Critical flaw found in Firefox 2.0.0.4

Security research firm Secunia has uncovered a security flaw in the latest version of Firefox (2.0.0.4) that it labels “highly critical.” The flaw can reportedly be exploited by malicious users in order to compromise a victim’s machine. Secunia describes the flaw as follows:

The problem is that Firefox registers the “firefoxurl://” URI handler and allows invoking firefox with arbitrary command line arguments. Using e.g. the “-chrome” parameter it is possible to execute arbitrary Javascript in chrome context. This can be exploited to execute arbitrary commands e.g. when a user visits a malicious web site using Microsoft Internet Explorer.

Secunia says it confirmed the vulnerability’s presence in Firefox 2.0.0.4 on Windows XP Service Pack 2, and that “other versions may also be affected.” Aside from simply avoiding malicious websites, Secunia CTO Thomas Kristensen tells CNet that system administrators can get around the hole by un-registering or removing the Firefox URI handler. Neither Kristensen nor CNet provides instructions for that procedure, however.
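An added example (not from the article, Secunia or Mozilla): the PowerShell below lists every URL protocol handler registered on a Windows host together with the command line it launches, which is the information an administrator needs before un-registering the firefoxurl handler as Kristensen suggests. It assumes the standard per-machine registration under HKEY_CLASSES_ROOT\<scheme>, marked by a value named "URL Protocol"; the key name firefoxurl is taken from the scheme in Secunia's description.

```powershell
# Added audit example; not part of the article or of Firefox itself.
# Enumerates URL protocol handlers under HKEY_CLASSES_ROOT (the standard
# per-machine location, assumed here) and the command Windows runs for each,
# so an administrator can review the firefoxurl handler before removing it.
$hkcr = 'Registry::HKEY_CLASSES_ROOT'

function Get-UrlProtocolHandler {
    Get-ChildItem -Path $hkcr -ErrorAction SilentlyContinue |
        # A scheme key is marked by a (usually empty) value named "URL Protocol".
        Where-Object { $null -ne $_.GetValue('URL Protocol') } |
        ForEach-Object {
            $cmdKey = Join-Path -Path $_.PSPath -ChildPath 'shell\open\command'
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Scheme  = $_.PSChildName   # e.g. firefoxurl
                Command = $cmd             # template with %1 for the full URL
            }
        }
}

# Review every handler; the firefoxurl entry appears if Firefox registered it.
Get-UrlProtocolHandler | Format-Table -AutoSize

# Mitigation from the article: un-register the handler. -WhatIf only reports
# what would be deleted; drop it to apply (needs an elevated shell).
Remove-Item -Path "$hkcr\firefoxurl" -Recurse -WhatIf
```

Listing the whole of HKEY_CLASSES_ROOT takes a moment on a busy host; the command template shown is what receives the URL text, which is why the article's mitigation is to remove the handler rather than adjust it.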

Comments closed
    • sigher
    • 14 years ago

    Analogy: Imagine you were a passenger on the titanic, it just sank and you are in the cold water, there are 2 life rafts near you, one is empty and one is commanded by the captain of the titanic, which one would you pick? The captain waves “come over here I’ll keep you safe”

      • Shark
      • 14 years ago

      I don’t get it.

        • sigher
        • 14 years ago

        HALP A SHARK!

    • 2_tyma
    • 14 years ago

    ive noticed hangs in this version? anyone else

    • Fighterpilot
    • 14 years ago

    Fireflop fanboys and XP dinosaurs get pwned.
    Vista+IE7 FTW!

      • Krogoth
      • 14 years ago

      No, fools that run as “Admin”, are not behind a firewall and are exploring questionable websites.

      Vista+IE7 are just about as worthless when you lack firewall protection, run as “Admin” and like to visit questionable

        • ManAtVista
        • 14 years ago

        Visiting a web site with Vista/IE7 with security defaults has never resulted in malware, since no exploit can get out of the sandbox IE7 is run in under Vista, so no, visiting a ‘pron’ site even as admin is not unsafe. Turning off the firewall, well duh, you turn off the firewall and you may get exploited while doing nothing, but the user has to initiate that. That is sort of like saying seatbelts do nothing if you take them off.

    • indeego
    • 14 years ago

    For those running as admin: http://fileforum.betanews.com/detail/Sandboxie/1139521062/1 :)

    • albundy
    • 14 years ago

    I’d rather sleep in the bottom bunk bed while Rosie and her fat friends jump up and down on the top bunk; I’d rather bait crocodiles with my manhood, before i ever use IE again.

    • stmok
    • 14 years ago

    Well, I’ve deliberately run a demo vulnerability with Firefox under Linux.
    => http://larholm.com/vuln/firefoxurl.html I get a popup saying: "Firefox doesn't know how to open this address, because the protocol (firefoxurl) isn't associated with any program." Other than that, nothing happens. This issue specifically requires a Windows system with both Firefox and IE installed. (I don't use Windows so it's a non-issue for me). If you are paranoid or scared, you can just use a Linux LiveCD to do your web surfing until a patch is released.

      • sigher
      • 14 years ago

      I have IE and FF (with addons), when I try the exploit test I get a popup saying ‘an external application has to be opened to handle this request, do you want to launch it?’
      Quite the bug isn’t it, I feel soo insecure.
      Yes, when I try to go to test or dodgy sites with

    • ManAtVista
    • 14 years ago

    Meanwhile, protected mode IE7 on Vista continues to pay dividends with immunity to probably any hack that’ll ever get made.

      • sigher
      • 14 years ago

      “This can be exploited to execute arbitrary commands e.g. when a user visits a malicious web site using Microsoft Internet Explorer.”

      OK now IE flaws are counted as FF flaws then eh, nice job.

      • sigher
      • 14 years ago

      yeah IE7 is safe as houses (in new orleans), they had hotfixes out for IE7 even before it was officially out, and every patchday since.

        • ManAtVista
        • 14 years ago

        Yes, but they cannot be used to access a user’s files or system files when IE7 is run in protected mode on Vista. Try another disingenuous argument if you like, I know computer security.

          • sigher
          • 14 years ago

          You obviously did not read the details of the security flaws found in vista but rely on the auto-update to hide the ugly truth, good for you, that’s what they made it for.

            • ManAtVista
            • 14 years ago

            Yea OK, sigher, why don’t you show me an IE7 exploit that can act outside of the sandbox Vista runs it in.

        • SGT Lindy
        • 14 years ago

        Are you one of those that also states that MS is slow to patch IE???? Compared to FF?

        I read it one way or the other from MS haters.

          • sigher
          • 14 years ago

          I resisted FF a long time, but the viruses IE shoved down my throat became so many I could no longer stomach it, that is when I went FF, where I discovered that yes it had some issues they were at least contained somewhat, I also discovered the plugins, and the plugins are such a gift that I’d call it one of the most rewarding things on computers today.

          Before I went FF I used some rightclick addition for IE that I made myself by manipulating the registry, a process that MS seemed to deliberately hide to help advertisers and the like, MS had a vested interest in helping companies by deliberately reducing functionality since the outset, that isn’t a new thing that only started with vista, they deliberately left holes in XP for advertisers to exploit, I think that’s rather clear and obvious, nobody is THAT incompetent, WMP for instance ran scripts in videos and jumped to embedded URLs in videos, that isn’t a case of ‘oops’, that’s deliberately reducing security for advertisers for as long as possible, and that’s just one example.
          The fact that it took MS such a long time to add popup blocking is also quite telling, by the time they started on that there were already hundreds of popup blockers from 3rd parties available, even graphics card drivers added it to IE, now why do you think it took MS so long? Seems obvious if you have half a brain.
          In short: I pity the foo that trusts MS for his security.

            • sigher
            • 14 years ago

            BTW, I acknowledge that MS took a new road in regards to security when gates stepped down partly, it seems the new model is for MS itself to harvest lots of info on the user and then disseminate it rather than letting 3rd parties do it themselves immediately without going through MS.

    • sativa
    • 14 years ago

    is there a way to unregister it via group policy?

    • Ryu Connor
    • 14 years ago

    Yet another exploit whose impact can be mitigated by not running Admin.

      • 5150
      • 14 years ago

      indeego? 😉

        • indeego
        • 14 years ago

        Even I’m sick of saying it by now. 😉

    • eloj
    • 14 years ago

    Hmm.. when I try to open a firefoxurl://<whatever> the first thing I get is a warning.

    Disabling

    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\URLAssociations

    Didn’t seem to do anything either (maybe cached?), but the location looks more informational than declarative..

    Seems to be based on this: http://sla.ckers.org/forum/read.php?3,12752

    • alphaGulp
    • 14 years ago

    I got infected a few weeks ago by a pop-up ad in Firefox. It has been a huge pain in the butt, since no virus checker has managed to remove it entirely, and only by running with my Active Desktop disabled am I able to disable the virus (otherwise it pops up ads and plays audio ads).

    Anyhow, I’ve been putting off re-installing the OS, since it’s such a pain having to do so, but I am practically certain the infection occurred when that pop-up was displayed in Firefox.

    Hopefully this is the vulnerability those bums took advantage of, and it will be patched soon. I am starting to wonder if I shouldn’t switch to Linux at home…

      • Kent_dieGo
      • 14 years ago

      I seem to remember fixing something similar. Start>Run>regedit and look in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer for something funny and delete.

      Google Smitfraud

        • sigher
        • 14 years ago

        Very helpful NOT

          • eitje
          • 14 years ago

          don’t be rude!

            • sigher
            • 14 years ago

            laughing 🙂

      • DrCR
      • 14 years ago

      Yeah, definitely go Linux at home. Or at least dual boot. I use Linux 80-90% of the time, with that 10-20% in WinXP being basically just gaming. I actually prefer using Linux…even over Mac OS 10.4.9 that came on my new MBP.*

      *if anyone has efi figured out let me know lol.

    • SGT Lindy
    • 14 years ago

    How is that different from IE or Safari?

    They get bugs and based on the urgency they get patched. 50% of MS patches prior to IE7 were IE6 patches.

      • stmok
      • 14 years ago

      I don’t think you understand the issue.

      It’s different because you specifically need IE, Firefox and Windows for this issue to execute. It doesn’t work with Firefox under Linux, BSD or Mac.

      You use Firefox as the attack vector to expose a Windows/IE flaw.

      “Registering the URI handler must be done with care, since Windows does not have any proper way of knowing what kind of input potentially could be dangerous for an application.” This is one of the reasons why I don't use Windows anymore. Its overall security is a joke, as you have to carefully consider its issues when you code up your application. You literally have to work around Windows's issues. To properly resolve this issue (as in stop it from ever happening again), you need a patch from the Firefox team AS WELL AS fixes to Windows/IE. You'll get a fix from Firefox within a week or so, but you won't get much of a response from MS unless they consider it a major problem for them. (That's their criteria for patches... They don't care until it becomes an exploitable issue available on the web).

    • mac_h8r1
    • 14 years ago

    oh n0es w3 are to get t3h f1r3h4x0rz

    • shank15217
    • 14 years ago

    time for 2.0.0.5 anyways, i was getting tired of 2.0.0.4 with its even numbers..

      • nagashi
      • 14 years ago

      2.0.0.4 was so 2004 =/

        • crabjokeman
        • 14 years ago

        Was that a joke? I don’t get it.

        2.0.0.4 just came out on May 30.

      • RyanVM
      • 14 years ago

      And that to me is the best part of Firefox’s security model. Yes, vulnerabilities are going to happen – they’re inevitable with something as complex as this. But I’m willing to bet that we’ll see a 2.0.0.5 build out in the relatively near future which addresses this bug. And thanks to their auto update system, it should be widely patched shortly thereafter.

      FYI, here’s a link to the official bug on the matter.
      https://bugzilla.mozilla.org/show_bug.cgi?id=384384 Note that a fix is already posted and waiting to be reviewed and that the bug is blocking the release of 2.0.0.5 :-)

        • Shark
        • 14 years ago

        Patching is not a security model, unfortunately.

          • Corrado
          • 14 years ago

          What? It’s not the model, it’s how you KEEP things secure. You design your security, and then when BUGS are found, you patch them.

            • Shark
            • 14 years ago

            RyanVM said patching was the best part of the model, please read his post.

            thanks.

            • RyanVM
            • 14 years ago

            You’re right, I misspoke.
