July 14, 2007
A CROSS BROWSER attack was found that would allow an attacker to take control of a computer surfing the Internet. It will allow sites to force a download onto your machine or to execute a program. It involves both Internet Explorer (IE) and Firefox (Ffx).
the requirements for this exploit to work
- IE version 7 must be installed
- Ffx version 2 must be installed
- Ffx's URLHANDLER registry entries must be installed
- the NOSCRIPT extension must not be installed
- the security settings in IE must be medium or less
- a malformed URL must be called in IE
- no Ffx window can be open
what you can do to protect yourself
- Keep to IE version 6
- Keep to Ffx version 1.5 (see MISC NOTE #4)
- Install NOSCRIPT (see MISC NOTE #1)
- Remove the URLHANDLERS from the Registry (see below)
- Raise the security level for the Internet Zone to high
the questionable registry entries
how to remove urlhandlers
Enter the following commands at the command prompt:
REG DELETE HKCR\FIREFOXHTML /F
REG DELETE HKCR\FIREFOXURL /F
REG DELETE HKCR\FIREFOX.URL /F
IE7 allows a program other than IE to be set up to handle all standard Internet calls. Before, IE was always used. For this to work, some registry entries need to be set.
For Vista compatibility, Ffx 220.127.116.11 sets those Registry entries mentioned above but does so in a way that makes it vulnerable to a malformed URL that includes a double quote (").
Ffx itself checks to make sure a DOS command is not sent to it. But that check is bypassed if the command is sent by another browser that doesn't escape (or remove) the double quotes.
When an Internet-aware program calls a URL, Ffx is instantiated through the command line. If an instance of Ffx is already running, then DDE is used and the exploit doesn't work.
For illustration purposes I'll use a simplified version of the code that is called by the URLHANDLERS:
FIREFOX.EXE -option "%1" -option
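The effect of an unescaped double quote on that simplified command line, as an added example (not code from Mozilla, Microsoft or the proof of concept). The argument splitter is a simplified stand-in for the real Windows parsing rules, and the URLs and the "-extra" option are constructed placeholders:

```python
# Added example: simplified model of how a URL handler command line is built.
TEMPLATE = 'FIREFOX.EXE -option "%1" -option'  # simplified template from the text

# Constructed sample inputs; "-extra" is a placeholder, not a real option.
GOOD_URL = "http://example.com/page"
BAD_URL = 'http://example.com/" -extra "x'


def split_args(cmdline):
    """Quote-aware splitter (assumption: simplified, not the full Windows rules)."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args


def expand_naive(url):
    """Caller passes the URL through unchanged, quotes included."""
    return TEMPLATE.replace("%1", url)


def expand_escaped(url):
    """Caller-side fix: percent-encode double quotes before substitution."""
    return TEMPLATE.replace("%1", url.replace('"', "%22"))


def arrives_as_one_argument(url):
    """Receiver-side check: the URL must occupy exactly the "%1" slot."""
    return split_args(expand_naive(url)) == ["FIREFOX.EXE", "-option", url, "-option"]


if __name__ == "__main__":
    for label, url in (("good", GOOD_URL), ("bad", BAD_URL)):
        print(label, "naive  :", split_args(expand_naive(url)))
        print(label, "escaped:", split_args(expand_escaped(url)))
        print(label, "one argument:", arrives_as_one_argument(url))
```

With the quote left in, the URL ends its own argument early and the rest of it is read as separate options; with the quote encoded as %22, the whole URL stays inside the one quoted argument.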
misc notes
- NoScript has been immune to this for some time.
- Removing quotes is a security standard in web development.
- Checking the validity of data is a security standard.
- Ffx2 also has a weaker cookie control than previous versions.
- Any Inet-aware application could be at risk, not just IE.
- Any browser with URLHANDLERS could be at risk, not just Ffx.
- This attack does not exist in the wild yet.
- It does not work on the Portable App version of Ffx2.
- An identical attack on "Safari for Windows" recently occurred, which Apple patched immediately.
- Enough is Enough by Eric Howe raises the security level in IE.
who is at fault?
Since Microsoft and Mozilla both made mistakes here, they both share the blame. However, the attack author Thor Larholm and security researcher Bruce Schneier put the blame squarely on Microsoft's shoulders. But security site Secunia puts the blame on Mozilla.
how the situation could have been avoided
IE should escape any double quotes.
Ffx should check any incoming data and only allow valid data to come through.
"Microsoft has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product."
"Mozilla believes in defense in depth and will be patching Firefox in the upcoming 18.104.22.168 release to mitigate the problem. This will prevent IE from sending Firefox malicious data."
websites to read
note: if the address wraps around the line, enter the whole URL as one word.
- Mozilla's response
- Active network
- Thor Larholm's theory
- Thor Larholm's proof of concept
- Thor Larholm
A hacker and web developer from Denmark who recently discovered a vulnerability with Safari on Windows (CVE-2007-3186) and in the extension FireBug (CVE-2007-1947).
- Billy Rios (aka BK)
- Nate McFeters
- Raghav Dube (aka "the pope")
SECSIG meets in the Science building 203 at 11:15 am.
By attending the SECSIG you can ask questions and open discussions about troubling situations you are having now.
The RSS feed address is http://ocsecsig.blogspot.com/atom.xml
Dave Keays, SIG leader