
Internet Explorer - Firefox Cross Browser Vulnerability

Secunia is reporting a cross-browser vulnerability that allows Microsoft Internet Explorer to launch Mozilla Firefox with JavaScript code that in turn executes arbitrary commands.

Security Fix quotes security researcher Thor Larholm, who finds fault with IE:

Meanwhile, security researcher Thor Larholm, who discovered a similar bug in Apple's beta version of its Safari browser for Windows, said the problem is that IE doesn't properly filter out such requests when a user clicks on a specially crafted link.

Larholm goes into more detail in a quote on ZDNet's Zero Day, referring to IE's lack of input validation:

The latter [lack of input validation] can be evidenced by the fact that you can inject arbitrary arguments to a wide range of other URL protocol handler applications, such as irc:// (mIRC), aim:// (AOL Instant Messenger), hcp:// (Windows HelpCenter) and mms:// (Windows Media Player) to name just a few.

This is a generic flaw in Internet Explorer that has been left unpatched since at least 2004.

Secunia sees the vulnerability as a Firefox flaw:

The problem is that Firefox registers the "firefoxurl://" URI handler and allows invoking firefox with arbitrary command line arguments. Using e.g. the "-chrome" parameter it is possible to execute arbitrary Javascript in chrome context. This can be exploited to execute arbitrary commands e.g. when a user visits a malicious web site using Microsoft Internet Explorer.

The vulnerability is confirmed in Firefox version 2.0.0.4 on a fully patched Windows XP SP2. Other versions may also be affected.
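The handler behaviour Secunia describes above comes down to one mistake: the URL the browser receives is spliced into a command line without being checked, so a double quote inside it ends the quoted argument and whatever follows becomes extra arguments. The following Python model is an added illustration, not code from Firefox, Secunia or this post; the handler template, the sample URLs and the use of shlex as a stand-in for Windows argument parsing are all assumptions made for the demonstration. It shows the weak splice beside a hardened version that validates the URL against a character allowlist before it is used.

```python
import re
import shlex

# Constructed handler command template (an assumption for illustration, not the
# real registry value): the launcher substitutes %1 with the URL the browser hands over.
HANDLER_TEMPLATE = 'firefox.exe -url "%1"'

# Allowlist: RFC 3986 unreserved and reserved characters plus '%' for escapes.
# A double quote, whitespace or control character never belongs in a raw URL,
# so its presence means the input is trying to break out of the "%1" slot.
_URL_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")


def build_command_naive(url: str) -> str:
    """Weak behaviour: splice the URL into the template with no validation."""
    return HANDLER_TEMPLATE.replace("%1", url)


def argv_of(command: str) -> list:
    """Approximate how a launcher tokenises a command line into arguments.
    shlex is a stand-in for the Windows parser; the quoting problem is the same."""
    return shlex.split(command)


def injects_arguments(url: str) -> bool:
    """True when splicing this URL yields more than the expected three arguments."""
    return len(argv_of(build_command_naive(url))) != 3


def is_safe_handler_url(url: str) -> bool:
    """Hardened check: scheme must match and every character must be URL-legal."""
    return url.lower().startswith("firefoxurl://") and bool(_URL_CHARS.match(url))


def build_command_safe(url: str) -> str:
    """Validate first; refuse anything that could change the argument vector."""
    if not is_safe_handler_url(url):
        raise ValueError("handler URL contains characters outside the URL allowlist")
    return HANDLER_TEMPLATE.replace("%1", url)


# Constructed sample inputs: a normal link and one carrying a quote to break out.
BENIGN_URL = "firefoxurl://example.com/page"
CRAFTED_URL = 'firefoxurl://example.com" -extra-flag "value'

if __name__ == "__main__":
    for url in (BENIGN_URL, CRAFTED_URL):
        print(url, "->", argv_of(build_command_naive(url)), "safe:", is_safe_handler_url(url))
```

Validation of this kind belongs in the program that builds the command line, which is why both the browser handing the URL over and the handler receiving it have a fix to make.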

It looks like fixes can be made in both Firefox and IE. Mozilla is working on a patch. Microsoft claims this isn't their problem, but since when is an injection flaw not a problem for the program that is exploited?

Injection flaws are number 2 on the Open Web Application Security Project (OWASP) Top 10 List of Web Application Vulnerabilities. Others take the OWASP seriously:

The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency has listed the OWASP Top Ten as key best practices that should be used as part of the DOD Information Technology Security Certification and Accreditation (C&A) Process (DITSCAP).

In the commercial market, the Payment Card Industry (PCI) standard has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. In addition, a broad range of companies and agencies around the globe are also using the OWASP Top Ten.

If Larholm is right and this injection flaw has existed in IE since 2004, Microsoft should just fix it once and for all. This is no time for those living in glass houses to be throwing stones.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net