Mozilla released a new version of its Firefox Web browser Monday which includes fixes for two vulnerabilities disclosed by Secunia, an Internet security firm, earlier this month. The two flaws, which involved conflicts with Microsoft’s Internet Explorer (IE), kicked off a round of finger pointing as both companies claimed the problem lay with the code of the competing browser.
“We’ve just released Firefox 2.0.0.6 which contains a security patch … The patch enables percent-encoding for spaces and double-quotes in URIs (uniform resource identifiers) handed off to external programs,” Window Synder, head of Mozilla’s security strategy, posted on the Mozilla Security blog. “This reduces the risk of malicious data being passed through Firefox to another application that may then trigger unexpected and potentially dangerous behavior.”
The updated version of Firefox follows on the heels of an earlier fix for the URL (uniform resource locator) protocol handling vulnerability Mozilla issued on July 18.
A Twofer
The cross-browser security flaw, classified by Secunia as highly critical, can be exploited to execute arbitrary commands when users visit a malicious Web site using Microsoft’s IE 7 Web browser. The vulnerability was found in Firefox version 2.0.0.4 on full patched systems running Windows XP SP2 (service pack 2), although other versions may also be affected, the security firm said.
The problem from the Mozilla end of this equation, according to Secunia, is that the Firefox browser registers the “firefoxurl://” URI (uniform resource identifiers) handler and allows invoking Firefox with arbitrary command line argument.
At the same time, on the Microsoft side, according to security researchers, the IE 7 the flaw is the result of an input validation error within the handling of system default URIs with registered URI handlers (e.g. “mailto,” “new,” “nntp,” “snews” and “telnet.” The vulnerability can be exploited to execute arbitrary commands when users visit malicious Web sites using the Firefox browser that contain a specially crafted “mailto” URI containing a “percent” character and ends in a certain extension such as .bat or .cmd.
The URI is a string of characters used to identify a location, resource or protocol. Firefox relies upon the Windows operating system to determine the appropriate protocol handler for certain URIs it does not handle internally, the United States Computer Emergency Readiness Team (US-CERT) noted in a Vulnerability Note.
The Mozilla browser does not filter data passed to certain URI protocol handlers, and that allows it to be used as an attack vector for vulnerabilities in other applications, US-CERT continued.
Changing the Game
Microsoft Windows parses a URI to determine the appropriate application registered to handle that particular protocol. With IE 7, Microsoft changed how Windows parses URIs and lead to a flaw that could lead the OS to incorrectly determine the appropriate handler for the protocol specified in a URI, researchers concluded.
For example, a “safe” protocol such as mailto:may be incorrectly handled with an “unsafe” application such as the Windows command interpreter. That can lead to an unexpected execution of arbitrary commands, US-CERT researchers found.
“This OS and IE7 are a standard image on most machines,” Ron O’Brien, senior security analyst at Sophos, told LinuxInsider. “The solution proposed by Secunia was ‘Do not browse untrusted Web sites or follow untrusted links.’ This is obviously easier said than done. SophosLabs is blocking 29,000 new Web pages per day that are hosting malicious content.”
The second, far less critical bug deals with add-ons that create “about:blank” windows. The flaw could enable privilege escalation attacks against the “about:blank” add-ons and populate them in “certain ways,” including implicit “about:blank” document creation through data: or javascript: URLs in a new window, according to a Mozilla security advisory.
A Perfect Storm
While Mozilla initially blamed Microsoft for the double whammy flaw, Microsoft vehemently denied any problems and pointed the finger at the open source browser. Microsoft has not released a patch related to the conflict. However, both browsers are to blame, according to security experts.
Last week, Mozilla’s Snyder issued a mea culpa in a blog post in which she wrote that whereas before she had believed IE7 was the entry point and Firefox the application receiving the bad data, her team had identified ways Firefox could also be used as the entry point to send bad data to another application.
Mozilla’s decision to release a new version of its browser instead of a simple patch is a sign of the company’s desire to make sure that people download the fixes, Frost & Sullivan analyst Chris Rodriguez told LinuxInsider.
“They are doing that to make sure that it is something people do because it is a critical vulnerability,” he said. “It falls on both Microsoft and Mozilla, half and half. It’s good to see Mozilla’s taking care of it.
“By releasing this patch Mozilla really is trying to take care of security and protect their users. It’s a very responsible measure, instead of playing the blame game,” he continued.
“It’s interesting that this is one of the few vulnerabilities we’ve seen that relies on products from two separate parties,” Rob Ayoub, another Frost & Sullivan analyst, told LinuxInsider. “It highlights the difficulty in solving vulnerability problems that rely on two parties.”
Patch the Hole
Any time an operating system developer or application developer issues a security patch, users should take the release seriously, O’Brien recommended.
“The evidence regarding the number of machines running outdated version of software is evident by the percentage of malware that relies on unpatched operating systems in order to be effective,” he explained. “Installing and maintaining an effective antivirus software is only half the task.
“The other half involves updating and maintaining the operating system software as well as the application you have added to the desktop,” O’Brien continued. “Patches are intended to prevent the exploit of known vulnerabilities. Protecting against known threats should be common sense.”