An interesting vulnerability in Mozilla Firefox has experts debating whether it is in fact a vulnerability in Firefox or a vulnerability in Microsoft Windows. One argument points at Mozilla because Firefox fails to filter input links before they are sent to the URI protocol handlers that are registered for them. The other side of the argument points at Microsoft, claiming the URI handling vulnerability is a Windows issue. Some specific examples of the URI handlers affected by this vulnerability include "mailto", "news", "nntp", "telnet" and "snews". The vulnerability requires that Internet Explorer 7 be installed on the system. Exploitation is as simple as using Firefox to visit a malicious website with a specially crafted URI (such as "mailto") that contains a "%" character and ends with a specific extension, such as ".bat" or ".cmd".
The simple solution is to not visit untrusted websites and not click on untrusted links. A workaround is to activate a prompt in Firefox that notifies the user when a link invokes one of the specific URI handlers. Along with the notification, the user has the opportunity to cancel via the prompt. Activating the prompt in Firefox requires editing the configuration page.
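To screen stored pages or HTML mail for links that match the pattern described above (a listed scheme, a "%" character, and a ".bat" or ".cmd" ending), a check like the following can be used. This is an added example, not code from the original post or from Mozilla or Microsoft; the function names and the sample HTML are constructed, and the scheme and extension lists hold only the examples the post names.

```python
from html.parser import HTMLParser

# Schemes and extensions named in the post. The post gives them as
# "some specific examples", so treat both lists as non-exhaustive.
AFFECTED_SCHEMES = {"mailto", "news", "nntp", "telnet", "snews"}
RISKY_EXTENSIONS = (".bat", ".cmd")


def matches_described_pattern(uri):
    """True if uri uses a listed scheme, contains '%' and ends in a listed extension."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() not in AFFECTED_SCHEMES:
        return False
    # Ordinary percent-encoding (e.g. %20 in a mailto subject) is common, so
    # '%' alone is not flagged; the extension at the end must also be present.
    return "%" in rest and rest.lower().endswith(RISKY_EXTENSIONS)


class LinkCollector(HTMLParser):
    """Collects URI-bearing attributes from every start tag."""

    def __init__(self):
        super().__init__()
        self.uris = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser decodes character references in attribute values,
        # so a '%' written as &#37; is seen here as a literal '%'.
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.uris.append(value)


def suspicious_links(html):
    """Return the URIs in html that match the pattern, in document order."""
    collector = LinkCollector()
    collector.feed(html)
    return [u for u in collector.uris if matches_described_pattern(u)]


# Constructed sample input; the values are placeholders, not real indicators.
SAMPLE_HTML = """
<a href="mailto:alice@example.com?subject=Status%20report">benign</a>
<a href="MAILTO:placeholder%value.cmd">mixed-case scheme</a>
<iframe src="telnet:placeholder&#37;value.bat"></iframe>
<a href="https://example.com/50%25-off.bat">unlisted scheme</a>
<a href="news:comp.example.cmd">no percent sign</a>
"""

if __name__ == "__main__":
    for uri in suspicious_links(SAMPLE_HTML):
        print("matches described pattern:", uri)
```

A match is a reason to inspect the link, not proof of an exploit attempt, and a miss does not clear a page, since the post's lists are examples only.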
Based on the theory that this is a Windows vulnerability, the following OS versions, with IE 7 installed, are vulnerable:
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
The vulnerability is said to only affect the Windows version of Firefox.
UPDATE: Firefox has released version 22.214.171.124 that is supposed to address part of the URI filtering vulnerability.
Posted by Kitch Spicer on July 30, 2007, in Handlers Log.