This morning, Firefox 2.0 users were automatically notified of the availability of version 126.96.36.199, with the promise that this time around, a critical vulnerability concerning how the browser tries to parse malformed resource identifiers, is fixed for good.
In its security advisory this morning, Mozilla credited Windows security expert Jesper Johansson for articulating the original problem, which has hopefully led to this final solution.
“Jesper Johansson pointed out that Mozilla did not percent-encode spaces and double-quotes in URIs handed off to external programs for handling,” the advisory reads, “which can cause the receiving program to mistakenly interpret a single URI as multiple arguments. The danger depends on the arguments supported by the specific receiving program, though at the very least we know Firefox (and Thunderbird) 188.8.131.52 and older could be used to run arbitrary script.”
While Mozilla’s admission was arguably gracious and sincere, there’s a rational debate in the developer community over whether the real problem was caused by either major brand of Web browser — Firefox or Internet Explorer — or rather by the underlying Windows operating system which passes on the malformed argument in the first place.
Yesterday, the US-CERT bureau of the Dept. of Homeland Security indicated that Microsoft’s handling of the ShellExecute() API function, which was changed in systems where IE7 is installed, may be the true culprit. The implication there is that a danger may continue to exist so long as that critical function can pass non-standard parameters to programs it’s trying to launch, such as Web browsers.
The advisory then credits VeriSign security consultants Billy Rios and Nate McFeders for discovering that, when Firefox received a ShellExecute() call to the mailto:// URI identifier that included an officially disallowed null (%00) parameter, rather than launch the default mail client, Firefox would launch whatever application was responsible for the filename extension at the end of the URI.
Starting with version 184.108.40.206, Firefox will no longer launch external protocol handler applications without first asking the user. In the event that the site placing the external launch call isn’t trusted, it won’t launch any programs at all.
The exception is for the mailto:// protocol, where Firefox will launch the preferred mail client without asking the user. The advisory gives users a workaround, which involves editing the program’s about:config page, for having Firefox ask the user before launching the mail client.
Mozilla, Firefox, Protocol Handling Bug, URI Handling Bug, Security, Vulnerability, Bug, Flaw, Fix, Patch