE Flaws

 
 
By Lisa Vaas  |  Posted 2007-09-19 Print this article Print
 
 
 
 
 
 
 

Users running Firefox are vulnerable to IE flaws via files supported by Windows Media Player, a researcher shows.

Running Firefox or Opera as a default browser wont save you from unpatched Internet Explorer vulnerabilities—a fact made explicit when a researcher showed how easy it is to put HTML inside files supported by Windows Media Player. Researcher Petko D. Petkov said in a Sept. 18 blog posting that hes found that a fully patched Windows XP Service Pack 2 system running Internet Explorer 6 or 7 along with Windows Media Player 9—the default, although the media player is now up to Version 11—will open any page of an attackers choice even if the default browser is not Internet Explorer. The broader implication is that even users who think theyre safe because they dont run IE are exposed to any IE vulnerabilities out there, Petkov said. This is true not only for Windows Media Player users but also for those who run Skype, GTalk and AIM, given that those applications all use IE for rendering incoming and outgoing messages, he told eWEEK in an e-mail.
"Many users dont realize that they are running IE most of the time, although their default browser is Firefox, Opera, Safari or whatever it might be," he said.
The preferred browser for Windows Media Files is also IE, given Microsofts proprietary formats, he said. "Therefore, a movie running in Windows Media Player will use no other browser but IE itself, regardless of your settings," he said. In other words, running a fully patched version of Firefox with an unpatched version of IE is just as big a security gamble as running unpatched Firefox. He gave this example: Firefox opens a security confirmation box when the attacker wants to launch an application through a URL handler. IE does not. However, attackers can force a page to open in IE, thereby opening an external application and enabling them to launch an attack such as a Second Life exploit he described earlier the week of Sept 17. Such an attack can be embedded inside a Windows Media Player meta file, he said. "Even if you are a Firefox user, the attack will work. Of course you have to open the meta file first." Petkov said the vulnerability can be used in some "very, very interesting" phishing attacks. He himself prepared a simple proof of concept that spawns a window in full-screen mode, noting that it would be simple to fake a Windows log-out/log-in sequence to phish credentials from victims. Petkov has been on a roll lately when it comes to the hidden dangers he sees in so-called "media meta files." One such media meta file is QTL, the format that was exploited in a recent QuickTime vulnerability he discovered. (Mozilla fixed the QuickTime vulnerability in Firefox on Sept. 18, but Apple has yet to fix the primary QuickTime flaw.) Other media meta files include ASX, a format that hes working to bring attention to now, saying that problems "could easily emerge" with the format. Petkov told eWEEK that the best way to protect a system from the Windows Media Player vulnerability is to upgrade to Windows Media Player 10 or 11. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
 
 
 
 
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel