But Internet Explorer and Firefox have to combine in order to brew the flaw

Jul 12, 2007 08:18 GMT

Internet Explorer 7, Firefox 2.0 and Safari 3.0 share similar security vulnerabilities on Windows Vista. Still, Microsoft's latest operating system is by no means the only platform affected by the flaws associated with the three browsers. The affected operating systems also include Windows 2000, Windows 98, Windows ME, Windows Server 2003 and Windows XP. Security researcher Thor Larholm first pointed out an input validation vulnerability in Safari 3.0 following the release of Apple's browser for 32-bit and 64-bit Windows XP and Windows Vista on June 11. He has now shown that the same type of flaw resides within Internet Explorer 7 and Firefox 2.0.

However, Larholm stressed that Vista users are vulnerable only if they have both Internet Explorer 7 and Firefox 2.0 installed on the same machine. The zero-day vulnerability arises only from the combination of IE7 and Firefox 2.0, and has been dubbed the Microsoft Internet Explorer FirefoxURL Protocol Handler Command Injection vulnerability. In this context, the zero-day is an example of the worst of both worlds...

"There is an input validation flaw in Internet Explorer that allows you to specify arbitrary arguments to the process responsible for handling URL protocols. When Firefox is installed it registers a URL protocol handler called “FirefoxURL”. When Internet Explorer encounters a reference to content inside the FirefoxURL URL scheme it calls ShellExecute with the EXE image path and passes the entire request URI without any input validation," Larholm said.

However, because both browsers are involved in the attack, there is some controversy over which of the applications is at fault. Microsoft, for example, revealed that it does not plan to issue a security update. In contrast, Mozilla announced that it would patch the Firefox vulnerability with version 2.0.0.5, although using the open source browser does not expose users to risks from this issue. Only the combination of IE7 and Firefox 2.0 enables attacks, although Internet Explorer 6 has also been reported as vulnerable.
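
The flaw Larholm describes above, together with the caller-side escaping that would prevent it, can be modelled in a few lines. This is an added example, not code from the article or from either browser: the handler command template, the `-extra-switch` placeholder argument and the simplified argument splitter are assumptions made for illustration.

```python
"""Model of protocol-handler argument injection (added example, simplified)."""
from urllib.parse import quote

# Assumed handler command template; "%1" is replaced by the request URI.
# The path and the -url switch are illustrative, not taken from the article.
TEMPLATE = r'"C:\Program Files\Browser\browser.exe" -url "%1"'

def split_args(cmdline):
    """Simplified Windows-style splitting: whitespace separates arguments,
    a double quote toggles quoted mode (backslash escapes are ignored)."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in ' \t' and not in_quotes:
            if started:
                args.append(''.join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append(''.join(cur))
    return args

def launch_unsafe(uri):
    """What the article describes: the URI is pasted in with no validation."""
    return split_args(TEMPLATE.replace('%1', uri))

def launch_safe(uri):
    """Caller-side fix: percent-encode everything outside the URI character
    set, which includes the double quote and the space."""
    encoded = quote(uri, safe=":/?#[]@!$&'()*+,;=%-._~")
    return split_args(TEMPLATE.replace('%1', encoded))

def changes_argv(uri):
    """Detection check: does this URI alter the handler's argument count?"""
    return len(launch_unsafe(uri)) != len(launch_unsafe('scheme:x'))

# Constructed inputs; -extra-switch is a harmless placeholder argument.
BENIGN = 'firefoxurl://example.test/page'
CRAFTED = 'firefoxurl://example.test/" -extra-switch "value'
```

With the unescaped substitution, the quote in `CRAFTED` closes the URL argument early and the handler receives five arguments instead of three; after percent-encoding, the whole URI stays inside the single quoted argument.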

"Firefox is the current attack vector but Internet Explorer is to blame for not escaping characters when passing on the input to the command line. I agree that Firefox could have registered its URL handler with pure DDE instead and thereby have avoided the possibility of a command line argument injection, but IE should still be able to safely launch external applications safely," Larholm explained.