
The flaw that "Firefoxed" Internet Explorer


A few days back there was immense furor over a zero-day vulnerability in which IE's handling of a URL protocol registered by Firefox could be abused to execute malicious JavaScript. The flaw was triggered on a system that had Firefox installed while IE was the browser in use.

Here's a description of the flaw from InformationWeek:

If someone using IE visits a Web page that tries to call a Firefox URL, the Microsoft browser will launch Firefox with no other prompting, passing it the URL. Neither browser, according to Mozilla, sanitizes the URL, which would allow an attacker to make Firefox execute malicious JavaScript code. The user would have to visit a maliciously crafted Web page or open a malicious e-mail. User interaction is required.

The flaw needed a certain degree of user interaction (lockergnome) to be triggered, and the folks at Mozilla have patched the issue in their 2.0.0.5 browser release. What is deeply intriguing about the flaw is that it rides on the interface between two applications (in this case IE and Firefox) rather than on a bug inside either one.

The flaw sparked a lot of sparring between executives of Mozilla and Microsoft (TechWorld), each blaming the other's side of the hand-off. Software makers can build a lot of security around their internal code, but once they expose an API to third-party software, how it is called is in the hands of that third party, and the boundary between the two programs can become a vulnerable entry point.
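The hand-off described in the InformationWeek quote, modelled in Python as an added illustration (this is not code from the original post, from Mozilla or from Microsoft): a host browser substitutes the clicked URL into the handler's command-line template, a naive substitution lets a crafted URL close the quoted argument and append a switch of its own, and the two places where validation can live, host-side before substitution and receiver-side on argv, are the two positions the comment thread argues over. The handler path, the "exampleurl" scheme and the "-debug-script" switch are invented for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed example. On Windows a URL-protocol handler is registered as a
# command template in which %1 is replaced by the clicked URL. The path, the
# scheme name and the switch names used here are invented for illustration.
HANDLER_TEMPLATE = '"C:\\Example\\handler.exe" -url "%1"'
EXPECTED_SCHEME = "exampleurl"


def split_cmdline(cmdline):
    """Approximate the rule a launched program uses to turn its command line
    into argv: whitespace separates arguments, double quotes group them.
    Good enough for the demonstration; backslash escaping is ignored."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline)]


def naive_dispatch(url):
    """The flawed hand-off: the host drops the URL into the template verbatim
    and trusts the receiving application to sort it out."""
    return HANDLER_TEMPLATE.replace("%1", url)


def host_validate(url):
    """Host-side check before substitution: the URL must carry the scheme the
    handler was registered for and must contain nothing that can terminate
    the quoted argument or start a new one."""
    if urlsplit(url).scheme.lower() != EXPECTED_SCHEME:
        raise ValueError("scheme does not match the registered handler")
    if re.search(r'["\s]', url):
        raise ValueError("URL contains quoting or whitespace characters")
    return url


def safe_dispatch(url):
    """The hardened hand-off: validate, then substitute."""
    return HANDLER_TEMPLATE.replace("%1", host_validate(url))


def receiver_parse(argv):
    """Receiver-side check: accept exactly '-url <value>' with the expected
    scheme and reject any other switch, so that a careless host cannot be
    used to smuggle in extra arguments."""
    args = argv[1:]
    if len(args) != 2 or args[0] != "-url":
        raise ValueError("unexpected arguments: %r" % (args,))
    scheme = urlsplit(args[1]).scheme.lower()
    if scheme != EXPECTED_SCHEME:
        raise ValueError("refusing URL with scheme %r" % scheme)
    return args[1]


def is_rejected(fn, *args):
    """True if fn raises ValueError for these arguments."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed inputs: one benign link and one that tries to inject a switch.
BENIGN = "exampleurl://docs/page1"
INJECTED = 'exampleurl://x" -debug-script "javascript:alert(1)'

if __name__ == "__main__":
    for url in (BENIGN, INJECTED):
        argv = split_cmdline(naive_dispatch(url))
        print("naive argv:   ", argv)
        print("host rejects: ", is_rejected(safe_dispatch, url))
        print("receiver rejects:", is_rejected(receiver_parse, argv))
```

With the naive dispatch the injected URL yields five arguments instead of three, the extra two being a switch the attacker chose. Either check alone stops this particular input; both together mean neither vendor has to rely on the other's diligence, which is the point the post's bottom line and the comment thread circle around.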

Bottom-line

Be wary of every piece of software installed on the system you use. Even the interfaces of programs you never launch can serve as entry points for malware and trigger an exploit.

8 comments
angrykeyboarder

What is that? Something like chrome:// or about:config ?

RealAusTech

be using Internet Explorer to browse? Unless it was a specific site that uses MS web extensions that don't render properly in FF or another browser, there is no need to do this. And if that was the case (MS extensions), why would such a URL be present? Why present the flaw this way at all? It would be present in FF anyway, and clicking on the link would activate the malware anyway, unless the browser had JavaScript disabled. If we are going to go down this path, why not forget about ActiveX and any other items that require an executable program to use the flaw? I couldn't help but notice that it required the user to click on the URL to activate the flaw, so once again we are back to the social engineering aspect of attacking users' computers, so until people like myself can get in and make a difference, this will continue.

pr.arun

The crux of the issue is that Microsoft blames the different array of third-party software protocol handlers and says that the onus of validation is on the receiving application. IE here is the host application. However, it is IE that handles the execution. I think the solution is just that Microsoft, or any application maker, has to take into consideration the case of third-party integration and design APIs with security features incorporated from that angle too. In this case it would involve creating a framework where validations can be easily incorporated as and when new applications use IE.

Tony Hopkinson

public, validation is the responsibility of the implementation of that routine. The assumption that the passed parameters are 'valid', is at best lazy.

Tony Hopkinson

Both in terms of performance and maintenance. There are a few ways round that, but if a sanitised parameter is expected by an API, this should at a minimum be clear in the call, LoadUpValidatedURL for instance. Given that we try to do the job properly when allowed by management, sometimes we foolishly assume others do too. Writing APIs, components and reusable libraries requires you to consider the user interface; just because the user is another coder doesn't mean issues can be ignored.

DenisDiderot

I, too, have more years of experience than is polite to claim in mixed company and I, too, have seen so many truly egregious errors that I always provide validation methods for incoming data, no matter what the source. However, there are often architectural and/or performance issues that require the validation methods to be physically separate from the data processing methods. In such cases, the data processing API must be protected and it is up to the user (re-user) to invoke the appropriate API (i.e., to pass only sanitized data to the protected API). Objective examination will show that browser internals are such a case.

noorman

Why not use Firefox with the IEtab plugin (to be found on Mozilla's website)? A click switches you from FF to IE or back. It works; even M$'s own support website can't distinguish it from IE. It doesn't display its usual error message where they say you need to install IE ... LOL.

BruceLaBonte

I agree with Tony. Over 35 years of programming at various levels and using various languages have taught me to validate EVERYTHING that I process in my program, whether it is a parameter list coming through an API or data read from a file.