Thread: PCWorks: "Highly critical" Vulnerability-Firefox "firefoxurl" URI Handler Registration




PCWorks: "Highly critical" Vulnerability-Firefox "firefoxurl" URI Handler Registration
United States
2007-07-11 06:32:02
This is a pretty bad one with apparently no fix.  I checked all
the URL's I don't see any workaround where they mentioned:
"Added workaround to the 'Solution' section."
-Clint


TITLE:
Firefox "firefoxurl" URI Handler Registration Vulnerability

SECUNIA ADVISORY ID:
SA25984

VERIFY ADVISORY:
http://secunia.com/advisories/25984/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

REVISION:
1.1 originally posted 2007-07-10

SOFTWARE:
Mozilla Firefox 2.0.x
http://secunia.com/product/12434/

DESCRIPTION:
A vulnerability has been discovered in Firefox, which can be
exploited by malicious people to compromise a user's system.

The problem is that Firefox registers the "firefoxurl://" URI handler
and allows invoking firefox with arbitrary command line arguments.
Using e.g. the "-chrome" parameter it is possible to execute
arbitrary Javascript in chrome context. This can be exploited to
execute arbitrary commands e.g. when a user visits a malicious web
site using Microsoft Internet Explorer.

The vulnerability is confirmed in Firefox version 2.0.0.4 on a fully
patched Windows XP SP2. Other versions may also be affected.

SOLUTION:
Do not browse untrusted sites.

Disable the "Firefox URL" URI handler.

CHANGELOG:
2007-07-10: Added workaround to the "Solution" section.

ORIGINAL ADVISORY:
http://www.xs-sniper.com/sniperscope/IE-Pwns-Firefox.html

http://larholm.com/2007/07/10/internet-explorer-0day-exploit/
============= PCWorks Mailing List =================
Don't see your post? Check our posting guidelines &
make sure you've followed proper posting procedures,
http://pcworkers.com/rules.htm
Contact list owner <owner-pcworksimagicomm.com>
Unsubscribing and other changes: http://pcworkers.com
=====================================================
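
Added example, not part of the advisory or of either post: a Python check that a `reg export HKCR` dump no longer registers the "firefoxurl" scheme, which is one way to confirm that the advisory's "Disable the Firefox URL URI handler" workaround has been applied. The sample export, its paths and commands, and the "examplechat" scheme are constructed for illustration; the "URL Protocol" marker value is the standard Windows convention for URI scheme registration.

```python
import re

# Constructed sample in .reg export syntax; paths, commands and "examplechat" are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\firefoxurl]
@="Firefox URL"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\firefoxurl\shell\open\command]
@="\"C:\\Apps\\Browser\\browser.exe\" -url \"%1\""

[HKEY_CLASSES_ROOT\examplechat]
"URL Protocol"=""

[HKEY_CLASSES_ROOT\examplechat\shell\open\command]
@="\"C:\\Apps\\Chat\\chat.exe\""
'''

KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\([^\]]+)\]$')
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg strings escape \ and " with a backslash

def parse_reg(text):
    """Return {lowercased key path: {value name: data}} for REG_SZ values; '@' is the default."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('['):
            m = KEY_RE.match(line)  # keys outside HKEY_CLASSES_ROOT are skipped
            current = keys.setdefault(m.group(1).lower(), {}) if m else None
        elif current is not None and (m := VAL_RE.match(line)):
            name = m.group(1)
            name = '@' if name == '@' else _unescape(name[1:-1]).lower()
            current[name] = _unescape(m.group(2))
    return keys

def url_handlers(text):
    """Map each registered URI scheme to its open command and whether the URL (%1) reaches it."""
    keys, found = parse_reg(text), {}
    for path, values in keys.items():
        if '\\' not in path and 'url protocol' in values:
            cmd = keys.get(path + r'\shell\open\command', {}).get('@')
            found[path] = {'command': cmd, 'passes_url': bool(cmd and '%1' in cmd)}
    return found

def handler_disabled(text, scheme):
    """True when the scheme is no longer registered as a URI handler."""
    return scheme.lower() not in url_handlers(text)
```

`reg export` writes UTF-16 text, so decode the file with `encoding='utf-16'` before passing it in. Only string (REG_SZ) values are decoded, so a command stored as another type is reported as `None`.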

Re: PCWorks: "Highly critical" Vulnerability-Firefox "firefoxurl" URI Handler Registration
Canada
2007-07-11 14:41:51
Clint, have you tried the bug?

Open IE and put this into the address field "firefoxurl://larholm.com",
and it will execute the bug and use the CMD.exe to attempt to open
Firefox. It will launch Firefox and ask you an External Protocol Request
to handle the link where you click Launch application or cancel. The
firefoxurl://larholm.com takes you to the page of the developer who
discovered the bug,
http://larholm.com/2007/07/10/internet-explorer-0day-exploit/

And all this in an attempt to handle Vista compatibility.

Peter Kaulback

Clint - OrpheusComputing.com & ComputersCustomBuilt.com wrote:
> This is a pretty bad one with apparently no fix.  I checked all
> the URL's I don't see any workaround where they mentioned:
> "Added workaround to the 'Solution' section."
> -Clint
>
>
> TITLE:
> Firefox "firefoxurl" URI Handler Registration Vulnerability
>
> SECUNIA ADVISORY ID:
> SA25984
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/25984/
>
> CRITICAL:
> Highly critical
>
> IMPACT:
> System access
>
> WHERE:
> From remote
>
> REVISION:
> 1.1 originally posted 2007-07-10
>
> SOFTWARE:
> Mozilla Firefox 2.0.x
> http://secunia.com/product/12434/
>
> DESCRIPTION:
> A vulnerability has been discovered in Firefox, which can be
> exploited by malicious people to compromise a user's system.
>
> The problem is that Firefox registers the "firefoxurl://" URI handler
> and allows invoking firefox with arbitrary command line arguments.
> Using e.g. the "-chrome" parameter it is possible to execute
> arbitrary Javascript in chrome context. This can be exploited to
> execute arbitrary commands e.g. when a user visits a malicious web
> site using Microsoft Internet Explorer.
>
> The vulnerability is confirmed in Firefox version 2.0.0.4 on a fully
> patched Windows XP SP2. Other versions may also be affected.
>
> SOLUTION:
> Do not browse untrusted sites.
>
> Disable the "Firefox URL" URI handler.
>
> CHANGELOG:
> 2007-07-10: Added workaround to the "Solution" section.
>
> ORIGINAL ADVISORY:
> http://www.xs-sniper.com/sniperscope/IE-Pwns-Firefox.html
>
> http://larholm.com/2007/07/10/internet-explorer-0day-exploit/