netdef (netdef) wrote,
netdef
netdef

Cross-Browser Command Injection Vulnerability

How many Firefox users disable, remove or entirely stop using IE once they install Firefox?

A new vulnerability has been discovered that allows IE to call Firefox and pass parameters that could compromise a users system and allow a remote attacker to take complete control over your computer. As of this writing, there is no official fix from either Microsoft nor the Mozilla group. After an initial flurry of finger pointing, this looks to be the fault of BOTH organizations: IE for not validating calls to external URI's, and Firefox for using a registered handler method that is outdated and known to be insecure.

If you have Firefox installed, then you are probably safe if you only use Firefox and if you set Firefox to be your default browser. You can also de-register the handler that IE uses to call Firefox.

If you don't have Firefox installed, you are immune to this particular attack.



Standard warnings and disclaimers apply if you edit your registry manually! Do so at your own risk. If you are not comfortable with the process, then wait for an official patch and browse cautiously.

Find and backup (export), then delete the FirefoxURL "command" reg key and it's default value at:
[HKEY_CLASSES_ROOT\FirefoxURL\shell\open\command]

The default value will look something like (depending on your Firefox install location):
@="C:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE -url \"%1\" -requestPending"

Reboot . . .

Note that if you update Firefox this reg key may be re-written - which is fine if that update includes a future as-yet-to-be-released patch for this problem.

Details about the vulnerability may be found at:

http://larholm.com/2007/07/10/internet-explorer-0day-exploit/
(Including a "safe" test to see if you are vulnerable - good to use after you implement the reg-key workaround above.)

http://secunia.com/advisories/25984/

http://news.com.com/8301-10784_3-9741435-7.html

Edit: Workaround no longer needed. Get patched instead with the new version of Firefox: http://www.mozilla.com/en-US/firefox/2.0.0.5/releasenotes/
Subscribe

  • Moving onwards

    I've only been maintaining a technical blog for the last few years. Find me at https://networkdefend.blogspot.com/ I am also toying with resuming…

  • LOL moment today

    Several lines from this article caused near nasal fountains of coffee. Don't read while drinking! Smell you later, Axe. It turns out that there is…

  • Thinking about my near term future . . .

    Quote that hit home today: “When I was younger I could get so much more done. But I wouldn’t want to be any less than 50. That would be ideal.” --…

  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 1 comment