Firefox Wont Save You from IE Flaws

Running Firefox or Opera as a default browser wont save you from unpatched Internet Explorer vulnerabilities—a fact made explicit when a researcher showed how easy it is to put HTML inside files supported by Windows Media Player.

Researcher Petko D. Petkov said in a Sept. 18 blog posting that hes found that a fully patched Windows XP Service Pack 2 system running Internet Explorer 6 or 7 along with Windows Media Player 9—the default, although the media player is now up to Version 11—will open any page of an attackers choice even if the default browser is not Internet Explorer.

The broader implication is that even users who think theyre safe because they dont run IE are exposed to any IE vulnerabilities out there, Petkov said. This is true not only for Windows Media Player users but also for those who run Skype, GTalk and AIM, given that those applications all use IE for rendering incoming and outgoing messages, he told eWEEK in an e-mail.

“Many users dont realize that they are running IE most of the time, although their default browser is Firefox, Opera, Safari or whatever it might be,” he said.

The preferred browser for Windows Media Files is also IE, given Microsofts proprietary formats, he said. “Therefore, a movie running in Windows Media Player will use no other browser but IE itself, regardless of your settings,” he said. In other words, running a fully patched version of Firefox with an unpatched version of IE is just as big a security gamble as running unpatched Firefox.

He gave this example: Firefox opens a security confirmation box when the attacker wants to launch an application through a URL handler. IE does not. However, attackers can force a page to open in IE, thereby opening an external application and enabling them to launch an attack such as a Second Life exploit he described earlier the week of Sept 17.

Such an attack can be embedded inside a Windows Media Player meta file, he said. “Even if you are a Firefox user, the attack will work. Of course you have to open the meta file first.”

Petkov said the vulnerability can be used in some “very, very interesting” phishing attacks. He himself prepared a simple proof of concept that spawns a window in full-screen mode, noting that it would be simple to fake a Windows log-out/log-in sequence to phish credentials from victims.

Petkov has been on a roll lately when it comes to the hidden dangers he sees in so-called “media meta files.” One such media meta file is QTL, the format that was exploited in a recent QuickTime vulnerability he discovered. (Mozilla fixed the QuickTime vulnerability in Firefox on Sept. 18, but Apple has yet to fix the primary QuickTime flaw.) Other media meta files include ASX, a format that hes working to bring attention to now, saying that problems “could easily emerge” with the format.

Petkov told eWEEK that the best way to protect a system from the Windows Media Player vulnerability is to upgrade to Windows Media Player 10 or 11.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.