
Firefox Used as an Attack Vector via URI Filtering Vulnerability

An interesting vulnerability in Mozilla Firefox has experts debating whether it is in fact a vulnerability in Firefox or a vulnerability in Microsoft Windows. One argument points at Mozilla, because Firefox fails to filter input links before they are sent to the URI protocol handlers that are registered for them. The other side of the argument points at Microsoft, claiming the URI handling vulnerability is a Windows issue. Specific examples of the URI handlers affected by this vulnerability include "mailto", "news", "nntp", "telnet" and "snews". The vulnerability requires that Internet Explorer 7 be installed on the system. Exploitation is as simple as using Firefox to visit a malicious website with a specially crafted URI (such as "mailto") that contains a "%" character and ends with a specific extension, such as ".bat" or ".cmd".

The simple solution for this vulnerability is to not visit untrusted websites and not click on untrusted links. A workaround is to activate a prompt in Firefox that notifies the user when one of the specific URI handlers is involved. Along with the notification, the prompt gives the user the opportunity to cancel. Activating the prompt in Firefox requires editing the configuration page.
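For defenders who filter web content or review saved pages, the link pattern described above (an affected scheme, a "%" character, and a ".bat" or ".cmd" ending) can be checked mechanically. The following is an added example, not code from this post, Mozilla or Microsoft; the function names `checkUri` and `scanHtml` are hypothetical, the extension list covers only the two extensions the post names, and the sample HTML is constructed.

```javascript
// Scheme list is taken from the post; the extension list holds only the two
// extensions the post names and is an assumption beyond that.
const AFFECTED_SCHEMES = new Set(["mailto", "news", "nntp", "telnet", "snews"]);
const RISKY_EXTENSIONS = [".bat", ".cmd"];

// Classifies one href value. Returns { suspicious, reason }.
function checkUri(href) {
  // Browsers strip surrounding whitespace and embedded tab/CR/LF from URLs,
  // so normalise the same way before matching.
  const uri = String(href).trim().replace(/[\t\r\n]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):(.*)$/i.exec(uri);
  if (!m) return { suspicious: false, reason: "no scheme" };
  const scheme = m[1].toLowerCase(); // schemes are case-insensitive
  const rest = m[2];
  if (!AFFECTED_SCHEMES.has(scheme)) {
    return { suspicious: false, reason: "scheme not in affected list" };
  }
  const lower = rest.toLowerCase();
  const ext = RISKY_EXTENSIONS.find((e) => lower.endsWith(e));
  if (rest.includes("%") && ext) {
    return { suspicious: true, reason: `${scheme}: URI contains "%" and ends with ${ext}` };
  }
  return { suspicious: false, reason: "pattern not matched" };
}

// Pulls quoted href values out of HTML text and returns the suspicious ones.
function scanHtml(html) {
  const hits = [];
  const re = /href\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const href = m[1] !== undefined ? m[1] : m[2];
    const result = checkUri(href);
    if (result.suspicious) hits.push({ href, reason: result.reason });
  }
  return hits;
}

// Constructed sample page (not taken from any real site or advisory).
const SAMPLE_HTML = `
<a href="mailto:alice@example.com">ordinary mail link</a>
<a href="MAILTO:constructed%sample.bat">link 1</a>
<a href='telnet:host%example.CMD'>link 2</a>
<a href="https://example.com/a%20b.bat">link 3</a>
<a href="news:comp.security.misc">link 4</a>`;

console.log(scanHtml(SAMPLE_HTML));
```

Only links 1 and 2 are reported: link 3 has the "%" and the extension but uses a scheme outside the affected list, and the ordinary `mailto:` and `news:` links lack the pattern.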

Based on the theory that this is a Windows vulnerability, the following OS versions, with IE 7 installed, are vulnerable:

Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

The vulnerability is said to only affect the Windows version of Firefox.

UPDATE: Firefox has released version 2.0.0.6, which is supposed to address part of the URI filtering vulnerability.

References:

US-CERT
http://www.kb.cert.org/vuls/id/783400

Secunia
http://secunia.com/advisories/26201/

Heise Security
http://www.heise-security.co.uk/news/print/93470

Posted by Kitch Spicer on July 30, 2007, in Handlers Log.