Network Computing is part of the Informa Tech Division of Informa PLC

Pointing fingers

Momma always said every time you point a finger, three more are pointing back at you. Well, there was a lot of finger pointing going on the last few weeks between IE and Firefox over a vulnerability in URL handlers, and a recent twist continues to stir things up.
First, when the Safari beta came out, Thor Larholm discovered you could use it to send unescaped data to Firefox's registered URL handler if it was installed. Apple fixed the behavior in Safari, and the world moved on.

Then it was pointed out that IE was also prone to sending unescaped data to Firefox, and this could in turn be used to force Firefox to run any system command or take any action on the local machine just by visiting a page in IE. Here's where the finger pointing begins.

IE claims it's not a bug in IE and that Firefox needs to be more careful about the input it accepts. Firefox contends that it's IE's job to sanitize the data, since IE accepted it from the webpage and there's no way for Firefox to distinguish between that data and data from another local program using the URL handler.

In the end, Firefox fixed the vulnerability in their 2.0.0.5 release by modifying their registered handler so that it is immune to this style of attack, but they still point fingers at IE, since many other applications are similarly vulnerable if they register URL handlers, so users remain exposed to the entire class of vulnerabilities.

Remember what momma said about pointing? It turns out Firefox is equally vulnerable and could be used itself for a nearly identical attack, not requiring IE this time. In all fairness, the Firefox team did fix the issue in the as-of-yet-unreleased 2.0.0.6. Which is a good thing, because that fix happens to mitigate the attack found in the next episode of this little browser wars soap opera.