Print this article | E-mail this article | Comment on this article

Mozilla Fixes Firefox Protocol Handling

By Scott M. Fulton, III, BetaNews

July 31, 2007, 2:10 PM

This morning, Firefox 2.0 users were automatically notified of the availability of version 2.0.0.6, with the promise that this time around, a critical vulnerability concerning how the browser tries to parse malformed resource identifiers, is fixed for good.

In its security advisory this morning, Mozilla credited Windows security expert Jesper Johansson for articulating the original problem, which has hopefully led to this final solution.

"Jesper Johansson pointed out that Mozilla did not percent-encode spaces and double-quotes in URIs handed off to external programs for handling," the advisory reads, "which can cause the receiving program to mistakenly interpret a single URI as multiple arguments. The danger depends on the arguments supported by the specific receiving program, though at the very least we know Firefox (and Thunderbird) 2.0.0.4 and older could be used to run arbitrary script."

While Mozilla's admission was arguably gracious and sincere, there's a rational debate in the developer community over whether the real problem was caused by either major brand of Web browser -- Firefox or Internet Explorer -- or rather by the underlying Windows operating system which passes on the malformed argument in the first place.

Yesterday, the US-CERT bureau of the Dept. of Homeland Security indicated that Microsoft's handling of the ShellExecute() API function, which was changed in systems where IE7 is installed, may be the true culprit. The implication there is that a danger may continue to exist so long as that critical function can pass non-standard parameters to programs it's trying to launch, such as Web browsers.

The advisory then credits VeriSign security consultants Billy Rios and Nate McFeders for discovering that, when Firefox received a ShellExecute() call to the mailto:// URI identifier that included an officially disallowed null (%00) parameter, rather than launch the default mail client, Firefox would launch whatever application was responsible for the filename extension at the end of the URI.

Starting with version 2.0.0.6, Firefox will no longer launch external protocol handler applications without first asking the user. In the event that the site placing the external launch call isn't trusted, it won't launch any programs at all.

The exception is for the mailto:// protocol, where Firefox will launch the preferred mail client without asking the user. The advisory gives users a workaround, which involves editing the program's about:config page, for having Firefox ask the user before launching the mail client.

Add a Comment (8 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

By dhjdhj

posted Aug 1, 2007 - 10:03 AM

Or at least until it breaks again!
---> is fixed for good

Score: 0

By sturgess

posted Aug 1, 2007 - 6:33 AM

This browser requires patches on a daily basis,I wonder could this be a sign.Yes friends, Opera is the way to go.

Score: 0

By 86proof

edited Aug 1, 2007 - 10:58 AM

Oh for crying out loud...so it gets patched daily - at no cost to you...

Deal with it!

If you don't like something then don't use it.

Don't even get me started on Opera...its java implementation sucks and it doesnt have as many options/plugins as most other popular browsers (see, do not like it when people bash your favorite product do ya?). That being said, Opera is pretty zippy due to its small size and lack of plugins - right now its off most exploiters radar due to its minimal popularity.

Score: 0

By megaplushie

edited Aug 1, 2007 - 10:31 AM

I'm cool with Firefox being updated on a regular basis. At least Mozilla recognizes these problems and fixes them fairly quicky, even if it does mean having to update twice in two weeks.

Anyways, I won't switch browsers just because it "requires patches on a daily basis."