Zero-day vulnerability hits Firefox and IE
Security researcher Thor Larholm has discovered a zero-day vulnerability that could lead to remote attackers hijacking systems running both Internet Explorer and Firefox.
Larholm is calling this an IE zero day, blaming the vulnerability on an input validation flaw in Internet Explorer that allows users to specify arbitrary arguments to the process responsible for handling URL protocols. It's the same type of input validation vulnerability that Larholm discovered in the Safari 3 beta, he said.
Microsoft says no dice, it ain't IE this time, although a spokesman neglected to say where the vulnerability lies if not in the browser. "Microsoft has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product," the spokesman said.
At any rate, Larholm says that the vulnerability consists of a flaw in IE's protocol handler that allows for command injection. A successful attack would entail passing and executing arbitrary commands and arguments through the browser's "firefox.exe" process.
The problem comes out of an input validation error when a vulnerable instance of IE is installed on the same system as Mozilla's Firefox browser.
Firefox registers a URL protocol handler named "FirefoxURL" when it's installed. The handler lets other applications launch Firefox if they're capable of handling HTML.
The flaw arises when IE fails to validate the handler and passes any parameters in the request directly to the firefox.exe process as arguments or options.
Exploiting the issue allows a remote attacker to influence command options that can be called through the FirefoxURL handler and therefore execute commands and script code with the privileges of a user running the applications, according to Symantec's Deep Site threat analysis service. Successful attacks can lead to remote unauthorized access, among other consequences.
Attack scenarios include an attacker constructing malicious HTML code to influence command-line parameters that will run when a URI is loaded. The malicious code can be embedded in a Web page or sent through HTML e-mail.
The malicious code may be automatically loaded when the page or HTML e-mail is rendered. This scenario entails a user clicking on a link to get to the malicious site or opening the malicious e-mail.
Even feedback on Larholm's site concerned trying to figure out which browser is vulnerable and which is a vector.
"It may be worth noticing that this is NOT an Internet Explorer flaw, but a Firefox flaw," said a feedback post from Michael Mattson on Larholm's site. "Why the author would title this article 'Internet Explorer 0day Exploit' is really misleading, and shows the authors lack of understanding of how programs register URI's. This is CLEARLY an issue with Firefox and its flawed URI registration."
"Firefox is the current attack vector but Internet Explorer is to blame for not escaping … characters when passing on the input to the command line," Larholm responded. "I agree that Firefox could have registered its URL handler with pure DDE [Dynamic Data Exchange] instead and thereby have avoided the possibility of a command line argument injection, but IE should still be able to safely launch external applications safely."
To mitigate risk, Symantec is advising customers to avoid following links from unknown or untrusted sources and for users to be wary of visiting untrusted or unfamilar sites or following links provided by unknown or suspicious sources.
In addition, Symantec says, don't accept communications that originate from unknown or untrusted sources, and never open or accept unsolicited HTML e-mail, because it may provide an attack vector for numerous vulnerabilities. Also, filter all HTML e-mail or disable client support for HTML e-mail.
Run all software as a nonprivileged user with minimal access rights, Symantec also advises. To limit the impact of client vulnerabilities, perform all nonadministrative tasks, such as reading e-mail and browsing, as an unprivileged user with minimal access rights.
Return to internet news headlines
View Internet News Archive