Jump to content
xisto Community
Sign in to follow this  
Saint_Michael

Interesting New Ie - Firefox Bug ( A Must Read Asap) FF 2.0.02 and up users need to know about this

Recommended Posts

Well it has finally happen and strangely enough I didn't really think about it until now, but it seems a security team found a very high level bug that requires both Internet Explorer 7 and Modzilla Fire Fox. This is the jist of the bug;

The root of the matter is a Firefox uniform resource identifier (URI) that allows Web sites to force Firefox to launch with the "firefoxurl://" URI, Secunia reported. The way in which the URI handler is registered by Firefox causes any parameter to be passed from IE (or another application) to Firefox when the "firefoxurl://" URI is activated.
Due to the implementation of the "chrome" parameter, it is possible to inject code that would be executed within Firefox, said Thomas Kristensen, CTO of Secunia.

"Running JavaScript in 'chrome' context within Firefox is essentially the same as executing arbitrary code and allows an attacker to take any actions on the local system with the same privileges as the active user," Kristensen explained. "Registering a URI handler must be done with care, since Windows does not have any proper way of knowing what kind of input potentially could be dangerous for an application."

Improper use of URl handlers and parameters supplied via URls has historically caused problems for many vendors, including Microsoft, Apple, Mozilla, certain Linux projects, and Opera. But the blame in this case falls squarely on the shoulders of Firefox, Kristensen insisted. Mozilla has publicly announced it is working on a fix.


Interestingly enough though this bug affects everyone that has firefox 2.0.0.2 and up, and right now their is no patch for this bug due to the fact people are still blaming the other side of messing up and all that wonderful junk. So far no evil computer crime lords have used this exploit yet and the only recommendation they have right now is disable active scripting in the html and that is the only recommendation until the patch is release.

Like I mention the blame game was being passed around and of course Firefox group says it's not FF fault, even though the bug is coming from their browser, but another problem that arises is that this little tid bit of news was improperly disclosed. Which means the hackers and the crackers will have a field day about this untill the patch is release. I keep tabs on this and let people know when the patch is supposed to come out.


SOURCE

Here
Edited by Saint_Michael (see edit history)

Share this post


Link to post
Share on other sites

Ohhh snap. Thats a big one and seems easy to implement. So basically your saying its as easy as coding a firefoxurl:// link into javascript code and anyone who enables activrX controls could possibly be affected?Wait, so how do you turn off your active scripting. Disable java and javascript?

Share this post


Link to post
Share on other sites

Ohhh snap. Thats a big one and seems easy to implement. So basically your saying its as easy as coding a firefoxurl:// link into javascript code and anyone who enables activrX controls could possibly be affected?
Wait, so how do you turn off your active scripting. Disable java and javascript?


for your first question the answer is pretty much as for disabling active scripting I point you to a couple of sites:

IE

Here

As for Firefox disabling java and javascript would be the way to do it, also you can still keep them running just make sure your computer is up to date which includes firewalls, security updates the works.

Share this post


Link to post
Share on other sites

Firefox has just issued an update which appears to fix this and several other issues. From the Release Notes, here is what has been fixed in the Firefox 2.0.0.5 which automatically updated itself on my machine:

Fixed in Firefox 2.0.0.5

MFSA 2007-25 XPCNativeWrapper pollution

MFSA 2007-24 Unauthorized access to wyciwyg:// documents

MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer

MFSA 2007-22 File type confusion due to in name

MFSA 2007-21 Privilege escalation using an event handler attached to an element not in the document

MFSA 2007-20 Frame spoofing while window is loading

MFSA 2007-19 XSS using addEventListener and setTimeout

MFSA 2007-18 Crashes with evidence of memory corruption


I think the problem you discuss is identified in the above list as MFSA 2007-23.

 

In case you didn't receive the update, simply go to the Firefox Download site and the new version should be ready for download from there.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×
×
  • Create New...

Important Information

Terms of Use | Privacy Policy | Guidelines | We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.