Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • IT Management
    • PC Hardware

    Firefox Under the Gun of Yet Another URL-Handling Bug

    By
    Lisa Vaas
    -
    July 26, 2007
    Share
    Facebook
    Twitter
    Linkedin

      The Mozilla Foundation is dealing with yet another URL-handling issue—and this time, researchers have posted a non-malicious proof of concept that shows how the flaw can be used for remote command execution on machines running Mozillas Firefox browser.

      Mozillas URL-handling hassles began earlier in July, when security researcher Thor Larholm found a zero-day vulnerability that can lead to systems getting hijacked. Larholm called it an IE zero-day at the time, blaming the vulnerability on an input validation flaw in Internet Explorer that allows users to specify arbitrary arguments to the process responsible for handling URL protocols. Its the same type of input validation vulnerability that Larholm discovered in the Safari 3 beta, he said at the time.

      The vulnerability involved IE as an entry point and Firefox as the application receiving bad data. There ensued much passing of the buck following this earlier URL-handling flaw, with Microsoft blaming Firefox and Mozilla blaming IE and much the blogosphere doing its part in the blame game.

      Mozilla Security Chief Window Snyder owned up to the issue on July 23, though, saying that Mozilla had found a new scenario over the weekend in which Firefox could be used as an attack entry point in various ways. Specifically, while browsing with Firefox, Snyder said, a malicious URL could be used to pass along bad data to another application.

      “We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well,” she said in Mozillas security blog. “We should have caught this scenario when we fixed the related problem in 2.0.0.5. We believe that defense in depth is the best way to protect people, so were investigating it now.”

      The current URL handling flaw, which Mozilla, based in Mountain View, Calif., is now working to patch, was discovered by Bill Rios—a senior security consultant for VeriSign—and Nate McFeters—a senior security advisor for Ernst & Youngs Advanced Security Center.

      This URL-handling issue is on Windows XP running Firefox and also infects Netscape and Mozilla browsers. It involves URLs for Web protocols that contain the characters “%00” and that manage to launch the wrong handler. Such URLs appear to be able to launch local programs, with limited argument passing, according to Snyder.

      Rios and McFetters posted a simple proof of concept showing how the flaw could be abused by a remote attacker. The PoC simply opens up the Windows calculator (Calc.exe); “Of course, if someone wanted to, they could execute other more malicious programs / applications,” Rios told eWEEK in an e-mail exchange.

      The researchers listed a number of exploits that can be launched with no user interaction required. “Our example is very innocuous, but it does clearly show that remote command execution on a Firefox users machine is possible,” Rios said.

      The security researchers have used the flaw to successfully test exploits for Firefox, Netscape and Mozilla browsers and said that other browsers are affected by related vulnerabilities. “Once again, a flaw in the URI handling behavior allows for remote command execution. UNREGISTER ALL UNNECESSARY URIs NOW!” they wrote on their blog posting.

      The researchers explained the dangers of registering URIs for applications, saying that many applications arent designed to handle remote accessibility.

      “Some developers dont understand that registering a URI increases the attack surface for an application because it now makes functionality for that application remotely accessible,” Rios told eWEEK. “Many applications that install URI handlers are not designed to handle remote access to various pieces of functionality … Throw in a lack of sanitization on the browsers part and we have a Perfect Storm.”

      The researchers advise developers to review registered URI-handling mechanisms and audit the functionality called by those URIs to lessen the risk of making applications vulnerable to these types of URL handling problems.

      Theres a lot for developers to look out for. The list of URL handling flaws the two researchers have discovered only in the last month is long. They have discovered a host of command-injection flaws due to browsers not properly sanitizing data: mailto, news, snews, nntp, telnet, aim, firefoxurl, navigatorurl.

      The two have also found buffer overflow vulnerabilities due to applications not properly sanitizing data: in AIM and in res. Also, theyve found multiple Local Program Enumeration issues in IE7 as well as functionality abuse on Firefox.

      Mozilla said the impact to users of the most recently discovered URL-handling vulnerability is unknown at this time. “We are working to verify this and in the meantime, advise users to be cautious when browsing unknown sites,” the foundation said on its security blog.

      Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

      Avatar
      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×