Orange County Security SIG

Notes and comments of a Special Interest Group on computer security.

July 14, 2007



cross-browser attack

A cross-browser attack was found that would allow an attacker to take control of a computer surfing the Internet. It allows a website to force a download onto your machine or to execute a program. It involves both Internet Explorer (IE) and Firefox (Ffx).

the requirements for this exploit to work

  1. IE version 7 must be installed
  2. Ffx version 2 must be installed
  3. Ffx's URLHANDLER registry entries must be installed
  4. the NOSCRIPT extension must not be installed
  5. the security settings in IE must be medium or less
  6. a malformed URL must be called in IE
  7. no Ffx window can be open

what you can do to protect yourself

  1. Keep to IE version 6
  2. Keep to Ffx version 1.5 (see MISC NOTE #4)
  3. Install NOSCRIPT (see MISC NOTE #1)
  4. Remove the URLHANDLERS from the Registry (see below)
  5. Raise the security level for the Internet Zone to high

the questionable registry entries


how to remove urlhandlers

Enter the following commands at the command prompt:


IE details
IE7 allows something besides IE to be set up to handle all standard Internet calls. Before, IE was always used. Some registry entries need to be set.

Ffx details
For Vista compatibility, Ffx sets those Registry entries mentioned above but does so in a way that makes it vulnerable to a malformed URL that includes a double quote (").

Ffx itself checks to make sure a DOS command is not sent to it. But that check is bypassed if the command is sent by another browser that doesn't escape (or remove) the double quotes.

When an Internet-aware program calls a URL, Ffx is instantiated through the command line. If an instance of Ffx is already running then DDE is used instead and the exploit doesn't work.

For illustration purposes I'll use a simplified version of the command that is called by the URLHANDLERS:

FIREFOX.EXE -option "%1" -option

If the URL (%1) has a double quote in it, Ffx would treat the rest of the URL as an option (-option). Javascript could then be run with trusted privileges. More details can be found on Thor Larholm's site. (see below)
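As an added illustration, not code from the original post or from either vendor, the following Python models the substitution above: the simplified handler template from the post, a simplified Windows-style argument splitter, and two constructed sample URLs. It shows how an unescaped double quote turns part of the URL into extra command-line options, and how the two fixes the post calls for (IE escaping the quote, Ffx validating the incoming data) close that off.

```python
import re

# Simplified handler command from the post; %1 is where the URL is substituted.
HANDLER_TEMPLATE = 'FIREFOX.EXE -option "%1" -option'

# Characters RFC 3986 allows in a URL. A raw double quote or a space is not
# among them, so a URL containing one is malformed before it reaches the handler.
_URL_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")

# Constructed sample input (not from the post): a normal URL and one that
# carries a double quote followed by an extra option.
GOOD_URL = "http://example.test/page"
BAD_URL = 'http://example.test/page" -extra-option "x'


def build_command(url):
    """The caller's side (IE, in the post): substitute the URL verbatim for %1."""
    return HANDLER_TEMPLATE.replace("%1", url)


def split_args(cmdline):
    """Simplified Windows argument splitting: whitespace separates arguments
    and a double-quoted run is kept together as a single argument."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def escape_for_handler(url):
    """What the post says IE should do: never pass a raw double quote through,
    so the URL can never close the quoted %1 argument early."""
    return url.replace('"', "%22")


def is_valid_url(url):
    """What the post says Ffx should do: accept only well-formed URL data."""
    return _URL_CHARS.fullmatch(url) is not None


def handler_args(url, escape=False):
    """Arguments Ffx would actually receive for this URL, with or without
    the caller escaping double quotes first."""
    cmd = build_command(escape_for_handler(url) if escape else url)
    return split_args(cmd)


if __name__ == "__main__":
    for url in (GOOD_URL, BAD_URL):
        print("valid:", is_valid_url(url))
        print("raw:    ", handler_args(url))
        print("escaped:", handler_args(url, escape=True))
```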

miscellaneous notes

  1. NoScript has been immune to this for some time.
  2. Removing quotes is a security standard in web development.
  3. Checking the validity of data is a security standard.
  4. Ffx2 also has a weaker cookie control than previous versions.
  5. Any Inet-aware application could be at risk, not just IE.
  6. Any browser with URLHANDLERS could be at risk, not just Ffx.
  7. This attack does not exist in the wild yet.
  8. It does not work on the Portable App version of Ffx2.
  9. An identical attack on "Safari for Windows" recently occurred, which Apple patched immediately.
  10. Enough is Enough by Eric Howe raises the security level in IE

who is at fault?
Since Microsoft and Mozilla both made mistakes here, they share the blame. However, the attack author Thor Larholm and security researcher Bruce Schneier put the blame squarely on Microsoft's shoulders, while security site Secunia puts the blame on Mozilla.

how the situation could have been avoided
IE should escape any double quotes.

Ffx should check any incoming data and only allow valid data to come through.

From Microsoft
"Microsoft has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product."

From Mozilla
"Mozilla believes in defense in depth and will be patching Firefox in the upcoming release to mitigate the problem. This will prevent IE from sending Firefox malicious data."

websites to read
note: if the address wraps around the line, enter the whole URL as one word.

main researchers


Experience the computer club and all its SIG groups that meet at Chapman University, California on the 1st Sunday of every month.

SECSIG meets in the Science building 203 at 11:15 am.

By attending the SECSIG you can ask questions and open discussions about troubling situations you are having now.

The RSS feed address is

Dave Keays, SIG leader
