Firefox and IE together brew up security trouble

UPDATE: Blame them both.

That's the latest update from security researchers who initially laid the blame on Microsoft's Internet Explorer for the latest zero-day exploit that also can afflict those using the Firefox Web browser.

Users could face a "highly critical" risk if they have both IE and Firefox version 2.0, or later, loaded on their computer. The trouble begins when browsing a malicious site while using IE and it registers a "firefoxurl://" URI (uniform resource identifier) handler, which allows the browser to interact with specific resources on the Web. As a result, users may find their systems remotely compromised.

Earlier Tuesday, security researcher Thor Larholm, who discovered the IE flaw, and security research giant Symantec put much of the blame on IE, while Secunia's Thomas Kristensen, chief technology officer, attributed the problem to Firefox versions 2.0 or later.

"It's a little bit of both," said Oliver Friedrichs, director of Symantec's Security Response Center. "You have two very complex applications that are not playing well together and leading to a security issue. The components themselves are secure as stand-alone products but not together."

"Firefox is the current attack vector, but Internet Explorer is to blame for not escaping...characters when passing on the input to the command line," said Larholm, in response to a reader's comments. "I agree that Firefox could have registered its URL handler with pure DDE (dynamic data exchange, the protocol for information exchange) instead and thereby have avoided the possibility of a command-line argument injection, but IE should still be able to safely launch external applications."

Friedrichs noted that while Firefox, which released version 2 in October, has gained in popularity, most Firefox users will also have IE loaded on their computers, since it comes with the Windows operating system.

The number of people who may be at risk could be substantial, he added.

Meanwhile, Kristensen of Secunia said: "A new URI handler was registered on Windows systems to allow Web sites to force launching Firefox if the 'firefoxurl://' URI was called, like ftp://, http://, or similar would call other applications."

But because of the way the URI handler was registered by Firefox, it causes any parameter--which activates a program to perform a particular task--to be passed from Microsoft's Internet Explorer, or another application, to Firefox, when firefoxurl:// is activated.

An attacker may use "chrome" context--the interface elements of a browser that create the frame around its page displays--to inject code on a user's system that would be executed within Firefox, Kristensen said.

"Registering the URI handler must be done with care, since Windows does not have any proper way of knowing what kind of input potentially could be dangerous for an application," said Kristensen. "For example, how should Windows know that the string 'chrome' could be dangerous for Firefox."

Other than avoiding malicious Web sites, system administrators could unregister, or remove, the "Firefox URL" URI handler, as well as change the way Firefox accepts the chrome input, Kristensen said.

[afolgueira]

Well Second Major flaw in less than two months

ohh you MS haters are you guys now, IE7 is far more advance and secured than Firefox dispite what your blind people may say, including many of Cnet.com staff members.

[pjonesCET]

Re: Well Second Major Flaw in less than two months

The problem is not so much with FireFox, But Microsoft's OS allowing anything and everything to happen.

If MS would totally abandon the core code That been in use since 1980's and switch to either UNIX like Apple did on the Mac OS, or even Linux. The Virus and Malware would be shut down immediately. Either , Mac. UNIX, or Linux when something ask you to execute a file it ask your permission. Making you the user totally responsible for screwing up your computer.

ALso how many Falws in IE/6/7 That may not being reported?

[Hoser McMoose]

Flaw in both

This is as much a critical flaw with IE as it is with Firefox. Even if Firefox fixes things on their end the hole still exists on IE's end and could be exploited using any other application that registers URIs (eg. a P2P file sharing software, an FTP client, etc.) and can be exploited from the command line.

Really this needs to be fixed on both ends of the problem. IE shouldn't be just sending random junk to the command line with no error checking while Firefox should not be accepting command lines without proper error checking.

[tonycomputerguy]

Wow... Just wow.

Yeah, you don't know very much about computers... I can tell with my amazing "Noobdar" (copyright 2007 :P ) See, I clean out systems for a living, first thing I do after cleaning out virii and malware is remove all links to IE. (9 times out of 10 it being the root of the problem to start with) Then I install opera and firefox and let the user decide which one they like. If you really think that Firefox is just a copy of IE I suggest you try doing a little research, seriously, have you only been online for a few months or do you just not pay attention to anything except for your own malformed opinions? I literally laughed out loud when I saw your 2nd post, almost as hard as when I saw IE7 for the first time. It looked like an exact copy of Firefox. I'll agree with the other poster on here, that Firefox has gotten a bit bloated as of late, and opera IS a great browser, I'm just hooked on Firefox, personal preference and all that... But I have an old 500MHZ system with 256 ram that's basically just a news aggregater, and I occasionally surf on it, and firefox runs GREAT on it, way better than IE could ever hope to. Also, the plug-ins and extensions system is just plain awesome, what a great developer and user community! I can't remember the last time I even saw any ads on a website (Not just talking about popups, I mean banners, etc...) thanks to ad-block plus. So yeah, You really shouldn't comment so negatively when you have no clue what you are talking about, all you do is confirm the stereotype that IE users are moronic noobs who are ripe for the hijacking. As for this being a major security flaw... Eh... seems like there's a lot of crazy things that need to happen in order for it to be a real threat, first and foremost being someone actually using IE after they've installed Firefox (Besides updates for the 20 security flaws a month that come out for XP) But whatever, I'm sure they will issue some kind of security update like they always do. I use Linux anyway, so it's not even half a problem for me. Take care now silly man, try out this crazy site called google or wikipedia next time before you assume you know what you are talking about. The fact that a security flaw in firefox is such big news, compared to them being discovered so often in IE that people don't even consider it 'shocking' news anymore, should go a long way to show what a great piece of software Firefox is. Peace!

[Sunflare98]

haha

first sentence: "which could allow a malicious attacker to gain remove control of a user's system"

I'm sure they love gaining "remove" control...

[kool_skatkat]

gain remove control?

to gain *remove* control? ...wouldn't remote control be more like it.

When it's fixed, this can be deleted..

[yellowjester]

Hmmm....I wonder?

Will this effect my laptop running Linux?

[pjonesCET]

Hmmm....I wonder?

No it only affects MS Windows which allows anything and everything to happen. Something has been a problem with MS OS software since it debuted in the 1980's

[Penguinisto]

Hehe - nope.

My Macintosh seems to lack a Registry as well... go figure.

/P

[rivsys]

Haw Haw Haw

EOM.

[ScareYourParadox]

Firefox is fine...

Wow. Two critical flaws discovered in Firefox. As opposed to the what, 50 or so in IE?

And to be honest, the problem seems to be rooted in the way that Windows handles Firefox code. (aka. more fuel for MS haters)

[jdien07]

cnet is supposed to be news, not a blog

What does the opening line mean? "Firefox is the current attack vector but Internet Explorer is to blame for not escaping ? (quote) characters when passing on the input to the command line," This story was not very clear. Fine for an informal blog but not so fine for a cnet article. I'm a little worried about news outlets getting confused about the difference between the blogosphere and the news sphere. There are higher expectations for the news sphere than this. Blogs are for opinions and information that for one reason or another doesn't get provided by the mainstream. News sources are supposed to be for high quality, rigorously written and checked information. Why is a blog like this being presented on the same page and in the same way as the regular news articles? I'm a little worried about news sources turning into blogs to save money on editing and fact checking. We need both.

[Penguinisto]

as the MFST fanboys cry: "oops!"

...guess it isn't just a Firefox problem after all.

Must suck to do all that astroturfing in this thread, then have the rug pulled out from under ye by real events... >:)

/P

[Microsoft_Facts]

The fault lays with Microsoft...

...by default, until proven otherwise. A statistically significant best guess based on the history of MS and its (in)security.

[markdoiron]

Questionable Assumption in Article

"Users could face a "highly critical" risk if they have both IE and Firefox version 2.0, or later, loaded on their computer. The trouble begins when browsing a malicious site while using IE ..."

While using IE? There are people out there who actually use IE after installing Firefox? Why? Except where MS insists on it (on their website), I avoid IE like the plague.

mark d.

[Fireweaver]

Using Firefox is Safe

Exactly.
For some reason they seem to really beat the Firefox critical flaw with remote control issue to death and the barely breeze past the fact that you need to be using IE to have it affect you.

Go figure.

[morninglory]

Have to use IE for Outlook Xpress

I don't like IE (I have 6.0) but when I open my Outlook Express it is ALWAYS in IE. I have also
been to sites to download, using FF browser, and
am told I must use IE to download the program.
That is the ONLY time I use IE. I did install IE 7 but hated it, removed it and went back to
IE 6 which I also don't like.

[natejohnstone]

FireFox on a Mac...fine.

As usual, no problems for the Mac side of the world. One of the main reasons why I switched this year--got sick of malware, adware, crapware, and every other type of ware you can think of.
Now my 1-year old computer is still fast and happy instead of bogged down.
i love Firefox, so I hope they solve or plug whatever issues are here.
Just thought I'd share :)

[psychosmurf]

Oh get off it. . .

. . . Mac's are just as insecure as Windows and this argument is just bullsh*t. Go back in your glass house and stop throwing stones.

[Fireweaver]

FireFox on PC... fine

If you use Firefox on your PC you're fine, too. This flaw is exploited when someone is using IE to surf the web AND they have FireFox installed.

If they use FireFox to surf they're fine. And why would you install FireFox just to use IE still? Hmmm...

[GeoNorth]

Actually...

...the flaw is in Firefox. The same Firefox that you'll find on MacOSuX and Linux

And my Windows PC ran smoothly for more than 1 year, it actually doesn't take much nous to keep a Windows PC free of malware, adware, or crapware although I must point out that your pristine Mac is absolutely crawling with software and is itself hardware...

Just thought I's share :)

[g.maone]

NoScript

It's worth noticing that that Firefox users with the NoScript add-on installed have been already protected both from MacManus/Larholm remote code execution and from Rios "Universal XSS" since June, the 22th, see http://noscript.net/changelog#1.1.4.9.070622

More in general, they're protected from chrome privilege escalation gained by opening non-chrome URLs in top-level chrome windows (Larholm's PoC) and from javascript: URLs being loaded in externally opened browser shells (Rios' "Universal XSS" PoC), no matter if attempted through the "firefoxurl:" handler (like in this specific case) or by other means we don't know yet (if any exist).
Hence, these protective features are here to stay, since the upcoming Firefox 2.0.0.5 just fixes the "firefoxurl:"/command line known exploit.

[spartincus]

FF 2.0

Here's the deal.

I have MS IE7 installed and working erratically.
I've also discovered that there is "some version of Mozilla Firefox 2.0" installed in my system but it was not installed by me.

Don't ask "how" (FF 2.0) ended up in the system but I have some idea as to what's going on and how this is occuring.

[RustedGod]

Fixed in Firefox, no fix for IE

See http://www.mozilla.org/security/announce/2007/mfsa2007-23.html