The Truth Behind the IE-Firefox Exploit

With news of a cross-browser exploit emerging this week, security researchers have been debating whether to point the finger at Microsoft and its Internet Explorer browser or Mozilla and the Firefox browser. Secunia CTO Thomas Kristensen is now saying that researcher Thor Larholm is incorrect in his assessment that Firefox is not to blame.

Before the sun set on Microsoft's Patch Tuesday this month, security firm Secunia discovered a vulnerability in Firefox that malicious hackers could exploit to compromise a user's system. Here's the catch: Exploiting the bug depends on interaction between Mozilla's browser and Microsoft's Internet Explorer.

While security researchers did plenty of finger-pointing earlier in the week -- with some saying Microsoft is to blame and others holding Mozilla responsible -- the issue has yet to be resolved.

Secunia said the Firefox flaw should be ranked alongside Microsoft's July patches in terms of priority. Why the urgency? The Firefox flaw represents an active zero-day exploit, according to Paul Zimski, senior director of market strategy for PatchLink, a provider of vulnerability-management solutions. The good news, he said, is that the risk is limited to those who have Firefox or later installed.

Anatomy of Cross-Browser Bug

The root of the matter is a Firefox uniform resource identifier (URI) handler that allows Web sites to force Firefox to launch through the "firefoxurl://" URI, Secunia reported. Because of the way Firefox registers the URI handler, any parameter is passed from IE (or another application) to Firefox when the "firefoxurl://" URI is activated.

Due to the implementation of the "chrome" parameter, it is possible to inject code that would be executed within Firefox, said Thomas Kristensen, CTO of Secunia.

"Running JavaScript in 'chrome' context within Firefox is essentially the same as executing arbitrary code and allows an attacker to take any actions on the local system with the same privileges as the active user," Kristensen explained. "Registering a URI handler must be done with care, since Windows does not have any proper way of knowing what kind of input potentially could be dangerous for an application."

Improper use of URI handlers and parameters supplied via URIs has historically caused problems for many vendors, including Microsoft, Apple, Mozilla, certain Linux projects, and Opera. But the blame in this case falls squarely on the shoulders of Firefox, Kristensen insisted. Mozilla has publicly announced it is working on a fix.
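The sketch below is an added illustration of the general handler-parameter problem described above, not code from Secunia, Mozilla or this article. It assumes a handler command template that substitutes the URI verbatim for "%1"; the "exampleurl://" scheme, the application path and the "-url" and "-probe" switches are hypothetical, and the command-line splitter is a deliberate simplification of Windows parsing.

```python
from urllib.parse import quote

# Constructed handler command template, in the style of a Windows
# shell\open\command value. The application and its -url switch are hypothetical.
TEMPLATE = r'"C:\Program Files\ExampleApp\app.exe" -url "%1"'

def split_args(cmdline):
    """Simplified Windows-style split: whitespace separates arguments,
    double quotes group them. Backslash escaping is deliberately ignored."""
    args, cur, in_quotes, started = [], "", False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append(cur)
            cur, started = "", False
        else:
            cur += ch
            started = True
    if started:
        args.append(cur)
    return args

def launch_args(template, uri, encode=False):
    """Arguments the handler application receives for a given URI.
    With encode=True the caller percent-encodes characters that are
    unsafe on a command line (quotes, spaces) before substitution."""
    if encode:
        uri = quote(uri, safe=":/?&=#%")
    return split_args(template.replace("%1", uri))[1:]

def injects_arguments(template, encode=False):
    """True if a URI containing a double quote yields extra arguments
    compared with a benign URI passed through the same template."""
    benign = launch_args(template, "exampleurl://page", encode)
    probe = launch_args(template, 'exampleurl://page" -probe "x', encode)
    return len(probe) > len(benign)

if __name__ == "__main__":
    print("verbatim substitution:", injects_arguments(TEMPLATE))
    print("encoded by caller:    ", injects_arguments(TEMPLATE, encode=True))
```

The same check can be run over any handler command template to see whether the receiving application also has to validate its own arguments, which is the care Kristensen says registration requires.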


