Mozilla Admits Firefox Exploit Caused by Firefox Bug, Not IE

On July 10, engineers at Secunia issued a security advisory, rated "Highly Critical," warning Firefox users that their browser could be tricked into executing arbitrary JavaScript code. Soon afterward, Mozilla developers issued a statement saying the problem was caused by Internet Explorer, which could trick Firefox into executing that code. This morning, Mozilla security chief Window Snyder had to issue a retraction, stating Firefox could just as easily trick Firefox into doing the same thing.

The problem was first discovered by security engineer Thor Larholm, who gained recognition last month for having discovered a security hole in Apple's Safari for Windows pre-release two hours after having first obtained it. This time, Larholm reported his discovery as an "Internet Explorer 0day Exploit," by virtue of the fact that IE was the attack vector he originally discovered.

Specifically, the problem concerns the fact that Firefox registers the firefoxurl:// resource identifier, whose handler is capable of running JavaScript code intentionally embedded in a URI that uses that identifier. On the day Secunia publicly reported Larholm's discovery, Mozilla took steps to allay users' fears, posting on its security blog, "It is important to note that if you are using Firefox to browse the web you *are not* vulnerable to this attack."

Later that day, information security expert Jesper Johansson wrote that although he could not get Larholm's exploit to behave exactly as he described, he could eliminate any possibility of the exploit altogether simply by unregistering Mozilla's own handlers from the command line. The direct implication there was that Firefox was not vulnerable because Firefox was responsible.

Meanwhile, Mozilla's security blog repeated a Microsoft spokesperson's comment that it would not be issuing a patch for the exploit.

On July 18, Mozilla released Firefox 2.0.0.5, ostensibly to manage the problem of Firefox receiving maliciously crafted URIs from IE. On her security blog that day, Mozilla's Snyder commented, "This patch for Firefox prevents Firefox from accepting bad data from Internet Explorer. It does not fix the critical vulnerability in Internet Explorer. Microsoft needs to patch Internet Explorer, but at last check, they were not planning to."

That comment prompted Johannson - a former security program manager at Microsoft - to issue this retort two days later: "Well Window, those who sit in a glass house should not be throwing stones." He then demonstrated that Firefox might not be susceptible to this problem at all if it followed the standard for URIs, which mandates that quotation marks - a critical character in JavaScript code, especially to demarcate filenames - must be filtered out.

"Following Mozilla's, and Thor Larholm's logic," Johansson wrote, "Firefox is subject to the exact same flaw that they blame on IE! Firefox also does not escape quotes in URLs before it passes them on to protocol handlers. I won't speculate here on why they failed to fix that 'flaw' in the new version of Firefox that was just released."

This morning, Snyder was forced to concede the point. "We thought this was just a problem with IE," she wrote. "It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in 2.0.0.5. We believe that defense in depth is the best way to protect people, so we're investigating it now."

30 Responses to Mozilla Admits Firefox Exploit Caused by Firefox Bug, Not IE

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.