Mozilla is working to fix a flaw in the JAR URL handler that could leave Firefox users open to cross-site scripting attacks that are impossible for anti-virus programs to prevent.
It turns out that the vulnerability, first reported in February by Jesse Ruderman, is far more serious than first realized. In fact, it turns out to be endemic to “almost everything that smells like Web 2.0,” security researcher Petko D. Petkov, also known as “pdp” of GNUCitizen, wrote in a Nov. 7 posting.
At risk are any applications that allow the upload of JAR/Zip files, such as Web mail clients, collaboration systems or document sharing systems, Petkov wrote. A JAR (Java Archive) file, used for aggregating multiple files into one, is generally used to distribute Java classes and associated metadata, but the protocol is not restricted to use with Java archives and will open any .zip format file.
Document formats, such as the ODT (OpenDocument Text) file format in OpenOffice and the Microsoft Office 2007 Open Document Format, are both based on Zip and as such are particularly vulnerable, Petkov said.
An attacker who creates a simple document in either of those two popular programs could change its extension to .zip and then be able to modify the format at will, he said— by adding a malicious page with a client- or server-side attack inside the archive, for example. Then, the attacker need only to change the extension back to .odt or .doc to have an exploit that would evade security filters and redirect the program in question to a malicious page.
“Once the malicious Zip/Doc/Odt/Etc/Etc/Etc file is uploaded/shared attackers will be able to cross-script the origins in whatever way they like,” Petkov wrote. Petkovs research has shown that many applications are affected by the issue, including some coming from Google and Microsoft. “[The] number [of affected applications] is so big that it makes almost no sense to try to list them all here or even be bothered to individually investigate all of the related issues in detail. The root cause is only one: the jar: URL protocol handler.”
The bad news continues: The JAR URLs can also be used to obfuscate malicious payloads to an extent that they will go unrecognized by anti-virus software, Petkov said.
To read about the thousands of unprotected databases that litter the Internet, click here.
“The protocol handler [can] be nested (jars within jars within jars) and can encapsulate the data: protocol as well,” he wrote. “Attackers can easily write a self-extracting payload which is hidden behind multiple [permutations] of both the jar: and data: protocols and as such evade intrusion detection and prevention mechanisms that might be on place to guard the perimeter.”
Mozilla said in a Nov. 17 posting that a successful attack would look like this: “An attacker may upload a zip format file to a trusted site that allows users to upload content. The victim clicks on a link on the attackers website or in an email that links to the uploaded content on a trusted site. Since the content is loaded from the trusted site, content from the zip file runs in the context of the trusted site. This may allow the attacker to access information stored on the trusted site without the victims knowledge.”
The problem is actually twofold, according to Mozilla. A second issue arises if a .zip archive is loaded from a site through a redirect, at which point Firefox uses the context from the initiating site. That would allow an attacker to take advantage of a site with an open redirect and host content on their own malicious site that will execute with the permissions of the redirecting site.
A proof of concept involving an attack against Gmail that allows the attacker access to the victims stored Gmail contacts was posted to Mozillas Bugzilla list on Nov. 15.
Mozilla said in its posting that future versions of Firefox, starting with Firefox 2.0.0.10 (currently in testing), will only support the JAR scheme for files that are served with the correct application/java-archive MIME type. Also, Firefox will adjust the security context to recognize the final site as the source of the content.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.