I patched my own system by using XPLite and uninstalled IE, and just to make sure, OE.

FWIW, the fix for this bug was checked into the Firefox codebase (trunk and branch) last night and Mozilla is going to be pushing up the release of version 2.0.0.5 to get this fix out to the public ASAP (though their wiki hasn't been updated to reflect that as of yet).

To reply to myself, it appears that they're targeting next Thursday for getting a final 2.0.0.5 build pushed out with this fix included.
http://wiki.mozilla.org/Firefox:2.0.0.5

I've read the story and read the replies and I think this sums it up pretty well - it's a Firefox issue, but it's a Windows flaw.

In addition it has to be said yohimbe9 makes a very interesting point.

I'm interested in how this could be described as a windows flaw.

Are Operating Systems now expected to validate input for installed applications?

It's a flaw that can be fixed by the authors of the various installed applications - but yes it is a Windows flaw.

looool fortunately there weren't any reports like this one for opera :P

You want security? Turn your computer off. Blaming Windows for a Firefox flaw is a bit of a stretch. If that is true, they should put a disclaimer on the download site:"This browser is for Unix based systems only".

This is a Windows flaw, not a Firefox flaw.

Although the problem was initially attributed to Internet Explorer by researcher Thor Larholm, Firefox is the culprit.

How is it Firefox's fault that IE allows users to click a link and launch an external program? That is a really bad OS design. There are many other programs that can be launched the same way, they just haven't been exploited recently. Firefox on any other OS does not have this problem, and this only happens when using IE to launch Firefox.

If Firefox is not present on the system, this flaw does not affect you. So yes, it is Firefox's fault.

Custom protocol is very useful in many scenarios. In this case, the onus is on FF to validate the arguments passed to it.

As long a IE can launch executables with any load of garbage for a command line just because some web site told it to, more vulnerable programs will keep turning up.

If you have access to a command line you have control over the machine.

If you don't use IE or Windows this flaw does not affect you, whether you have Firefox or not.

It's FF's fault because it installs a custom URI handler and then doesn't properly validate input in that handler.

An OS and certainly other applications can NOT be reasonably expected to validate inpute for installed applications.

Hey you, yes you! Do you want security? Go to this address: www.opera.com/download/

BTW Firefox is a great browser!!!

According to Apple, Opera is the slowest at rendering any type of web page.

but also according to apple, if i dont have an ipod im going to hell.... so...

LOL ! Totaly second that... And Apple should spend more time on Safari for Windows and less talking about other (great) Browsers...

I'm assuming this is also valid in Minefield.

i love that game!

wow

The reason for this is that the FirefoxURL handler was added in Firefox 2.0.0.2 as part of a Vista compatibility change. Microsoft asked for it.

The lack of input validation is still a flaw in IE, even if Firefox could have registered their URL protocol handler with DDE instead.

I don't think we will see Firefox fixed to not accept command line arguments. And don't stay awake waiting for Microsoft to validate input before launching a URL handler. Your best bet is to remove the URL protocol handlers, that is if you must run Windows.

Really, who thinks launching executable programs with a browser based on the content of web page is a good idea? This is even worse than ActiveX.

totally agree

"Really, who thinks launching executable programs with a browser based on the content of web page is a good idea? This is even worse than ActiveX."

Sadley, Dell, HP, Norton, McAfee, Trend Micro, and countless other manufacturers use this technology for their driver reinstall discs/online virus scans/active updates/etc. It's tough to kill it because so many people are using it...

I really wonder how you people expect the OS or IE to properly validate input for 3rd party software. Just how are they supposed to know what to check for and what to throw out? The onus of input validation lies with the software that consumes the input.

When does a command line not come from a user that already has control of their PC?

When it comes from a web page viewed in IE.

Who ever designed that "feature" must have dain bramage.

It starts to make you wonder about all of the other protocol handlers that are installed. A quick registry search in HKCL for "URL Protocol" found an Acrobat (acrobat://), Adobe Bridge (adobebridge), iTunes (daap://, itms://, itmss://, itpc://, pcast://) as well as several for WinAmp, Outlook and Real

So far it's only confirmed on Windows...

Besides, it'll be fixed in a day or two, and the automatic updates will take care of that.

So even though this is a Firefox issue you have to be surfing unsafe sites with Internet Explorer for attackers to take advantage of it? In that case I think I'm in the clear then.

**sarcasm**
I can't believe they allow this kind of garbage on the market! How can they put something so obviously buggy out there and then not let people know about the gaping holes in it! They should pull Firefox from every PC on the planet until this is resolved! **/sarcasm**

Oh wait - I thought this was an article on IE. ;-)

Guess no one is safe anymore. :(

Glad I'm not the only one thinking that. Cheers mate ;)

"The firm suggests not visiting untrusted sites until the problem is resolved."

After that, knock yourself out.

*laughs*