Internet Explorer used to trigger Firefox exploit

Stephen Withers
Thursday, 12 July 2007 04:01

Your IT - Home IT

A vulnerability in Firefox can be exploited by presenting Internet Explorer with a particular type of malicious link.

Reported by Secunia, the issue revolves around the firefoxurl:// URI handler that instructs the system to open the specified URL in Firefox. This handler is added to the system alongside Firefox.

Unfortunately, Firefox does not check the sanity of the link it is passed, and it will execute JavaScript. Internet Explorer doesn't check a link before it is passed to a handler, so this has the potential to allow remote system access.

So who is at fault? Opinions vary. Some blame Microsoft for failing to escape any quotes before passing the string to the handler, others argue that Firefox should validate the string it receives. Those who favour a belt and braces approach point the finger at both companies.

A precedent has been set by Apple, which took it upon itself to fix a similar issue involving Safari and Firefox.

We feel there's a parallel with antivirus software: you run AV not just to protect against incoming infected files, but also to reduce the risk of sending an infected file to someone else. Similarly, the primary responsibility to check a link (or any other data) must rest with the receiving program, but the sender should be a good citizen and test for any well-known tricks. This is especially true where the sending program didn't generate the data but is merely forwarding it from another source.

Firefox itself is not vulnerable to a direct attack using firefoxurl:// links.

Mozilla has announced that Firefox 2.0.0.5 (scheduled for release on July 19) will check for potentially malicious data, but warns that "Other Windows programs may also be vulnerable to bad data being passed from IE although we are not aware of any at this time."