Wednesday, July 11, 2007

Cross-Browser Command Injection Vulnerability

How many Firefox users disable, remove or entirely stop using IE once they install Firefox?

A new vulnerability has been discovered that allows IE to call Firefox and pass parameters that could compromise a user's system and allow a remote attacker to take complete control of the computer. As of this writing, there is no official fix from either Microsoft or the Mozilla group. After an initial flurry of finger-pointing, this looks to be the fault of BOTH organizations: IE for not validating calls to external URIs, and Firefox for using a registered handler method that is outdated and known to be insecure.

If you have Firefox installed, then you are probably safe if you only use Firefox and if you set Firefox to be your default browser. You can also de-register the handler that IE uses to call Firefox.

If you don't have Firefox installed, you are immune to this particular attack.

Standard warnings and disclaimers apply if you edit your registry manually! Do so at your own risk. If you are not comfortable with the process, then wait for an official patch and browse cautiously.

Find and back up (export), then delete the FirefoxURL "command" reg key and its default value at:

The default value will look something like (depending on your Firefox install location):
@="C:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE -url \"%1\" -requestPending"

Reboot . . .

Note that if you update Firefox this reg key may be re-written - which is fine if that update includes a future as-yet-to-be-released patch for this problem.
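To illustrate the parameter-passing problem described above, here is an added example (not from the original post or from either vendor) that models verbatim substitution of a URL into the handler command shown in the workaround and checks whether the URL stays a single argument. The sample URLs, the `-extraArgument` placeholder (not a real Firefox option) and all function names are constructed for illustration, and the argument splitter is a simplification of Windows command-line parsing.

```python
# Handler command as shown on this page (registry escaping removed).
HANDLER_TEMPLATE = r'C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" -requestPending'


def expand(template, url):
    """Substitute the URL for %1 verbatim, with no escaping by the caller."""
    return template.replace("%1", url)


def split_args(cmdline):
    """Simplified splitter: whitespace separates arguments unless quoted.

    Assumption: backslash-escape rules of real Windows parsing are ignored.
    """
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args


def stays_single_argument(template, url):
    """True only if the URL arrives as exactly one argument, unchanged."""
    baseline = split_args(expand(template, "x"))
    actual = split_args(expand(template, url))
    return len(actual) == len(baseline) and actual[baseline.index("x")] == url


def encode_for_handler(url):
    """Percent-encode the characters that can end the quoted %1 argument."""
    return "".join("%%%02X" % ord(c) if c in '" \t' else c for c in url)


# Constructed sample inputs.
BENIGN = "firefoxurl://example.test/page"
CRAFTED = 'firefoxurl://example.test/" -extraArgument "value'

if __name__ == "__main__":
    for u in (BENIGN, CRAFTED, encode_for_handler(CRAFTED)):
        print(stays_single_argument(HANDLER_TEMPLATE, u), split_args(expand(HANDLER_TEMPLATE, u)))
```

The crafted URL fails the check because its embedded quote closes the `"%1"` argument early; the same URL passes once the quote and spaces are percent-encoded, which is the validation the calling application is expected to perform.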

Details about the vulnerability may be found at:
(Including a "safe" test to see if you are vulnerable - good to use after you implement the reg-key workaround above.)

Edit: Workaround no longer needed. Get patched instead with the new version of Firefox: