Print this article | E-mail this article | Comment on this article

'Highly Critical' Flaw in Firefox 2.0

By BetaNews Staff, BetaNews

July 10, 2007, 11:32 AM

Security firm Secunia has issued an advisory regarding a newly discovered "highly critical" security flaw in Firefox 2.0 and later, which involves a special URI handler. Although the problem was initially attributed to Internet Explorer by researcher Thor Larholm, Firefox is the culprit.

According to Secunia, "Firefox registers the "firefoxurl://" URI handler and allows invoking Firefox with arbitrary command line arguments." This means that a malicious site visited in Internet Explorer could pass parameters using that URI handler that would be run automatically in Firefox, without any sort of validation. The firm suggests not visiting untrusted sites until the problem is resolved.

Add a Comment (35 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

By gkar

posted Jul 12, 2007 - 6:52 AM

I patched my own system by using XPLite and uninstalled IE, and just to make sure, OE.

Score: 0

By ryanvm

posted Jul 11, 2007 - 1:04 PM

FWIW, the fix for this bug was checked into the Firefox codebase (trunk and branch) last night and Mozilla is going to be pushing up the release of version 2.0.0.5 to get this fix out to the public ASAP (though their wiki hasn't been updated to reflect that as of yet).

Score: 0

By ryanvm

posted Jul 11, 2007 - 2:50 PM

To reply to myself, it appears that they're targeting next Thursday for getting a final 2.0.0.5 build pushed out with this fix included.
http://wiki.mozilla.org/Firefox:2.0.0.5

Score: 0

By Aires

edited Jul 11, 2007 - 7:33 AM

I've read the story and read the replies and I think this sums it up pretty well - it's a Firefox issue, but it's a Windows flaw.

In addition it has to be said yohimbe9 makes a very interesting point.

Score: 0

By flake

posted Jul 11, 2007 - 10:30 PM

I'm interested in how this could be described as a windows flaw.

Are Operating Systems now expected to validate input for installed applications?

Score: 0

By Aires

posted Jul 19, 2007 - 7:33 AM

It's a flaw that can be fixed by the authors of the various installed applications - but yes it is a Windows flaw.

Score: 0

By nms04

posted Jul 11, 2007 - 1:01 AM

looool fortunately there weren't any reports like this one for opera :P

Score: 0

By robmanic44

posted Jul 10, 2007 - 10:24 PM

You want security? Turn your computer off. Blaming Windows for a Firefox flaw is a bit of a stretch. If that is true, they should put a disclaimer on the download site:"This browser is for Unix based systems only".

Score: 0

By Latz !

posted Jul 10, 2007 - 3:40 PM

This is a Windows flaw, not a Firefox flaw.

Score: 0

By phenomnaruto

posted Jul 10, 2007 - 6:09 PM

Although the problem was initially attributed to Internet Explorer by researcher Thor Larholm, Firefox is the culprit.

Score: 0

By Latz !

edited Jul 10, 2007 - 10:14 PM

How is it Firefox's fault that IE allows users to click a link and launch an external program? That is a really bad OS design. There are many other programs that can be launched the same way, they just haven't been exploited recently. Firefox on any other OS does not have this problem, and this only happens when using IE to launch Firefox.

Score: 0

By flake

posted Jul 11, 2007 - 10:34 PM

It's FF's fault because it installs a custom URI handler and then doesn't properly validate input in that handler.

An OS and certainly other applications can NOT be reasonably expected to validate inpute for installed applications.

Score: 0

By templar™

posted Jul 11, 2007 - 6:35 AM

Custom protocol is very useful in many scenarios. In this case, the onus is on FF to validate the arguments passed to it.

Score: 0

By asellus

posted Jul 11, 2007 - 12:20 AM

If Firefox is not present on the system, this flaw does not affect you. So yes, it is Firefox's fault.

Score: 0

By Latz !

edited Jul 11, 2007 - 8:16 PM

If you don't use IE or Windows this flaw does not affect you, whether you have Firefox or not.

Score: 0

By Scotch Moose

posted Jul 11, 2007 - 2:14 PM

As long a IE can launch executables with any load of garbage for a command line just because some web site told it to, more vulnerable programs will keep turning up.

If you have access to a command line you have control over the machine.

Score: 0

By sites.web.pt

posted Jul 10, 2007 - 3:29 PM

Hey you, yes you! Do you want security? Go to this address: www.opera.com/download/

BTW Firefox is a great browser!!!

Score: 0

By smarterthanyou

posted Jul 10, 2007 - 10:25 PM

According to Apple, Opera is the slowest at rendering any type of web page.

Score: 0

By Silentmaster101

posted Jul 11, 2007 - 7:52 AM

but also according to apple, if i dont have an ipod im going to hell.... so...

Score: 0

By Cold Hand

posted Jul 12, 2007 - 6:02 AM

LOL ! Totaly second that... And Apple should spend more time on Safari for Windows and less talking about other (great) Browsers...

Score: 0

By frankwick

posted Jul 10, 2007 - 3:05 PM

I'm assuming this is also valid in Minefield.

Score: 0

By Silentmaster101

posted Jul 11, 2007 - 7:51 AM

i love that game!

Score: 0

By zxo20000

posted Jul 10, 2007 - 2:48 PM

wow

Score: 0

By Scotch Moose

posted Jul 10, 2007 - 2:35 PM

The reason for this is that the FirefoxURL handler was added in Firefox 2.0.0.2 as part of a Vista compatibility change. Microsoft asked for it.

The lack of input validation is still a flaw in IE, even if Firefox could have registered their URL protocol handler with DDE instead.

I don't think we will see Firefox fixed to not accept command line arguments. And don't stay awake waiting for Microsoft to validate input before launching a URL handler. Your best bet is to remove the URL protocol handlers, that is if you must run Windows.

Really, who thinks launching executable programs with a browser based on the content of web page is a good idea? This is even worse than ActiveX.

Score: 0

By flake

posted Jul 11, 2007 - 10:38 PM

I really wonder how you people expect the OS or IE to properly validate input for 3rd party software. Just how are they supposed to know what to check for and what to throw out? The onus of input validation lies with the software that consumes the input.

Score: 0

By Scotch Moose

edited Jul 12, 2007 - 12:10 PM

When does a command line not come from a user that already has control of their PC?

When it comes from a web page viewed in IE.

Who ever designed that "feature" must have dain bramage.

Score: 0

By bourgeoisdude

posted Jul 10, 2007 - 2:54 PM

"Really, who thinks launching executable programs with a browser based on the content of web page is a good idea? This is even worse than ActiveX."

Sadley, Dell, HP, Norton, McAfee, Trend Micro, and countless other manufacturers use this technology for their driver reinstall discs/online virus scans/active updates/etc. It's tough to kill it because so many people are using it...

Score: 0

By zxo20000

posted Jul 10, 2007 - 2:49 PM

totally agree

Score: 0

By yohimbe9

posted Jul 10, 2007 - 12:48 PM

It starts to make you wonder about all of the other protocol handlers that are installed. A quick registry search in HKCL for "URL Protocol" found an Acrobat (acrobat://), Adobe Bridge (adobebridge), iTunes (daap://, itms://, itmss://, itpc://, pcast://) as well as several for WinAmp, Outlook and Real

Score: 0

By Frostek

posted Jul 10, 2007 - 12:36 PM

So far it's only confirmed on Windows...

Besides, it'll be fixed in a day or two, and the automatic updates will take care of that.

Score: 0

By Alex Stevens

edited Jul 10, 2007 - 12:23 PM

So even though this is a Firefox issue you have to be surfing unsafe sites with Internet Explorer for attackers to take advantage of it? In that case I think I'm in the clear then.

Score: 0

By billweh

edited Jul 10, 2007 - 12:14 PM

**sarcasm**
I can't believe they allow this kind of garbage on the market! How can they put something so obviously buggy out there and then not let people know about the gaping holes in it! They should pull Firefox from every PC on the planet until this is resolved! **/sarcasm**

Oh wait - I thought this was an article on IE. ;-)

Guess no one is safe anymore. :(

Score: 0

By flake

posted Jul 11, 2007 - 10:40 PM

Glad I'm not the only one thinking that. Cheers mate ;)

Score: 0

By Paul Skinner

posted Jul 10, 2007 - 11:43 AM

"The firm suggests not visiting untrusted sites until the problem is resolved."

After that, knock yourself out.

Score: 0

By PC_Tool

posted Jul 10, 2007 - 12:15 PM

*laughs*

Score: 0

Aug 29 - 3:02 PM ET Debian Live 5.0 Beta 1 released

Aug 29 - 2:33 PM ET 802.11r now a published IEEE standard

Aug 29 - 1:07 PM ET Rogers adjusts data plans for iPhone, BlackBerry Bold

Aug 29 - 12:51 PM ET Microsoft buys a shopping service for $486M, but will only keep part

Aug 29 - 12:21 PM ET Google extends its investment in Mozilla, restores MPL license

Aug 29 - 12:11 PM ET Dell's new low-end strategy for emerging markets includes Linux

Aug 29 - 11:43 AM ET Comcast to deploy 250 GB/month usage caps in October

Aug 28 - 6:20 PM ET Where does Barack Obama stand on technology issues?

Aug 28 - 4:48 PM ET Microsoft and Nikon ink deal around digital, perhaps wireless, cameras

Aug 28 - 4:21 PM ET WB network returns as Web site