Updating Firefox is really becoming a trend. Just a month after the last update, there is a new security issue with Mozilla’s Firefox browser. Squashing browser bugs is a tedious chore for Mozilla’s developers, so kudos for their quick response.
The latest update fixes various security holes and patches the popular memory corruption bugs. With this release, Mozilla has also dropped all support for Firefox version 1.5.0.x, so any user on an older version is encouraged to update their browser.

Known Vulnerabilities List by MFSA
- MFSA 2007-36 URIs with invalid %-encoding mishandled by Windows
- MFSA 2007-35 XPCNativeWrapper pollution using Script object
- MFSA 2007-34 Possible file stealing through sftp protocol
- MFSA 2007-33 XUL pages can hide the window titlebar
- MFSA 2007-32 File input focus stealing vulnerability
- MFSA 2007-31 Browser digest authentication request splitting
- MFSA 2007-30 onUnload Tailgating
- MFSA 2007-29 Crashes with evidence of memory corruption (rv:1.8.1.8)
URI Protocol Abuse
Last month Billy Rios, Nate McFeters and Raghav “the Pope” Dube discovered an exploit for remote command execution in Firefox through the URI protocol handler.
Excerpt from Billy Rios’s blog:
Once again, these URI payloads can be passed by the mailto, nntp, news, and snews URIs, allowing us to pass the payload without any user interaction. So, it seems that although the conditions which allowed for remote command execution in Firefox 2.0.0.5 have been addressed with a security patch, the underlying file type handling issues which are truly the heart of the issue have NOT been addressed.
You can read more on this issue at Billy Rios’s blog - Firefox File Handling Woes.
What the hell is XPCNativeWrapper pollution?
Bugzilla titles can be damn confusing. MFSA 2007-35 - “XPCNativeWrapper pollution using Script object” - it’s the same vulnerability from the previous update, Firefox 2.0.0.5. ATM Mozilla has closed (I removed the link, 404) all information regarding this issue (it turns out all the past references return 404 :( ). So I had to dig down further on ISS X-Force and CVE to get more info regarding this exploit.
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by an unspecified error related to the handling of XPCNativeWrapper. An attacker could exploit this vulnerability to execute arbitrary code on the affected system or cause a denial of service, if the attacker could persuade a victim to visit a malicious Web page or open a malicious HTML email.
I think this is the most important issue for the new release, because every search on Mozilla turns out 404 and private. I hope somebody can explain this further.
Pref setup to prevent malicious URI exploit
I found this code snippet from one of the regular commenters at Billy Rios’s blog. You might need to head over to the Mozilla prefs guide before applying the hacks below.
Firefox preferences settings (prefs.js)
These settings make Firefox show a confirmation box before opening external third-party applications (e.g. Thunderbird, Outlook), so you can prevent any program from being launched without permission. Example: mailto links (e.g. billgates@microsoft.com).
// Ask before handing these schemes to an external application.
user_pref("network.protocol-handler.warn-external.mailto", true);
user_pref("network.protocol-handler.warn-external.news", true);
user_pref("network.protocol-handler.warn-external.nntp", true);
user_pref("network.protocol-handler.warn-external.snews", true);
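An added example (not from the original post or the commenter it quotes): a small Python check that reads the text of a prefs file and reports, for each of the four schemes above, whether its warn-external preference is set to true. The function name audit_prefs, the status labels and the sample text are assumptions constructed for illustration; it also flags lines pasted with curly quotes, which are not valid pref syntax.

```python
import re

# The four schemes the post names as payload carriers.
SCHEMES = ("mailto", "news", "nntp", "snews")
PREFIX = "network.protocol-handler.warn-external."

# user_pref("name", value); the quote class also accepts curly quotes so that
# lines pasted from a web page are reported instead of going unnoticed.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*(?P<q>["\u201c\u201d])(?P<name>[^"\u201c\u201d]+)'
    r'["\u201c\u201d]\s*,\s*(?P<value>[^)]*?)\s*\)\s*;', re.MULTILINE)


def audit_prefs(text):
    """Return {scheme: status}: ok, disabled, malformed or missing."""
    status = {scheme: "missing" for scheme in SCHEMES}
    for m in PREF_RE.finditer(text):
        name = m.group("name")
        if not name.startswith(PREFIX):
            continue
        scheme = name[len(PREFIX):]
        if scheme not in status:
            continue
        if m.group("q") != '"':
            status[scheme] = "malformed"   # curly quotes: not valid pref syntax
        elif m.group("value") == "true":
            status[scheme] = "ok"          # a later line overrides an earlier one
        else:
            status[scheme] = "disabled"
    return status


# Constructed sample, not taken from a real profile.
SAMPLE = '''\
// constructed example prefs
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.protocol-handler.warn-external.mailto", true);
user_pref("network.protocol-handler.warn-external.news", false);
user_pref(\u201dnetwork.protocol-handler.warn-external.nntp\u201d, true);
'''

if __name__ == "__main__":
    for scheme, state in audit_prefs(SAMPLE).items():
        print(f"{scheme:7} {state}")
```

Any scheme reported as anything other than ok will not trigger the confirmation box described above.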
Simon says, Both Are Guilty
It seems Mozilla’s Firefox is just as guilty as Microsoft of passing dangerous data to third-party applications. Firefox should have its own registered URL handler & DDE instead of relying on Microsoft’s.
Same with Apple (QuickTime pwns Firefox).

One Response to “Mozilla Firefox 2.0.0.8 Critical Update - Windows Pwn Firefox”