Mozilla/Firefox Bug Allows Arbitrary Program Execution

treefort writes "An article at eWeek has the lowdown. The article also has a link to the bug report which addressed this issue some time ago. Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilites. Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000." New releases are already available on mozilla.org that fix this. Update: 07/09 00:41 GMT by CN : I removed the bum link to Bugzilla, since I guess they don't like us. Also I discovered that OSDN's own NewsForge has more on the situation.

A clear advantage

[SIGALRM]

The Mozilla Foundation has confirmed the problem and issued a fix

This incident underscores why many use or have switched to Firefox: vulnerabilities discovered and promptly fixed. Not weeks and months from their publication--and not by another vendor--this exploit was addressed by those who have made available Mozilla's code for public scrutiny.

FYI, in case you didn't read the article, you can download the fix here [mozilla.org].

Re:A clear advantage

[hackstraw]

Yeah, they "fixed" it timely. But WHY THE HELL IS THERE A shell: SCHEME IN THE BROWSER IN THE FIRST PLACE? I've never heard of it, never needed it, and obviously there are issues with it.

Come on we blast M$ for putting vbscripting and whatnot in IE, but this is just as dumb.

It's not "in" the browser

[Anonymous Coward]

Mozilla hands off schemes it doesn't know to the operating system (Windows), and WINDOWS executes the shell scheme. It was obviously a security flaw in their eyes, too, as they fixed it in XP SP2. If you were able to run Windows with real restricted user accounts, this wouldn't really be such a problem.

Bad way

[phorm]

Which is basically to say:

IE bad because it is integrated into the OS
Moz bad because it calls the OS because it's not integrated

Both are bad. In fact, this is quite bad for Moz, as one of the touted improvements is that not being OS-integrated avoids such issues.

Basically, you're passing on data from the windows URI handler... so it's almost like importing a windows IE/Web insecurity into Moz. Perhaps if Moz just imported the windows URI handlers as a datafile, and stripped out known baddies?

Re:Bad way

[KevinKnSC]

Basically, you're passing on data from the windows URI handler... so it's almost like importing a windows IE/Web insecurity into Moz. Perhaps if Moz just imported the windows URI handlers as a datafile, and stripped out known baddies?

Relying on stripping out "known baddies" means that what you're really relying on is your list of known baddies. Any new baddie is, by definition, not on that list. Stripping them out is a start (web pages don't need access to shell://), but it's not a complete solution.

Re:Bad way

[phorm]

Well, the alternative to that would probably be to either not allow any that aren't known good (hey, how come this dumb browser won't open file X!), or allow all or all that aren't known bad but with a warning beforehand. Unfortunately, hoards of spyware/virus infested machines show up how well users pay attention to warnings/disclaimers/etc

Re:Bad way

[dolphinling]

From the article:

The developers considered changing from scheme blacklisting to whitelisting, in which case all schemes and protocols would be disallowed unless explicitly allowed.

Mozilla Foundation spokesmen said a future version of the browsers will change to whitelisting, but the interim fix just disables the shell protocol. Several other schemes, such as vbscript, are already disabled by default.

So in other words, this fix only changes a pref which is easy to do without a huge download, etc. and is easy for the clueless, since it requires one click. Future versions will have a fix for the problem in general, rather than just this specific case.

Re:Bad way

[jrumney]

If I go to the download page I see a reference to 0.9.2 but no release notes telling me that there's a security problem.

0.9.1 was the same. The release notes were unchanged since 0.9 and there was just a note saying "minor bugfixes" in one place, and another note saying "critical update" somewhere else. Firefox is a great product, but they really need to do something about keeping users informed about their releases. We can't all be expected to browse through Bugzilla to see what has changed between releases.

Re:Bad way

[ttldkns]

so it's almost like importing a windows IE/Web insecurity into Moz.

It is in fact an IE insecurity too as i just tested it with internet explorer and windows 2000 at this link: http://www.mccanless.us/mozilla/mozilla_bugs.htm [mccanless.us]

so it is infact an OS vunerability and not browser specific. Infact, we have a patch and IE doesnt. That makes me feel good :)

Re:Bad way

[antiMStroll]

" Which is basically to say:..

Not at all. Mozilla falls down by trusting the multiple OSs it supports to securely handle something it doesn't understand. You did notice the part of the story that specifies this as a Mozilla/XP/2K exploit, right? No problem in Linux or *Bsd, etc., so I don't know how this OS intregration angle is relevant at all.

Re:Bad way

[beeblebrox87]

Firefox is designed for Linux AND Windows. It has been the goal of the project to provide equivalent levels of support for both systems since it was called Phoenix.

IMHO, they should worry more about security with the Linux version than the Windows one, as anybody using Windows has pretty clearly shown that they don't care much about security anyway.

Re:Serendipity! Vindication in under one day!

[Planesdragon]

You DO realize that there have been some rather high-profile bugs, malware, exploits, and viruses for Linux (and even BSD), don't you?

And you also realize that, if Gecko had only been put in Free Computing systems, it would have essentially rotted away to nothingness years ago.

Of course, you're also completely ignoring the amazing PR spin Mozilla is for Open Source. Sure, it has a bugs and holes--but those bugs are publicly filed, honestly reported, and fixed in a VERY timely fashion.

(Then again, you're comparing Free Computing and pregnancy.)

Re:Serendipity! Vindication in under one day!

[FireFury03]

Of course, you're also completely ignoring the amazing PR spin Mozilla is for Open Source. Sure, it has a bugs and holes--but those bugs are publicly filed, honestly reported, and fixed in a VERY timely fashion.

I really hope that if the mainstream media does stories on this they will make it clear that:
1. This is not a problem with the browser, it is a problem with the OS
2. The problem with the OS was alegedly fixed by a previous MS patch... except it wasn't - MS obviously don't test their patches.
3. Even though it was not Mozilla's own problem they still jumped and fixed it within a day of the report.
4. Microsoft knew about the latest IE hole 10 months before it was exploited and still did nothing about it.

Re:Serendipity! Vindication in under one day!

[Epi-man]

Either go all the way to changing the OS AND the browser, do the right thing, all the way,or don't bother, it's naieve wishful thinking and at best a finger in the dike stopgap measure to try and make windows "secure" on the internet, and at best an incredible waste of time and resources in the OPEN source coding community.

I totally disagree with you. As a user that is stuck on an XP platform because where I work I have no say (and I am far from alone here!), I am absolutely overjoyed that the coding community "wastes" its time and resources to allow me to use my home browser at work. Last time I checked, the community was not out to "make windows 'secure'," but was instead out to make good software for people to use freely. Granted, I am probably starting another flamewar here (which free, blablabla), but I think you need to leave it to the people doing the coding to decide how to spend their time and energy and not foist alternate agendas upon them.

Re:It's not "in" the browser

[Switchback]

Agreed. It's not really a bug in the browser, it's a flaw in Windows.

Windows has a bunch of protocol handlers registered. Mozilla knows how to handle a few (e.g. http, ftp, etc.). Whenever it encounters a protocol it doens't know what to do with, it sees if Windows knows how to handle it. Windows either handles it in some way or it doesn't. If it doesn't, Mozilla puts up a message saying "xyz is not a registered protocol." Mozilla has no way of knowing that anything is bad or dangerous.

The real bug is in Windows. The only real options the Mozilla developers have is to black/white list known dangerous protocols or simply don't allow protocols Mozilla itself doesn't handle. Neither are optimal. If you can't trust the OS you're on, you really limit yourself, bugs or not.

So we banish the "shell" protocol today. Who's to say Windows won't have another flaw in another protocol tomorrow?

This really isn't any different than plugins, which are in a sense, external protocol handlers. i.e. they know how to handle certain content...just like a protocol handler. What if there is an exploit in a plugin? Mozilla just starts the plugin with the listed parameters and lets it go. Are you going to blame Mozilla for allowing the plugin to run, or are you going to require that Mozilla not allow "known, dangerous plugins" to run?

Re:This is a Mozilla problem

[scenic]

Mozilla doesn't do what you described... it doesn't hand off any executable to the OS.

Your analogy isn't quite right... let's think about this another way... you have a plugin you've installed that has a security flaw in it. Is Mozilla (or IE or any other browser) responsible for the security flaw?

The registration of external protocol handlers is common practice across different platforms and browsers. I use OS X primarily at work and at home. I also run Linux here and have a Windows laptop at work. All three platforms use external protocol handlers to register helper applications.

The part that I think is significant is that the OS registered a protocol handler that isn't safe in an internet context. So, you either blame the browser for doing what the OS manufacturer recommends you do... or you blame the fool who wrote the insecure protocol handler (and why the hell would you want a "run any program" protocol handler????)

Sujal

Re:This is a Mozilla problem

[hackstraw]

let's think about this another way... you have a plugin you've installed that has a security flaw in it. Is Mozilla (or IE or any other browser) responsible for the security flaw?

Look though my comment history and see what I think of plugins. (hint, they suck)

Yes, this is a mozilla problem. Here is the deal. When you develop an application where anyone in the world has input to that program you check the input for valid data and reject anything that is not valid. Period.

A uri handler called shell:// is stupid. Thats as if your leaving an open rsh or ssh port with no password. Again, this is the first time I've heard of such a handler, and I don't know exactly what it does or is supposed to do but the fact that its called shell tells me that its not something that belongs on an internet application. Name me one more network application that would accept arbitrary commands without a password to be run on a computer. Just one.

Re:This is a Mozilla problem

[scenic]

right, but how does mozilla know that a particular URL is not valid? So, "shell:" seems obvious to you, but it wasn't registered by Mozilla. Windows has a handler called shell. Mozilla is simply doing what the OS provider says to do... hand off unknown protocols to the local system to see if you have helper applications (for example, telnet:// or ssh://).

We agree about the stupidity of a shell:// handler... but Mozilla didn't provide it. I'm not sure what "valid data" they should be checking for here... the only thing I see at this point is that they need to start maintaining a black list of protocol schemes... Of course, if a particular bit of spyware/adware becomes popular, for example, they'll just be chasing down changing schemes.

Sujal

Re:It's not "in" the browser

[Switchback]

Yes, blame Microsoft. If you RTFA, you'd notice that Microsoft themselves fixed this bug in the next XP service pack (which won't be released for several more months...)

Mozilla's quickfix was to just turn the protocol off. The Mozilla developer's shouldn't be babysitting the Windows OS. It's an operating system protocol handler, just like any other registered helper app. What do you recommend happen if Flash has an exploit? Have Mozilla not load the flash plugin? No, it's a bug in Flash and we expect Macromedia to fix it. This is not any different. But in the mean time, since this shell handler is not really used, the quick fix is to simply ignore the shell protocol (i.e. don't hand it off to the OS).

The other fix is to dig into the registry and turn off the shell handler yourself.

Re:It's not "in" the browser

[Switchback]

This shell extension could do just as much harm when running under a root Linux account (and there are plenty of those out there!)

Linux and Mac do not have such as thing to handle the "shell" protocol, thus it's not possible for them to have this flaw. Windows (in fact just 2000 and XP) are the only OSes that are vulnerable. Why? Because Microsoft wrote a dangerous handler that's not secure. If it was secure, no one would be talking about this right now. That fact that Microsoft themselves have fixed this bug in the next XP service pack doesn't tell you it's an MS bug?

Umm, that other protocol most likely won't have the ability to natively execute arbitrary strings passed to it! Maybe you're not understanding the difference between a native operating system shell handler and a text or image protocol handler.

I certainly understand it. It appears, however, that you do not. Mozilla is not arbitrarily launching a shell process merely because someone had a "shell:..." URI. It's asking the OS if it has an application that handles this protocol. Windows says yes and tells it how to launch the program. It passes the parameters to the application (just like any other helper app or plugin) and it's this application's responsiblility to check parameters. How is this any different than, say, registering my XYZ program to handle the "xyz" protocol and the XYZ application has a flaw that is exploitable?

Mozilla itself doesn't know one handler from another, and it shouldn't care. The system says "this application handles this protocol/content", so Mozilla hands it off.

Re:It's not "in" the browser

[dekeji]

Mozilla hands off schemes it doesn't know to the operating system (Windows), and WINDOWS executes the shell scheme

The question remains: why does Mozilla "hand off" stuff from the Internet to the operating system? It obviously can't determine that doing so is safe, so it shouldn't do it.

If you were able to run Windows with real restricted user accounts, this wouldn't really be such a problem.

Oh, nonsense. Mozilla doesn't run with "real restricted user accounts" on UNIX/Linux either. The responsibility of deciding what is trusted and what is safe to "hand off" to the OS rests firmly with applications on most modern operating systems; every application programmer should know that, and it is not hard to program accordingly.

Re:A clear advantage

[Anonymous Coward]

Well, if you're going to brag about standards support, you need to support standards. Including the stupid ones.

Re:A clear advantage

[Anonymous Coward]

This incident underscores why many use or have switched to Firefox: vulnerabilities discovered and promptly fixed. Not weeks and months from their publication

Yeah, it was years before it was addressed. If you read the Bugzilla report, it was first opened in 2002. This is not a good example of "open software fixes things faster".

Re:A clear advantage

[SIGALRM]

it was years before it was addressed

Not really. The bug history began immediately afterward and for quite some time it was moved between FIX and WONTFIX but received a lot of attention. Here are some of the comments from the bug report at http://bugzilla.mozilla.org/show_bug.cgi?id=167475 :

------- Additional Comment #2 From Jesse Ruderman 2002-09-11 16:58 PDT [reply] -------
It's not hard for a malicious site to get a visitor to click a link. Requiring
a click or an equivalent keyboard action can be useful for limiting how much a
web site can annoy you (pop-up windows, etc.) but I don't think it's useful for
larger security issues.

------- Additional Comment #3 From Daniel Veditz 2002-09-11 17:25 PDT [reply] -------
I agree, WONTFIX. Other bugs are already discussing blocking external protocol
handlers, we don't need to do additional work to base the decision on context.

------- Additional Comment #5 From Daniel Veditz 2002-09-12 11:35 PDT [reply] -------
re-opening for reconsideration. This doesn't solve the problem of untrusted
protocols, but even for trusted ones it doesn't make much sense in these kinds
of places.

Re:A clear advantage

[shellbeach]

Not really. The bug history began immediately afterward and for quite some time it was moved between FIX and WONTFIX but received a lot of attention.

However much developer attention it received (and actually it wasn't much - see my comments below), it doesn't change the fact that this exploit was present for almost two years ... and a fix was only released when the bug received wider internet attention.

The speed with which a fix was issued after the general public was made aware of the problem was good ... but the previous activity over the bug (imagine setting the status to WONTFIX for this!!??) smacks of Microsoft-style negligence/lack-of-concern.

The specific comments you cite are indicative of this lack of concern- Comment #2 basically claims that it's not worth fixing security issues that are initiated without any form of user intervention whatsoever. And why? because it's easy enough to get a luser to click on a malicious link, so why should we worry about sites that just bypass the malicious click?? I don't know about everyone else here, but that sort of logic concerns me!

Just looking at the amount of interest in this bug after 2002 (only brief two comments in 2003 and another two in 2004; no patches submitted or even thought about) seems to suggest that if this had not been reported by the internet media this would never have been fixed. Or at least, not until exploits of it became commonplace.

And with the recent internet-banking trojans using a similar exploit (i.e. download and run malicious code without any user prompting) in IE, the issue seems serious enough to me to have warranted a quicker fix.

Re:A clear advantage

[shaitand]

The debate on whether or not to do something about it was because it's the uri handler in the OS which is insecure, not mozilla.

This isn't really a fix for a security problem in Mozilla, it's a workaround for a security problem in windows... which is why this only affects Mozilla on windows.

Re:A clear advantage

[shellbeach]

This isn't really a fix for a security problem in Mozilla, it's a workaround for a security problem in windows...

Well, regardless of the cause of the problem, if there's an exploitable hole it's still a security issue. Yes, it wasn't caused by some bad coding in Mozilla, but from reading the bug description and comments the exploit comes through HTML that has little or no valid use in legitimate, friendly web pages. (Hence it was possible for Mozilla to quickly release an all-blocking fix once it became publicised - disabling this funcitonality is not going to inconvenience anyone)

In that situation, it still seems negligent to me when you're failing to fix an exploitable hole once it's come to your attention and when there's no disadvantage to doing so.

As a very small-scale open-source developer myself, I feel that despite the GPL clauses about no warranty there's still something of a moral duty of care and trust in situations like this. Two years of being aware of this issue and doing little or nothing about it seems a bit worrying, IMO.

Re:A clear advantage

[johkir]

Another big difference between the two is the fact that Mozilla even uses a publicly available bug list - Bugzilla. Theoreticaly, we all have a list of potential exploits at our finger tips. Could you imagine a list like that for IE? Maybe that's just what they need.

Re:A clear advantage

[mingot]

Could you imagine a list like that for IE?

Will probably end up happening soon. Open online bug tracking has already started for some of their products.

Re:A clear advantage

[TheDormouse]

Actually, important security bugs are not revealed to the public. They are only available to a handful of trusted developers. For some reason, they decided to "unhide" this bug after the fix was checked in for some reason.

Heretic, YOU MUST BURN!

[Saeed al-Sahaf]

Heretic, YOU MUST BURN!

Re:A clear advantage

[shaitand]

Actually this is a blotch on MS too, not Mozilla. The browser just passes unknown URI's to the OS and the OS handles them however it handles them. In this case the WINDOWS shell uri handler is insecure, creating what appears to be a bug in mozilla.

Re:A clear advantage

[Anonymous Coward]

Uh. This was a Windows-specific bug caused by the underlying OS. It's not a bug in Mozilla's code.

When you're writing cross platform code, and it that works perfectly fine on other platforms, and Microsoft keeps saying it's going to fix the bug, but stumbles around like a drunken barfly instead of releasing a fix... this is Mozilla's fault?

Microsoft says "Yeah, we're aware of that, we're going to fix it in SP2, it should be out Real Soon Now." and Mozilla takes them at their word, since it's their OS, and all applications on their OS are vulnerable to the bug, so it's in their best interest to get a fix out - and quick. Yet here's an OS bug that's been around since 2002 that Microsoft has made 0 public progress on.

And this is Mozilla's fault. For not making a hack to close an OS bug that the OS manufacturer should patch in a reasonably timely fashion. Yet doesn't. Yes, I agree, Mozilla is horrible, and Bill Gates is a saint. Yes.

BTW, could I have some of the pills you're taking? They sound wonderful.

Re:A clear advantage

[Anonymous Coward]

The bug listed in the summary is about a general issue - no actual exploit was known. When an exploit was made known YESTERDAY, bug 250180 was filed, and fixed within 24hrs.

Go to the source for better info!!!

http://www.mozilla.org/security/shell.html

Re:A clear advantage

[jCaT]

The bug listed in the summary is about a general issue - no actual exploit was known. When an exploit was made known YESTERDAY, bug 250180 was filed, and fixed within 24hrs.

The longer known bugs are out there (and hell, even documented) the more time there is for someone to go out and actually write the exploit. Of course there won't be any exploits available when the bug is first found- unless the person who found the bug is the one who wrote the exploit (a rare case). I doubt in 2002 there was enough attention directed at mozilla to warrant a speedy bugfix, but since so many people are using it now it's under a lot more scrutiny. Now that mozilla is on the "radar" of crackers and other ne'er do wells out there, the exploits of known-but-not-fixed critical bugs are likely to start showing up more often.

Re:A clear advantage

[mldl]

Actually http://bugzilla.mozilla.org/show_bug.cgi?id=250180 is the first mention of the shell: bug. Bug 167475 is a catch all deciding whether or not Mozilla/Firefox should hand off unknown protocols. If it used a whitelist of known protocols as some people suggest then it would break a lot of things relied upon over various platforms.

The specific shell: bug was reported only Wednesday morning which gives us a total time of less than 48 hours.

Re:A clear advantage

[TRACK-YOUR-POSITION]

Well, this is the bug you should probably be looking at: http://bugzilla.mozilla.org/show_bug.cgi?id=163648

One of the comments explains why this "bug" is so long in being "fixed"--it was suggested that a dialog should be popped up before launching any external app, (which Internet Explorer only started to do sometime this year), but this is inconsistent--external plugins, like Flash, don't get similar dialog boxes in any browser, even though such plugins have been exploited in the past. Also, some programs launch their own dialog warning the user of executing from untrusted environments, and having Mozilla also display a warning is redundant. Essentially, any program that registers itself as a plugin or web protocol is saying "I will take care of the security issues involved with my execution." Therefore, while known dangerous protocols like vbscript were blacklisted (that's why this particular bug is FIXED, even though the comments suggest awareness of the current problem), they didn't implement a whitelist (which I guess is the plan for 1.0) or a dialog box (which Internet Explorer now relies upon, foolishly) because it was not consistent with the behavior towards external plugins.

Presumably, with the bad press this has received, Mozilla has realized that Microsoft is going to put whatever-the-hell it wants to in as an external protocol, so unknown protocols should not be trusted. (Something that, apparently, Microsoft themselves has only realized in the last year or so.) shell: protocol is disabled in 0.9.2, and only whitelisted plugins will be trusted in 1.0. I think.

Re:A clear advantage

[bwy]

Very true- no software ever written has been 100% bug free. Mac, Linux, Mozilla etc. simply aren't targets for obvious reasons that are frequently brought up here.

The difference in large part in my opinon boils down to:

#1 WHO finds the bug. Is it the developers and community that discovers it in good faith, or is it a hacker and the rest of us find out after a billion dollars has been lost worldwide to the latest worm, virus, etc.

#2 As you said, how quickly is the problem fixed. Certainly, private companies aren't necessarily horrible at doing this, to spite what people say. I work for a small software company and assure you that any security issues with our product would be corrected promptly. By the same token, some open source projects w/o a steady lead or direction could have exploits that go unfixed for some time.

However, based on my observations and considering those two points, I'd say I certainly feel better using Firefox than IE.

Re:A clear advantage

[Wofser]

"#1 WHO finds the bug. Is it the developers and community that discovers it in good faith, or is it a hacker and the rest of us find out after a billion dollars has been lost worldwide to the latest worm, virus, etc." The problem is not who find out about it. The problem is that a big portion of the users dont upgrade. I mean the latest 4-5 big worms did not use any unknown exploits. It used old and well documented exploits, exploits that you could find example-code for. Copy-paste-compile!!

Re:A clear advantage

[bwy]

The problem is that a big portion of the users dont upgrade.

One good thing, though. I've noticed a lot of larger companies are managing their desktops more tightly than they were a few years ago. Also shops running Citrix and Citrix-type environments have an advantage here... rather easy to make sure your users get the latest and greatest.

Home users are largely a lost cause however. Your average Joe isn't going to go out downloading update patches. The Windows Update or Software Update (Mac) type things work pretty well but I'm just not sure how many users use them and they don't cover 3rd party apps.

Re:A clear advantage

[mobets]

lol, you forgot the semicolon after the pritf line...

#include
int main()
{
printf("Hello World\n");
return 0;
}

Re:A clear advantage

[Aldurn]

You forgot to HTML-escape the #include line, and you misspelled "printf" :)

#include <stdio.h>
int main(int argc, char **argv)
{
printf("Hello World\n");
return 0;
}

Re:A clear advantage

[mingot]

Would you use printf to diplay the error message if it did?

Re:A clear advantage

[Aidtopia]

Except for the semicolon, as the other poster pointed out, this does have some portability problems. Not sure if you'd call them bugs or not.

#include<stdio.h>

You could argue that a preprocessor should allow this, some will indeed choke because there's no space before the <.

return 0;

The 0 is returned to the operating system, but operating systems have different rules for what return values mean. For example, in VMS, even numbers are errors, and

return 0;

will generate a nasty error message upon completion.

Some people argue that the compiler should return "success" when the code says to return a 0. I haven't read anything official that supports that. And if so, how would you return a 0 if that's indeed the error you need to return to the operating system?

For maximum portability with ANSI C, you probably want to do something like this:

#include <stdio.h>
#include <stdlib.h>

int main(void) /* void makes it clear this is ANSI, not K&R */
{
printf("Hello, World!"); /* note ',' for proper grammar */
exit(EXIT_SUCCESS);
/*NOTREACHED*/ /* Let lint know, that you won't get here. */
return 0; /* silences compiler warning */
}

[Slashcode says to use <ECODE> instead of <PRE or <CODE, but how do I inline code or do indentation with <ECODE>?]

Even his sig has a typo!

Re:A clear advantage

[Anonymous Coward]

Bullshit. The same e-Week article points to the Bugzilla discussion. Since Bugzilla refuses links from slashdot, I have copied the first post for bug 167475. Note the date and tell me about the "clear advantage".

Opened: 2002-09-09 04:41 PDT

As we can see in bug 163648, external protocols can cause a lot of security
issues. But exploits for this bug are dangerous mainly if external protocol
handler is being requested automatically from HTML code via <IMG
SRC="externalprotocol:URL">, <IFRAME SRC="externalprotocol:URL"> and other
similar cases.

More, with relation to common sense, invoking an external protocol is absurd in
this case, because <ANYTAG SRC="..."> is request to return some data in browser,
not for launch external application.

So, disable external protocols in all cases, excluding <A HREF=>, can solve this
problem.

Marking severity critical according to 163648.

Re:A clear advantage

[ron_ivi]

This incident underscores why many use or have switched to Firefox: vulnerabilities discovered and promptly fixed. Not weeks and months from their publication--and not by another vendor--....

But some people [technewsworld.com] seem to be of the opinion that too many patches would be confusing.

"Ballmer said one key improvement will be a simplification of the way patches are distributed. Microsoft plans to move to a monthly patch release schedule, which he said will make it easier for network administrators to plan updates, which often require system shutdowns before installation."

If this other vendor is right that people want no more than monthly patches, such a fix may have to wait weeks.

Re:A clear advantage

[lseltzer]

Not quite done yet. You have to restart your browser first.

Re:A clear advantage

[Anonymous Coward]

No, the web page was tampered with and you are now broadcasting spam.

Re:A clear advantage

[Anonymous Coward]

Valid point. Inspect the XPI before installing it. It's a ZIP file which contains two js files. "install.js" copies "bug250180.js" into the default-prefs folder. "bug250180.js" creates the preference string "network.protocol-handler.external.shell" with the value "false", which disables this particular handler.

The complete content of these files:

bug250180.js:

// block shell: protocol handler (bug250180)
pref("network.protocol-handler.extern al.shell", false);

install.js:

if (SUCCESS == initInstall("Patch for bug 250180","mozilla.org/bug250180","1.0.0.0"))
{
&n bsp; var prefDir = getFolder("Program", "defaults/pref");
var err = addFile( "", "bug250180.js", prefDir, "");

if (err == SUCCESS)
performInstall();
else
cancelInstall(err);
}

...or something similar to that, which I can't show here because Slashcode fucks it up.

Re:A clear advantage

[tunah]

Bah, if they were really onto it, they would have embedded the exploit in the slashdot page and use it to patch your browser without clicking ANYTHING!

Re:A clear advantage

[Maradine]

And for those who would like the actual URL . . .

http://bugzilla.mozilla.org/show_bug.cgi?id=1674 75

Forgive me. I'm an idiot when I'm flamebait.

Re:A clear advantage

[roca]

That is not a report of this or any other vulnerability. It's simply a suggestion for a change that would have provided a defense in case a vulnerability like this one was discovered. I agree we still should have done it, and hopefully will do it now...

RTFBR

[jefu]

(Read the F-ing Bug Reports)

Reading the bugzilla entries for this and related bugs (an earlier post has the bugzilla url for this bug) is interesting in itself.

It shows that the developers well understood the security implications of the bug - but they were also trying to fit the browser into the MS scheme of things in which programs seem (I'm not a windows expert at that level) to be able to register protocols (shell:, vbscript:, irc:) that they get to handle. Disabling this in windows would then lead to Mozilla/Firefox behaving differently than they've come to expect.

It was further pointed out that mozilla could require a "yes" click in a dialog window, but that that would lead to other security issues.

Interesting reading.

And now for some helpful links:

[strictnein]

And now for some helpful links:

Note: If you click on download links for firefox on the main page of mozilla.org [mozilla.org], you get 0.9.2 [mozilla.org]. The link on the firefox page @ http://www.mozilla.org/products/firefox/ [mozilla.org] still gets you 0.9.1 [mozilla.org]. The link on the main page for the Linux version of Firefox still points to version 0.9.1. It seems that if you want 0.9.2 for Linux you'll have to compile it yourself [mozilla.org].

0.8 [mozilla.org]
0.9rc [mozilla.org]
0.9 [mozilla.org]
0.9.1 [mozilla.org]
0.9.2 [mozilla.org]

And a direct link to the newest release for the really lazy:
Windows 0.9.2 [mozilla.org]

The question is, what is the shellblock.xpi [newaol.com] for?

Does Bugzilla know? Sorry, links to Bugzilla from Slashdot are disabled. Ook!

Re:And now for some helpful links:

[hallucination]

No need for a linux release..... Read the article:
Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000

Re:And now for some helpful links:

[sgtsanity]

The shellblock.xpi works to patch the 0.9.1 release. The only difference between 0.9.2 and 0.9.1 is that one of the preferences is a different value by default. So, if you have 0.9.1 already, there is no need to download the 0.9.2 release. You can just patch it using the .xpi link on mozillazine.

Blast!

[darth_MALL]

"Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000"...there goes a perfectly good Ha-Ha!. You've bested me this time *NIX...But you haven't seen the last of ME! BWAHAHA!

Re:Blast!

[AuMatar]

Sure we have. I haven't seen an ME installation in years.

Re:Blast!

[mbourgon]

I feel safe, though... my 98 box is still immune.

Only recent Mozilla bug.

[homeobocks]

I guess that this is a big deal because I can't remember the last time Mozilla had a remote hole in it.

Re:Only recent Mozilla bug.

[Carnildo]

Strictly speaking, it's not a hole in Mozilla. It's a "feature" that can be used to turn local holes in other software into remote holes.

Here we go again...

[LostCluster]

I can't help but think that this thread from earlier today [slashdot.org] can be seen as good news from a security context...

Just how does Mozilla/FireFox think it's going to keep malware from tricking the users into granting permission when the clueless masses come over from IE?

And this line says all I need to know

[GMFTatsujin]

"Researchers are reporting another security issue in Web browsing under Windows"

Sounds like a Windows problem, not a Mozilla problem. Oh, wait a minute...

Current versions of Mozilla and Firefox pass unknown protocol handlers to the operating system shell to handle.

Ding! Next. However:

The attacker would have to know the location in the file system of the program

So just in case, I'm renaming my /bin, /sbin, and /usr directories to /zurg, /mumph, and /splunge. Bring it, you haxx0rs!

Re:And this line says all I need to know

[Telex4]

The attacker would have to know the location in the file system of the program

So just in case, I'm renaming my /bin, /sbin, and /usr directories to /zurg, /mumph, and /splunge. Bring it, you haxx0rs!

Well now you've blown it!

Hint: Security through obscurity requires obscurity.

Huh?

[nettdata]

malicious persons are much more unlikely to target any vulnerabilites

I disagree... if anything, malicious people are MUCH more likely to target vulnerabilities.

Open Source Collaboration

[ZZeta]

Of course bugs will appear in Firefox.
Nobody in their right mind can expect a product to be perfect, but what makes Mozilla different is that bugs are fixed instantly. And that's because of the open source community, which is far more reliable than the competition.
People might disagree with me, but I still think these bugs (and their immediate fixes) only show how great open source really is.

Re:Open Source Collaboration

[roca]

That's not a report of this vulnerability. It's a comment about a proposed change that might have prevented this vulnerability, had it been implemented. At the time, there was no known actual vulnerability that demanded the change.

Re:Open Source Collaboration

[jesser]

That's not a report of this vulnerability. It's a comment about a proposed change that might have prevented this vulnerability, had it been implemented. At the time, there was no known actual vulnerability that demanded the change.

The proposed change wouldn't even have prevented this vulnerability. It would have increased the requirement to exploit it from "Get the victim to visit your site" to "Get the victim to visit your site and click a link".

Re:Open Source Collaboration

[Christopher Whitt]

As the other posters have said, all over, the bug was opened in Sept 2002. Not far from 2 years ago.

As other posters have been mistaken, so are you. The bug linked to in the /. article is 2 years old, but the correct bug (250180) is one day old. Fixing the 2 year old bug would have only removed some of the methods of activating the underlying Windows bug, not all.

Microsoft bug which affects Firefox

[Anonymous Coward]

This is NOT a firefox bug. It is a bug in an external protocol in windows - of which Mozilla calls. The fix is to disable ALL external windows protocols. (bittorrent, mirc, etc)

This proves once and for all

[dicepackage]

How dangerous Mozilla can be. Everyone should be listening to Microsoft and use a secure browser such as Internet Explorer that isn't littered with security vulnerabilities.

Strange coincidence?

[hunterx11]

Isn't this a bit like the bug that Safari (and OS X URI handling in general) had earlier? [slashdot.org]

Update system

[supercytro]

Whilst it's easy to take pot-shots at Microsoft when it comes to IE, their update system isn't too bad. Firefox needs a easy to use mechanism for automatically retreiving and installing critical update, in a manner similar to MS windows update service.

Even better, take a leaf out of Norton's liveupdate program.

Re:Update system

[galaga79]

There is an auto-update for Firefox, take a look at Options > Advanced > Software Updates.

By default it will periodically check for updates for the main program and extensions. You can even set it up to automatically download and install these updates.

Incorrect bug link

[jesser]

Eweek and Slashdot linked to bug 167475, implying that Mozilla developers knew about this hole in 2002. Fixing bug 167475 would have done approximately nothing to protect Mozilla users against the shell: hole in Windows, and that is why bug 167475 hasn't been fixed.

The correct bug number for this hole is bug 250180.

Concern has been around since 2002

[DragonHawk]

The security exposure is apparently due to the fact that Mozilla, running on MS-Windows, will hand off any "URI scheme" Mozilla does not recognize to the OS. This only happens on MS-Windows. Since Windows may (and indeed, does, by default) know about URI schemes that do things you would not want a web page doing (like run programs), this is considered a problem for Mozilla.

I have to agree that this is a Mozilla issue. To use a slightly contrived comparison: I read my mail using UW Pine. If someone sends me a script via attachment in email, I do not want Pine to test and see if the interpreter in the she-bang line is available on the host OS. My OS is not my mail reader; I do not want my mail reader allowing everything my OS can do. Ditto my web browser.

There appear to be at least three Mozilla Bugzilla Bugs related to this (likely a lot more):

#1 = Mozilla Bug 163767 (20 Aug 2002)
"Pref to disable external protocol handlers"
http://bugzilla.mozilla.org/show_bug.cg i?id=163767

#2 = Mozilla Bug 167475 (9 Sep 2002)
"Disable external protocol handlers in all cases, excluding <A HREF"
http://bugzilla.mozilla.org/show_bug.cgi?id =167475

#3 = Mozilla Bug 250180 (7 Jul 2004)
"Shell: protocol allows access to local files"
http://bugzilla.mozilla.org/show_bug.cgi?i d=250180

It appears that Mozilla developers have been worried about this kind of problem going back to at least Aug 2002 (see #1 above). #1 talks about an option to disable external protocol handlers (URI schemes) by default. I have to say that would be the right thing to do. "Secure by default" is the correct approach.

#2 talks about an approach that uses context to determine if an external handler should be invokved. Basically, it assumes that if a user clicked a link, they wanted to invoke the handler; anything that happened implictly (such as image loading) should not invoke an external handler. I do agree with those who commented (in that bug) that this is not the right approach. It adds complexity, and it still fails to address the fact that clicking a link is not something that should just up and run anything the web page wants. If I wanted that, I'd use MSIE.

#3 is a reference to the "shell:" URI scheme in particular being abused this way. It blocks the "shell:" scheme to prevent that abuse. It does nothing to prevent abuses of other possible schemes, though. I suspect we may see this "feature" of Mozilla rear its ugly head again in the future.

This is not a failure of Open Source in particular. Nor does it prove Mozilla is crap or Microsoft is okay after all. It means that people make mistakes. This should not surprise anyone. Stop pointing fingers and fix the problem.

Intentional

[kyjello]

This is added intentionally so that Mozilla contains all of the features of Internet Explorer.

Oh yes, that's right! I went there.

Blacklisting vs. Whitelisting

[Temporal]

The developers considered changing from scheme blacklisting to whitelisting, in which case all schemes and protocols would be disallowed unless explicitly allowed.

Duh.

I have been saying this for some time now: Never use blacklists. Always use whitelists.

If you forget to put an insecure operation on a security blacklist, you have a security hole. If you forget something on a whitelist, you just have an inconvenience.

I am disappointed that the Mozilla developers did not have enough common sense to use whitelists in the first place. But then, it seems like most computer security schemes are blacklist-based, which explains why computers are so insecure.

Re:Blacklisting vs. Whitelisting

[ZorbaTHut]

Eww.

One of the big disadvantages to the whole blacklist/whitelist things is, indeed, inconvenience. But you seem to be thinking it's just a minor inconvenience where, to a lot of people, it's major.

Example: A while ago (I don't know if they still do, but it wouldn't surprise me) Unreal registered unreal:// to open games. You didn't have to do anything, it just worked. A lot of sites relied on this (click hyperlink, open unreal, badabing badaboom).

Now, if the web browser used a whitelist, there's a few options. First off, it could be utterly impossible for Unreal to register even with user assistance - bzzt, this is bad. Remember, users want things to be easy.

Second, it could require the user to go through the steps to add unreal:// to their settings. Also bad, because the Unreal coders don't want to have to change their installer every time the interface changes. Plus it's irritating for users. Bzzt.

Third, it could ask the browser/OS to register itself, and the browser/OS could pop up a confirmation box. But we already know users can be duped into clicking just about anything ("You MUST click Yes for real 100% hardcore xxx porn!") and so this wouldn't exactly be a rock-hard barrier. Bzzt.

Fourth, it can do what it does now, which is also flawed. Bzzt.

I personally think solution 3 is the best one - but if Windows doesn't already have hooks for things like this, it might not be practical for Mozilla to add a happy little dialog. There might be a way to query the system about what it *would* do it if we happened to pass it an unreal:// url, then prompt the user to see if that's what they really want to happen, but I bet that's exploitable also ("What's this rundll thing? Oh, the line says 'free porn'! I'll click yes")

I'd agree that more security = better (and more convenience = better too - the trick lies in balancing the two), but just saying "we should use a whitelist" leaves so much undecided that it's almost useless.

Webpage should highlight the patch more

[klui]

It's really not obvious when you go to Mozilla.org that there's a patch available. It should be on the right-hand-side instead of down in the middle of the page on the left-hand side. Also, mozilla.org/products/firefox doesn't tell you there's a patch available!! Hopefully, my email to its webmaster will help fix this soon.

No problem for that other alternative browser...

[Rits]

Opera long ago decided to *not* pass on any protocol or scheme to the operating system, except for a few well defined cases (ftp, telnet, mailto). Users of Opera 7 can add specific protocols/schemes manually in the prefs if they want.

Lesson of today: there is always a danger in presenting yourself as 'the save alternative'. Proper engineering can reduce risks, but there are never garantees. Not that this example was especially worrying imho: you'd still have to be tricked to visit a specific website that plans to harm you. Not that likely unless you to tend to visit the bowels of the web...

Damn straight it's a bug in Windows!

[argent]

Not only that, but it's a known (almost) ten year old bug in Windows - the use of the same set of handlers for local and remote services - and one I've been trying to tell people about for that long.

Mozilla and Firefox should NOT be using this functionality, they should be doing ALL their own URL parsing and handling on Windows, Linux, Mac OS X, and so on, because they can *not* depend on the native OS to do security right.

Even Apple doesn't do it right (see how they 'fixed' the help: problem), and Microsoft has refused to fix it on their side even under threat of judicial dismemberment.

From the article:

Is this really a security hole? When Mozilla receives a shell: request, it passes it on to an external handler in Windows. The "fix" for this is to disable this functionality which, as far as I can tell, is totally unnecessary to begin with. External handlers -- programs outside Mozilla -- have no specific security model, so the only way to deal with them is to make individual exceptions like this one. Messy? Yes. But that's Windows.

The only way to deal with this is ONLY use external handlers you know are safe, rather than using all but the handlers you know have holes in them. Anything else is just following Microsoft's lead into a decade of virus-mania.

This IS 100% Mozilla's fault

[MobyDisk]

...Is this really a security hole? When Mozilla receives a shell: request, it passes it on to an external handler in Windows. The "fix" for this is to disable this functionality...

I am shocked that everyone here is sticking on Mozilla's side. I love Mozilla, and have used it since the beta versions. I install it on mom & pop computers all the time for security. But this is definitely Mozilla's fault. Mozilla should not pass unknown protocols to explorer. IMHO, that defeats the purpose of Mozilla. That would be like coding Mozilla to pass ActiveX controls to Internet Explorer since it doesn't support them.

I treat Mozilla as a standalone app, and I consider that an advantage. I'm not vulnerable to scripting exploits, MS Office exploits, etc. But now I am told it passes some work to Explorer. I consider that a bug. I don't want it to pass everything except shell: to IE. I want it to pass nothing to IE.

How can I disable all external protocols

[MichaelCrawford]

Having looked over the relevant bug reports, I'm extremely uncomfortable allowing mozilla to use ANY external protocols.

Is there some way I can disable them all?

Re:Just to be fair...

[daeley]

Erm, the exploit is fixed. I hate hypocrisy as much as the next person, but RTFP.

Re:Just to be fair...

[plj]

Yeah. But where is the auto-update feature for Firefox á la Windows XP, OS X, YAST or Up2date?

Last weekend, I converted three people from IE6 to Moz FF 0.9.1, based on the facts that it's more secure than IE. And now I'm reading that it has a critical issue (whether it is a bug or not, but it is an issue). How to get their machines pached without my intervention? Where is that big red bouncing icon that appears when starting FF, which says that "you need to install this/these updates immediately to keep your machine secure"?

Hello, FF developers! Critical FF updates are not found on windowsupdate.microsoft.com! [microsoft.com] Where is your own auto-update feature?

Re:Just to be fair...

[Kelson]

But where is the auto-update feature for Firefox á la Windows XP, OS X, YAST or Up2date?

Tools -> Options -> Advanced -> Software Update.

To check manually: Tools -> Extensions -> Update.

It's not perfect yet, but remember, it's still 0.9.x, not 1.0.

(Wait, you did want an answer, right?)

Re:Just to be fair...

[Carnildo]

Strictly speaking, it's not an exploit in Mozilla/Firefox. It's a hole that can be used to access exploits in other software -- basically, it can turn what was a local exploit into a remote one.

Re:bias

[bad_fx]

Seriously, what are you saying? That that statement isn't true?

Um, Seriously, if you think that's not true, you need to get your head examined - of course people are much less likely to target these vulnerabilities, because a much larger percentage of people currently use IE than firefox, not to mention that those who do use firefox are more likely to be at least slightly more savvy web users that their IE using conterparts. Hence there is less insentive for those with malicious intentions to target firefox (for now at least.)

So, how is the truth bias?

Re:bias

[azadam]

"A serious security flaw has been found. But don't worry, it's no big deal!"

It's just frustrating to hear people whine about security via lower market share, but then excuse serious flaws using that logic when it's convenient.

I don't, however, refute the point. I'm just of the camp that would prefer stories to at least feign subjectivity, and leave the opinion for the comments.

Re:Next!

[Carnildo]

Well, for all those who are browser-shopping, FireFox gets marked off the list of contenders. Who's next?

NCSA Mosaic?

No, it doesn't.

[SHEENmaster]

There are no known exploitations of this in the wild, so it in no way shows that attackers are going for the common denominator of Mozilla installations.

Also note that this is a problem with Windows URI Handler rather than Mozilla. Mozilla passes any protocol it doesn't understand to Windows, and Windows uses it to execute a local file. That's why this problem doesn't exist in anything but Windows.

This just goes to show that Microsoft makes insecure software, and that insecurity often bleeds into ot

Re:Two beefs...

[hkfczrqj]

I don't like that the entire package had to be updated

I don't like that either. Nor the mozilla devs. So they posted a patch via an extension [mozilla.org] to be applied to ff, tb and seamonkey.

Cheers...

Re:Congratulations

[Jane_Dozey]

Please point out the hypocrasy.
I don't hear the OSS community pretending their software has no bugs or holes.

Re:Firefox pass unknown protocol handlers to the O

[rjstanford]

Is it still security hole in Mozilla????

Yup. Because Mozilla, as a local application, has a much higher set of privs than a remote website does. This is basically taking code (high-level instructions, but code) from a known insecure zone and telling the OS to run it without any built-in safeguards. And what do you know: we have an exploit.

Here's a fun example of how IE gets it right. Take the URI file:///c:/windows/system32/mspaint.exe from another example on this discussion. Type that into start/run on a Windows box - it works. Type it into the Address bar of IE - it works. Toss it into a webpage on the local machine and click on it - it works. Toss that webpage onto a remote server and click on it - it doesn't work any more. Different behaviors for different levels of trust. Mozilla defeats this by passing things to the shell with the same level of trust as the user has given it, the local program, which includes the (necessary) ability to mess with the filesystem.

Re:What moron put in "shell:"?

[CTho9305]

RTFBug. Since MS decided programs should be able to register protocol handlers (e.g. irc://, telnet://), Mozilla behaves like a good little windows program, and passes any unknown protocols (shell://, vbscript://) to the OS. It's a flaw in the whole setup that windows uses here, and MS changed the behavior for XP SP2.

Re:Shellblock XPI...

[Wanderer2]

How can I check it is installed?

Try this page: test page [mccanless.us]

After I installed the patch (without restarting Mozilla), all four example links were available to click on. Clicking on the fourth link, marked "Clicking this could crash your system!!!" did cause Mozilla to go crazy. It kept opening new windows stupidly fast until it crashed.

After it died, I restarted it and went back to the page - now three of the links are completely disabled (I can't even highlight them), and the link that does work (the one with the example iframe exploit) has no malicious effect - the iframe no longer shows the Windows tip but is empty instead.

So my version of Moz clearly wasn't fixed until it had been restarted.

Re:I knew it!!!

[TrancePhreak]

Avant Browser [avantbrowser.com] and MyIE 2 [myie2.com] are both programs that make use of IE for displaying and both contain tabbed browsing.

Re:Where's the patch for 2000?

[Lanzaa]

for FireFox:
1. type "about:config" in your url bar
2. Find "network.protocol-handler.external.shell"
3. Change value to false

Thats all that you need to do to fix it.

Re:Mozilla VS IE

[smash]

If you RTFA, you'll notice that the problem is with Windows explorer - Firefox is simply passing links handled by explorer.exe to windows.

Also, if you RTFA, you'd realise this was supposed to have been fixed in a Windows service pack, but isn't.

So yes, I blame microsoft :)

Problem doesn't exist on any other OS running firefox...

smash.