Typically, Microsoft-based zero-day flaws are disclosed the day after Patch Tuesday. This month, however, claims are circulating about a new one on the very day of Microsoft’s July patch release. But opinions are mixed on whether this is really a problem for Internet Explorer or Mozilla Firefox.
Researchers Billy (BK) Rios, Nate Mcfeters, Raghav “the Pope” Dube and Thor Larholm are all reporting an issue affecting one or both browsers.
Larholm had this to say in his blog:
“There is an input validation flaw in Internet Explorer that allows you to specify arbitrary arguments to the process responsible for handling URL protocols. This is the same type of input validation vulnerability that I discovered in the Safari 3 beta (see Safari for Windows, 0day exploit in 2 hours). When Firefox is installed it registers a URL protocol handler called FirefoxURL. When Internet Explorer encounters a reference to content inside the FirefoxURL URL scheme it calls ShellExecute with the EXE image path and passes the entire request URI without any input validation.”
Exploiting the issue would permit a remote attacker to influence command options that can be called through the ‘FirefoxURL’ handler and therefore execute commands and script code with the privileges of a user running the applications, Symantec adds.
In an email to SearchSecurity.com, Secunia CTO Thomas Kristensen said his firm tested the flaw and found that it’s a problem for Firefox and not Internet Explorer.
“Since Firefox 18.104.22.168, a new URI handler was registered on Windows systems to allow Web sites to force launching Firefox if the “firefoxurl://” URI was called (like ftp://, http://, or similar would call other applications),” he wrote. “However, the way in which the URI handler was registered by Firefox causes any parameter to be passed from IE (or another application) to Firefox when firefoxurl:// is activated. Due to the implementation of the “-chrome” parameter, it became possible to inject code that would be executed within Firefox.”
That’s a lot of technical detail, but the simple thing for users to remember is that they shouldn’t browse untrusted Web sites.