Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • IT Management
    • PC Hardware

    Firefox Under the Gun of Yet Another URL-Handling Bug

    By
    Lisa Vaas
    -
    July 26, 2007
    Share
    Facebook
    Twitter
    Linkedin

      The Mozilla Foundation is dealing with yet another URL-handling issue—and this time, researchers have posted a non-malicious proof of concept that shows how the flaw can be used for remote command execution on machines running Mozillas Firefox browser.

      Mozillas URL-handling hassles began earlier in July, when security researcher Thor Larholm found a zero-day vulnerability that can lead to systems getting hijacked. Larholm called it an IE zero-day at the time, blaming the vulnerability on an input validation flaw in Internet Explorer that allows users to specify arbitrary arguments to the process responsible for handling URL protocols. Its the same type of input validation vulnerability that Larholm discovered in the Safari 3 beta, he said at the time.

      The vulnerability involved IE as an entry point and Firefox as the application receiving bad data. There ensued much passing of the buck following this earlier URL-handling flaw, with Microsoft blaming Firefox and Mozilla blaming IE and much the blogosphere doing its part in the blame game.

      Mozilla Security Chief Window Snyder owned up to the issue on July 23, though, saying that Mozilla had found a new scenario over the weekend in which Firefox could be used as an attack entry point in various ways. Specifically, while browsing with Firefox, Snyder said, a malicious URL could be used to pass along bad data to another application.

      “We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well,” she said in Mozillas security blog. “We should have caught this scenario when we fixed the related problem in 2.0.0.5. We believe that defense in depth is the best way to protect people, so were investigating it now.”

      The current URL handling flaw, which Mozilla, based in Mountain View, Calif., is now working to patch, was discovered by Bill Rios—a senior security consultant for VeriSign—and Nate McFeters—a senior security advisor for Ernst & Youngs Advanced Security Center.

      This URL-handling issue is on Windows XP running Firefox and also infects Netscape and Mozilla browsers. It involves URLs for Web protocols that contain the characters “%00” and that manage to launch the wrong handler. Such URLs appear to be able to launch local programs, with limited argument passing, according to Snyder.

      Rios and McFetters posted a simple proof of concept showing how the flaw could be abused by a remote attacker. The PoC simply opens up the Windows calculator (Calc.exe); “Of course, if someone wanted to, they could execute other more malicious programs / applications,” Rios told eWEEK in an e-mail exchange.

      The researchers listed a number of exploits that can be launched with no user interaction required. “Our example is very innocuous, but it does clearly show that remote command execution on a Firefox users machine is possible,” Rios said.

      The security researchers have used the flaw to successfully test exploits for Firefox, Netscape and Mozilla browsers and said that other browsers are affected by related vulnerabilities. “Once again, a flaw in the URI handling behavior allows for remote command execution. UNREGISTER ALL UNNECESSARY URIs NOW!” they wrote on their blog posting.

      The researchers explained the dangers of registering URIs for applications, saying that many applications arent designed to handle remote accessibility.

      “Some developers dont understand that registering a URI increases the attack surface for an application because it now makes functionality for that application remotely accessible,” Rios told eWEEK. “Many applications that install URI handlers are not designed to handle remote access to various pieces of functionality … Throw in a lack of sanitization on the browsers part and we have a Perfect Storm.”

      The researchers advise developers to review registered URI-handling mechanisms and audit the functionality called by those URIs to lessen the risk of making applications vulnerable to these types of URL handling problems.

      Theres a lot for developers to look out for. The list of URL handling flaws the two researchers have discovered only in the last month is long. They have discovered a host of command-injection flaws due to browsers not properly sanitizing data: mailto, news, snews, nntp, telnet, aim, firefoxurl, navigatorurl.

      The two have also found buffer overflow vulnerabilities due to applications not properly sanitizing data: in AIM and in res. Also, theyve found multiple Local Program Enumeration issues in IE7 as well as functionality abuse on Firefox.

      Mozilla said the impact to users of the most recently discovered URL-handling vulnerability is unknown at this time. “We are working to verify this and in the meantime, advise users to be cautious when browsing unknown sites,” the foundation said on its security blog.

      Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×