Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Firefox Quickies

kdawson posted more than 7 years ago | from the three-twisty-little-items-all-different dept.

Mozilla 245

First, Gypsy2012 writes with a highly critical security flaw involving both Firefox 2.0 and Internet Explorer, which could allow a malicious attacker to gain remote control of a user's system. It exploits the "firefoxurl://" URI handler. ... Next, reader dsinc sends word that the beta for Firefox 3 has slipped by 6 weeks. The new target date is September 18 at the earliest. The article wonders whether the final release will slip into 2008. ... Finally, reader jktowns points out new anti-phishing features in the latest nightly build of Firefox 3. One of them was added into the code base by the guy who developed the LocationBar2 extension.

Sorry! There are no comments related to the filter you selected.

Firefox (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19820301)

Only a few more years and it'll be competing directly with IE. It terms of shittyness that is.

Demonstration (5, Informative)

blhack (921171) | more than 7 years ago | (#19820335)

Demonstration

Cmd.exe [firefoxurl]
This should launch cmd.exe....

Notice that you must click that link from internet explorer, firefox will warn you that an external application is being called.

above example taken from here [xs-sniper.com]

Re:Demonstration (5, Funny)

froggero1 (848930) | more than 7 years ago | (#19820371)

Weird, I get an error message:

"Iceweasel doesn't know how to open this address, because the protocol (firefoxurl) isn't associated with any program."

and when I try to open this "ie" program:

"~ $ ie
bash: ie: command not found"

maybe there's something wrong with your operating system?

Re:Demonstration (5, Funny)

Anonymous Coward | more than 7 years ago | (#19820699)

Hey, 1996 called, and they want their snooty, elitist, linux user tude' back.

Re:Demonstration (3, Funny)

stonedcat (80201) | more than 7 years ago | (#19820785)

Brought to you by Microsoft TimePhone98-SE (patent pending).

Re:Demonstration (3, Funny)

Anonymous Coward | more than 7 years ago | (#19821223)

yes and we still have reasons to laugh at windows.

Re:Demonstration (0)

Anonymous Coward | more than 7 years ago | (#19821051)

hmm, so you don't have a program called "ie", so there's a problem with _his_ operating system?

BTW, it's iexplore, not ie ;)

Re:Demonstration (2, Informative)

blhack (921171) | more than 7 years ago | (#19820375)

Correction (something went goofey when i copy and pasted.

this [firefoxurl] ..will launch cmd.exe

If you open this in firefox (as most of you probably are usuing firefox, since this is slashdot), it warns you that something is trying to launch an external application.

once again, the above example was taken from Here [xs-sniper.com]

Re:Demonstration (1)

blhack (921171) | more than 7 years ago | (#19820393)

DARN YOU SLASHDOT!!!!!!!!!!!!!!!

stop stripping my links! >:-O

the link in full txt is THIS:

a href = 'firefoxurl:test" -chrome "javascript:C=Components.classes;I=Components.inte rfaces;file=C[@mozilla.org/file/local;1].createIns tance(I.nsILocalFile);file.initWithPath(C:+String. fromCharCode(92)+String.fromCharCode(92)+Windows+S tring.fromCharCode(92)+String.fromCharCode(92)+Sys tem32+String.fromCharCode(92)+String.fromCharCode( 92)+cmd.exe);process=C[@mozilla.org/process/util;1 ].createInstance(I.nsIProcess);process.init(file); process.run(true%252c{}%252c0);alert(process)

Re:Demonstration (4, Informative)

dwarfsoft (461760) | more than 7 years ago | (#19820787)

Weird. On windows, with Firefox 2.0.0.4, and clicking on the cmd.exe launcher on the page that you linked to (and by creating my own html page) It just opens a blank tab. cmd.exe isn't launched.

Firefox 2.0.0.4 and IE6.

Doesn't even work from IE, just loads a blank tab in firefox. I guess I must be doing it wrong :D

Re:Demonstration (3, Informative)

Frizzle Fry (149026) | more than 7 years ago | (#19821593)

It's only supposed to work if you don't already have firefox open (and then you click the link in IE).

Re:Demonstration (1)

RealGrouchy (943109) | more than 7 years ago | (#19822047)

I take it that /. removed it from the link.

I dunno, I didn't follow the link.

- RG>

Those who ignore history are doomed to.... (1)

martin_henry (1032656) | more than 7 years ago | (#19821341)

curse the slashdot moderators and die.

Re:Demonstration (1)

xXenXx (973576) | more than 7 years ago | (#19820415)

Either your link is broken again, or the Debian team was right for forking (is that what they did?) Ice Weasel.

Doesn't it require IE first? (1, Informative)

khasim (1285) | more than 7 years ago | (#19820437)

From TFA:

The trouble begins when browsing a malicious site while using IE and it registers a "firefoxurl://" URI (uniform resource identifier) handler, which allows the browser to interact with specific resources on the Web.

Sorry, can't try it right now as I'm on Ubuntu (Feisty Fawn). But I'll look into it tomorrow when I get to work.

SOMEONE is a little sensitive. (1, Troll)

khasim (1285) | more than 7 years ago | (#19821655)

Hey, don't get mad at ME if this "Firefox exploit" depends upon IE being insecure.

An application is only as secure as the system it runs on.

I'll stick to Ubuntu where I have a choice.

If that offends you, too bad. Get a life and stop trying to make a religious war out of an OS.

Re:Demonstration (0)

Anonymous Coward | more than 7 years ago | (#19821491)

Odd, it doesn't work for me. I just end up with a pop up box saying:

"Firefox doesn't know how to open this address, because the protocol (firefoxurl) isn't associated with any program."

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4

Re:Demonstration (1)

RobertM1968 (951074) | more than 7 years ago | (#19821583)

Same results as your previous link...

Firefox doesn't know how to open this address, because the protocol (firefoxurl) isn't associated with any program.

Same Firefox 2.0.0.4 (on eCS)

Re:Demonstration (0)

Anonymous Coward | more than 7 years ago | (#19820419)

I'm getting a warning from Firefox either way...

Re:Demonstration (1)

BlueCollarCamel (884092) | more than 7 years ago | (#19821031)

Firefox doesn't know how to open this address, because the protocol (firefoxurl) isn't associated with any program.

Re:Demonstration (1)

RobertM1968 (951074) | more than 7 years ago | (#19821549)

I know one similar response was modded funny, but this is truly what I got.

Firefox doesn't know how to open this address, because the protocol (firefoxurl) isn't associated with any program.

Firefox 2.0.0.4 (on eCS)

Re:Demonstration (1)

Henry V .009 (518000) | more than 7 years ago | (#19821637)

Vista UAC blocks it, interestingly enough.

Quick fix :-) (0)

Anonymous Coward | more than 7 years ago | (#19821765)

For firefoxurl:

Notice that removing the firefoxurl from Folder Options/File Types does not solve the issue, as FF rebuilds the association once it restarts.

So, here's another way that appears to work, at least in XP:

1- Click on the test link above (or run a firefoxurl)
2- When the dialog box opens, check the box to automatically apply the same answer in the future.
3- Press Cancel (and not OK)

firefoxurl should now be disabled without further dialog boxes. Enjoy

Finally (1)

suv4x4 (956391) | more than 7 years ago | (#19820347)

Finally!

First, Gypsy2012 writes with a highly critical security flaw involving both Firefox 2.0 and Internet Explorer

Earlier when Microsoft's IE team flew over to Mozilla HQ to ask them about their RSS icon, I knew it that's the beginning of a wonderful partnership.

this story sucks (0, Offtopic)

larry bagina (561269) | more than 7 years ago | (#19820349)

but anyhow, has anybody else been paying attention to the fx javascript additions? Stuff like let, Array.forEach, etc. And what's the deal with the javascript 2.0 proposal? Am I the only one that thinks they're trying to ruin it?

Re:this story sucks (1, Funny)

Anonymous Coward | more than 7 years ago | (#19821003)

Ruin JavaScript? I'm afraid it's far too late for that.

Ok.... (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19820353)

There seems to be a security issue if you browse with Internet Explorer and have Firefox installed. I don't know of anyone who actually does this - in my experience, people either use Firefox or uninstall it. Perhaps that's just my experience, though?

Does anyone know anyone who has installed Firefox and nonetheless browses using Internet Explorer?

Re:Ok.... (4, Informative)

bhtooefr (649901) | more than 7 years ago | (#19820431)

There are some sites that don't work with Firefox.

Hell, I've got Firefox on my WIndows system (but Opera is my main browser,) and I usually end up using IE for some sites.

So do I. For ones I absolutely have to trust. (2)

khasim (1285) | more than 7 years ago | (#19820457)

Normally, I'm surfing with Firefox and NoScript and AdBlock and ....

It keeps me safe.

If a site doesn't work with that, then fuck them. I only need IE for some work related sites that have stupid ActiveX controls.

Mod up (1)

Bearhouse (1034238) | more than 7 years ago | (#19822039)

If the lame 'I use Opera post...' gets a 5, then so should yours! I should imagine that most users here do NOT use IE as their default browser, and if using Firefox, have it loaded up with Adblock, Noscript, phishtank...as do I

Re:Ok.... (0)

Anonymous Coward | more than 7 years ago | (#19821107)

which ones? I've never encountered one of these mythical sites...

Re:Ok.... (1)

dwarfsoft (461760) | more than 7 years ago | (#19821351)

MSDN [microsoft.com] didn't work with Firefox for a while back in the 1.x days. I had IETab to fix that. Seems to work fine for me now though. The local Intranet at work here doesn't get the menus working right (they unroll in the top left hand corner of the screen, no matter where they were supposed to) which makes browsing the intranet a hassle. Other than that I have no issues either.

Most people using Firefox wouldn't be browsing MSDN anyway, and only IT people where I work would be able to have Firefox installed, so its not really a big deal.

Re:Ok.... (1)

franksands (938435) | more than 7 years ago | (#19821929)

In Brazil, almost all internet banking sites require IE because of this or that. I think there must be some cases like this in other countries.

Re:Ok.... (1)

jshriverWVU (810740) | more than 7 years ago | (#19820441)

Yes QA testers. Or people who don't really pay attention and use Firefox normally. But when an app or email says "click this link" and IE is the default browser if pops up.

Re:Ok.... (1)

CrazyKen (1109907) | more than 7 years ago | (#19820449)

I use IE from time to time when some stupid web page isn't compatible with Firefox or when some stupid web page fails to render or process forms correctly even after disabling NoScript.

I saw a main reason why forms fail (1)

ericrost (1049312) | more than 7 years ago | (#19820551)

I actually figured out the issue on a intranet site at work. When IE (which has become the default expected behavior) passes a field into a url, if its blank it inserts a null character, when firefox does it, it omits the field. This borks code that doesn't expect the field to be omitted.

Re:I saw a main reason why forms fail (0)

Anonymous Coward | more than 7 years ago | (#19820959)

www.w3.org [w3.org]
 

If a control doesn't have a current value when the form is submitted, user agents are not required to treat it as a successful control.

 

A form data set is a sequence of control-name/current-value pairs constructed from successful controls

Re:Ok.... (1)

deepestblue (206649) | more than 7 years ago | (#19820505)

In fact, this is my primary usage model. I use IE 7.0 for most general browsing since it's "good enough" and it's actually more reliable than FF (crashes less often). But Firefox tabs are just way faster (actually, it's the other way around - IE tabs are horrendously slow). So for my morning-news scenario, I launch my RSS aggregator through FF and middle-click away.

Re: Firefox crashes (5, Informative)

bunratty (545641) | more than 7 years ago | (#19820573)

Firefox crashes for you? Read the MozillaZine Knowledge Base article about Firefox crashes [mozillazine.org] and you can probably fix your problem.

Re:Ok.... (1)

wile_e_wonka (934864) | more than 7 years ago | (#19821227)

I could imagine web developers in the position you describe--especially old ones who are used to using IE. They still keep FF on hand to check compatability.

As for myself (I am not a web developer) I have FF installed but don't usually use it--I primarily use Opera.

Affects Firefox for WINDOWS (1)

CrazyKen (1109907) | more than 7 years ago | (#19820369)

Eh... slightly misleading, but TFA states that this only affects Firefox for Windows based on the installation registering the firefoxurl:// handler.

Meanwhile, Kristensen of Secunia said: "A new URI handler was registered on Windows systems to allow Web sites to force launching Firefox if the 'firefoxurl://' URI was called, like ftp:// [ftp] http:/// [http] or similar would call other applications."

What OS (2, Interesting)

jshriverWVU (810740) | more than 7 years ago | (#19820389)

Every once in a while I see posts about Firefox or IE or whatever with a security flaw that allow remote access or malware/virii to be installed. But they never say what System it affects. Granted for IE it's pretty simple, but once you add firefox into the equation you have to wonder does this effect Linux too? Even so if the bug is in the linux firefox version, does it really matter at a system level, as many sites that might use this bug are going to be geared toward Windows users.

Granted if it's a bug it needs fixed regardless, but I would be more shocked if it said "allows a person to gain remote access on ALL systems running said software".

Re:What OS (5, Insightful)

blhack (921171) | more than 7 years ago | (#19820443)

well...if you read the article you would find that this bug effects Internet Explorer users, not firefox users. The exploit has firefox as a dependency, but is actually called from IE.

Re:What OS (2, Interesting)

Red Flayer (890720) | more than 7 years ago | (#19821077)

The exploit has firefox as a dependency, but is actually called from IE.
So what you're saying is that if you have IE installed on your computer[1], it is a security risk to install Firefox?

Are we *sure* this is a bug, not a "feature"?

Right now, somewhere in Remdond, someone is planning a press release...

[1] By extension, if you are one of the 97.46% of desktop users worldwide with Windows installed.

Re:What OS (3, Informative)

StupiderThanYou (896020) | more than 7 years ago | (#19821151)

well...if you read the article ...
If you who the what now?

Re:What OS (0)

Anonymous Coward | more than 7 years ago | (#19821433)

Bravo sir! Marvellous job! My hat, scarf, gloves, and overcoat are off to you!

Re:What OS (1)

Khuffie (818093) | more than 7 years ago | (#19821645)

This has nothing to do with IE and everything to do with Firefox on windows. Firefox itself registers the "firefoxurl" URI in the Windows Registry, meaning that any application that renders HTML (ie, such as Opera) will popup FIrefox when that handler is invoked.

Re:What OS (0)

Anonymous Coward | more than 7 years ago | (#19821863)

So just remove that registry entry or install the noscript addon.

This is a non-issue.

Re:What OS (0)

Anonymous Coward | more than 7 years ago | (#19820531)

Granted if it's a bug it needs fixed regardless
Right, the best way to do that in my humble opinion is to A) implement the -- "nothing after this is an option" command line option, then B) issue a new release that re-registers firefoxurl:// to use firefox.exe -- [insert url here]

I take that back, that's the second best way, the best way is to admit that this has to be one of the dumbest ideas I've ever heard of, and have the update remove it entirely.

OH SHUT THE MOTHER FUCKING FUCK UP YOU FUCKITYFUCK (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19820607)

SHUT UP!

Re:What OS (3, Interesting)

suv4x4 (956391) | more than 7 years ago | (#19820659)

But they never say what System it affects. Granted for IE it's pretty simple

Is it. Most exploits that would work on XP wouldn't work on Vista in protected mode.

Re:What OS (1)

jshriverWVU (810740) | more than 7 years ago | (#19820735)

Perhaps this is a term difference, but hasn't all versions of Windows from 95 up been running in protected mode? Otherwise how do they get access to larger linear memory mapping versus segmented chunks like the DOS days.

Re:What OS (0)

Anonymous Coward | more than 7 years ago | (#19820849)

Protected mode in this context refers to the sandbox IE7 is run in under Vista, that disallows it or any of exploit in it to write/read from system/user files.

Re:What OS (4, Informative)

GIL_Dude (850471) | more than 7 years ago | (#19820909)

Internet Explorer protected mode in Vista puts IE running at the "low integrity" level meaning it can only access a very limited number of folders (for example the temporary internet files folder). At the low integrity level it is very difficult to actual exploit a machine as you don't have the rights to access much.

Re:What OS (0, Offtopic)

baggins2001 (697667) | more than 7 years ago | (#19821029)

Holly shit, we found the guy running Vista and firefox.

Re:What OS (2, Informative)

stevey (64018) | more than 7 years ago | (#19820921)

You're correct. Protected mode means something different [microsoft.com] in this context.

Nowhere near as much fun as handling triple faults in your assembly code!

Re:What OS (1)

suv4x4 (956391) | more than 7 years ago | (#19821189)

Perhaps this is a term difference, but hasn't all versions of Windows from 95 up been running in protected mode? Otherwise how do they get access to larger linear memory mapping versus segmented chunks like the DOS days.

It's not related to the memory protected mode really, now that I think of it, not very good choice of words on MS part, as it (obviously) could cause confusion.

It's a "low permissions" mode.

Re:What OS (1)

Mundocani (99058) | more than 7 years ago | (#19821103)

I'm running Vista and trying the link in IE just causes Firefox to launch, at which point Firefox puts up the security warning about external applications. Guess it's only XP and earlier that can trigger an unprompted launch.

Re:What OS (1)

bdwebb (985489) | more than 7 years ago | (#19822069)

The problem is that Vista won't run on Vista in protected mode.

Re:What OS (2, Informative)

Anonymous Coward | more than 7 years ago | (#19820691)

"virii" is not a word. It's viruses.

http://en.wikipedia.org/wiki/Virii [wikipedia.org]

Re:What OS (0)

Anonymous Coward | more than 7 years ago | (#19820777)

Virii is NOT a word.

Kdawson... (0)

Anonymous Coward | more than 7 years ago | (#19820401)

Why are you bolding things in a style not normally used on Slashdot?

Re:Kdawson... (4, Funny)

Farmer Tim (530755) | more than 7 years ago | (#19820949)

That's the new text format randomizer , w'hic'h optionall'y add's inap'propriate a'p'o's' t'r'o'p'h'i'es .

It was added a couple of months ago to settle a bet whether Slashdot's editors are better than a random number generator (as yet no winner has been declared).

Re:Kdawson... (1)

StikyPad (445176) | more than 7 years ago | (#19821097)

as yet no winner has been declared

That's only because some newb thinks dupes are evidence of a nonrandom event.

Help the newbies, PLEASE! (0, Troll)

Anonymous Coward | more than 7 years ago | (#19820471)

So this will only hit me if I have Firefox and Internet Explorer installed?

What's Internet Explorer?

Slings and arrows. (-1)

Anonymous Coward | more than 7 years ago | (#19820579)

"First, Gypsy2012 writes with a highly critical security flaw involving both Firefox 2.0 and Internet Explorer, which could allow a malicious attacker to gain remote control of a user's system. It exploits the "firefoxurl://" URI handler."

Don't worry well get those "thousand eyes" right on it.

"Next, reader dsinc sends word that the beta for Firefox 3 has slipped by 6 weeks. The new target date is September 18 at the earliest. The article wonders whether the final release will slip into 2008."

So whatever happen to "It's done when it's done"?

Doesn't work with Firefox 1.5.x.x (2, Insightful)

Fluffy Bunnies (1055208) | more than 7 years ago | (#19820603)

In case anyone was wondering. Seems like skipping version 2 was a good choice after all.

Free Diease. Now pay for the Cure. (4, Insightful)

BillGatesLoveChild (1046184) | more than 7 years ago | (#19820655)

Firefox hasn't released a fix for this, and there is no mention of it on their web site.

Now this blows:

http://secunia.com/advisories/25984/ [secunia.com]
> Solution:
> Do not browse untrusted sites.
> Disable the "Firefox URL" URI handler.

The first is impractical. The second begs the question, "Sure, How?" Read on:

> Extended Solution:
> The "Extended Solution" section is available for Secunia customers only.
> Request a trial and get access to the Secunia Customer Area and Extended Secunia advisories.

So these guys are publishing zero day security flaws, then making you reach for your credit card. Very grubby.

The CNET article doesn't tell you what the fix is either. Google has nothing. Anyone?

Here's how... (5, Informative)

mario_grgic (515333) | more than 7 years ago | (#19820729)

Open Windows Exporer (not Internet Explorer) and from the Tools menu select "Folder Options" menu. On the dialog that appears select the "File Types" tab.

Now in the list of registered file types find the one that says:

"(NONE)" for extension and "Firefox URL" for file type

Select it and click on delete button to delete it.
Click on "OK" to close the "Folder Options" dialog.

Re:Here's how... (1)

BillGatesLoveChild (1046184) | more than 7 years ago | (#19820861)

Thanks very much! Was a little different when I got there, but this seemed to do it: The [Delete] button was greyed out for some reason my PC(!?), so selected it anyway, click [Advanced], [Remove], Sure? [yes]. The entry stays there, but now typeing firefoxurl://slashdot.org in IE says "No Program is associated with this".

Re:Free Diease. Now pay for the Cure. (1)

David_W (35680) | more than 7 years ago | (#19820739)

Disable the "Firefox URL" URI handler.
[This] begs the question, "Sure, How?"

URI handlers are stored under HKCR in the registry. If you rename or remove HKCR\FirefoxURL it should disable the handler. Note that I have no idea what other impact doing that would have.

Re:Free Diease. Now pay for the Cure. (1)

Fluffy Bunnies (1055208) | more than 7 years ago | (#19820747)

Errr, manually remove the entry from Windows registry seems like the obvious way of doing it. What exactly is the problem here? Uninstalling and switching to portable Firefox 2 or Firefox 1.5 would also work...

Re:Free Diease. Now pay for the Cure. (0)

Anonymous Coward | more than 7 years ago | (#19821489)

The second begs the question,
raises [wikipedia.org] the question.

WINDOWS Firefox, how hard is that to type? (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#19820745)

Once again, another headline just calling it "Firefox" when in reality it is WINDOWS firefox that is to blame. WINDOWS, get it submitter? Grok the diff? Can't type a few extra characters?

I wish some devs would fork the linux version of FF, give it a brand new name, and then go forward and code an open source browser for an open source operating system and not be associated with that WINDOWS application or with the multi billion dollar company Microsoft that can afford to do its own coding, for the people who insist on running that operating system.

    I don't code but I would donate cash to such an effort to make a REAL open source browser for a REAL open source operating system and not stay stuck on being MS's bitch and sucking hind tit all the time.

Let's call a spade a spade, Mozilla as it is run now is a stealth arm of Microsoft corporation at this point. Their main emphasis and drive is creating MS Windows applications.

lol (0)

Anonymous Coward | more than 7 years ago | (#19821001)

Dear Sir,

LOL!

Sincerely,
Me

Re:WINDOWS Firefox, how hard is that to type? (0)

Anonymous Coward | more than 7 years ago | (#19821013)

I would donate cash to such an effort to make a REAL open source browser for a REAL open source operating system and not stay stuck on being MS's bitch and sucking hind tit all the time.


It's called Konqueror. [konqueror.org]

IE problem, but also Firefox problem. (4, Informative)

The MAZZTer (911996) | more than 7 years ago | (#19820751)

Firefox will warn you if a program tries to use other protocols. It will allow you to suppress the warning, however, which can cause the same problem as IE, but at least you can't say you weren't warned. So from this POV, it is IE's problem moreso than Firefox's, especially when it's considered that the URLs can't do anything from WITHIN Firefox, and that (I haven't checked this, just heard it somewhere) the protocol was requested by MS for some Vista compatibility thing or some such nonsense. Not sure if there's anything to that.

However, on the flip side, anyone who implements a protocol needs to be aware any web page can invoke the protocol at will, without the consent of the user (well, thanks to IE's "standards"). This results in being able to do things like this [mzzt.net] . This webpage redirects the browser to steam://open/main, which will open the main Steam window. The user never sees the actual url. This could work with the firefoxurl protocol as well. Here are some other things that can be done [valvesoftware.com] , some of the uglier ones have confirmation screens I believe, but launching a game or connecting to a server does not. Note the first one which promises that it can redirect command line arguments, just like firefoxurl... however I cannot get that to work (I tried -shutdown and it just focused the main window like my current sample does). Also note the hackish steam://openurl/, which is designed to allow Steam's built-in IE browser to invoke the computer's default browser. Theoretically this could be used to bypass a popup blocker.

Of course it would appear that Steam at least can't run arbitrary programs and is limited to it's own folder in terms of effects (I could force you to join my UBER LAME COUNTER STRIKE SERVER but that's about it).

I think both Microsoft and Mozilla need to take steps to fix this problem. Microsoft needs to improve external protocol handling to at least what Firefox does (Firefox could even secure its own handling more, but that might detract too much from the flexibility. Not that that's stopped anybody before). Mozilla should remove this silly firefoxurl bit. I can't think of any legitimate reason for it (anyone have any clue?).

As for Valve with Steam... steam://openurl/ is a bit much I think. It's expected for users who don't know what MSHTML or ActiveX are to think it's a bug that external windows open in IE, but us devs know that, internally, IE is just spawning a new window for a page. Since when were you browsing the web in IE and click on a link and it popped open in Firefox? I wouldn't want that to happen if I preferred IE! (Yeah... firefoxurl is definitely useless.) I mean, can't Valve say that because Steam uses Internet Explorer internally for the Store, all launched webpages will appear in Internet Explorer and there's no way around it? Eh probably not. The technically inclined probably think everything is great now and wouldn't care if anyone told them Valve used a hackish and possibly unsafe solution.

Although at the least they could use a whitelist for urls to use for openurl... IE steampowered.com and whatever other sites they link to... although considering the number of third party games being added it could be a largish list. :(

Perhaps steam could kick the steam:// thing entirely, but the only alternative I can think of is an Internet Explorer BHO (ick, not worth the trouble IMO), unless they can do something fancy with javascript or java or flash or something.

Here's a bonus for reading all this: You can see what available protocols Windows / Internet Explorer can use (Firefox too, although it has its own extras like about: and data:) by checking HKEY_CLASSES_ROOT in regedit. Search for Values with the exact name of "URL Protocol" and the keys you find (or maybe it's in the default value?) are the protocol names. With a look it can be easy to figure out how to make your own, even, as they work just like file associations do, just remember that %1 is the ENTIRE URL, including the protocol.

I just found that Adobe Acrobat Reader registers acrobat://. I also got aim:// from Trillian... callto://, a built-in Windows handler... cclaunch://, which fires up CCleaner... (whee! Let's clean up! [cclaunch] ) cvs:// by whatever program put that one in, deusex://, probably for multiplayer servers, etc etc.

Opera (0)

Anonymous Coward | more than 7 years ago | (#19820765)

Got another reason to love Opera..I used it as my main browser cus i i just find firefox too slow to startup compared to opera and the page rendering is slower too. Plus opera comes with everything I need out of the box: adblock, mouse gesture, password wand, and fast forwarding backwarding. By the way, opera looks somehow whacked up when installed on my ubuntu feisty.. must be the font or something????

Re:Opera (0)

Anonymous Coward | more than 7 years ago | (#19820809)

I hope you're getting paid for that.

Re:Opera (2, Interesting)

wile_e_wonka (934864) | more than 7 years ago | (#19821291)

I'm not sure this wouldn't work on Opera if written specificaly for it (which does still reveal a benefit of Opera--people don't usually think to write code exploiting Opera. It just isn't economical to do so). The reason I say this is because, when I click on the link above, Opera asks if it can open FF. This does not end up being detrimental because then I just end up with FF asking me if it can open FF (instead of asking to open cmd.exe). However, if the exploit were written for Opera, then I imagine Opera would have asked me if it could open cmd.exe instead of FF. With all the people out there who just click "ok" to everything that pops up on their computer (i.e., my wife, despite my attempts to teach her otherwise), this could be a workable exploit.

As for Opera on Feisty--it looks ok to me. The font is different from that in Windows but nothing "whacked up."

Requires firefox to exploit from IE (2, Insightful)

Heathhunnicutt-enwik (1126439) | more than 7 years ago | (#19820835)

The fact is that the URI handler firefoxurl:// is installed by.... Firefox.

In other words, IE is redirecting to the firefoxurl DLL or EXE installed by Firefox, and that is the code which is executing user input without warning.

To me it seems disingenuous to blame the IE implementation for handing control to the Firefox protocol handler, which is treated like a shell plug-in. It seems the responsibility to prompt the user should rest on the protocol handler. Otherwise, IE would be expected to prompt on the execution of any protocol handler that was unknown at the time that IE shipped, or some such "prompting heuristic." This would be inconvenient and also subjected to ridicule on /.

Re:Requires firefox to exploit from IE (0)

Anonymous Coward | more than 7 years ago | (#19822049)

No, blame BOTH:

From TFA:

"Firefox is the current attack vector, but Internet Explorer is to blame for not escaping...characters when passing on the input to the command line," said Larholm, in response to a reader's comments. "I agree that Firefox could have registered its URL handler with pure DDE (dynamic data exchange, the protocol for information exchange) instead and thereby have avoided the possibility of a command-line argument injection, but IE should still be able to safely launch external applications."

Workaround (1)

jondaman21 (686607) | more than 7 years ago | (#19820877)

Apparently, the NoScript firefox plugin solves this problem (or so they claim at the website: http://noscript.net/ [noscript.net] ).
So this will serve as a workaround for those who wanted one.

AH! (1)

biggerboy (512438) | more than 7 years ago | (#19820903)

I knew there was a reason to use Safari :-)

Re:AH! (0)

Anonymous Coward | more than 7 years ago | (#19820941)

You should have said that 1 week earlier.

What's a quickie? (0, Troll)

iminplaya (723125) | more than 7 years ago | (#19821009)

Same as in town, fifty bucks

What earthly use is "firefoxurl" anyway?! (2, Informative)

_xeno_ (155264) | more than 7 years ago | (#19821059)

After reading about "firefoxurl" and what it does, I only have one simple question: what on earth were they thinking when they implemented it? What's it supposed to be useful for?

As far as I can tell, the only use it could possibly have is creating desktop URLs that always open in Firefox, however there's no reason why they would have to create a URL handler to do that. Otherwise, it's completely worthless and, as discovered, a security risk, to boot.

For added fun, attempting to use a "firefoxurl" URL while Firefox is already running creates an infinite loop. (It just keeps on asking you to allow an "external application" to launch. It doesn't even seem to actually work. I get the same results when launching it directly from IE through the address bar.)

Why was this implemented? What was it supposed to do?

And, for bonus points, is it possible to write a firefoxurl that, when opened in IE, would unregister the firefoxurl handler?

Re:What earthly use is "firefoxurl" anyway?! (1)

schweini (607711) | more than 7 years ago | (#19821169)

Without actually looking it up, I'd guess this feature is useful for example if you develop XUL-based applications and the like. You could then link to the XUL application on your website, and IE (if you're using it to browse the site) would open the application in FF.

Re:What earthly use is "firefoxurl" anyway?! (5, Informative)

_xeno_ (155264) | more than 7 years ago | (#19821347)

Except that's still retarded, since it's by definition a remotely executable code exploit. URLs don't have to be loaded by users, and in some cases, can even be loaded without any user interaction. (<meta http-equiv="Refresh"> comes to mind, although I haven't gotten the exploit to work on my system yet).

XUL applications have access to basically everything on the system. You know how you can launch files from the Firefox's Downloads window? There's nothing that prevents a skeleton XUL application from downloading a EXE and then launching it with no user interaction. The dialog that Firefox displays when launching executables is handled by the download dialog, there's nothing that requires it be displayed. (I've written an extension that launched a Windows Control Panel applet before, trust me that there's nothing really preventing XUL applications from being nasty.)

So I'm still left wondering, what was this intended for, and who thought it was a good idea?

From TFA... (1)

Farfnagel (898722) | more than 7 years ago | (#19821135)

..."most Firefox users will also have IE loaded on their computers, since it comes with the Windows operating system." So this isn't a vulnerability unless you're running Windows. Gotcha!

Firefox's Fault? (3, Interesting)

DavidD_CA (750156) | more than 7 years ago | (#19821419)

Here's the meat of the article:

Meanwhile, Kristensen of Secunia said: "A new URI handler was registered on Windows systems to allow Web sites to force launching Firefox if the 'firefoxurl://' URI was called, like ftp:// [ftp] http:/// [http] or similar would call other applications."

But because of the way the URI handler was registered by Firefox, it causes any parameter--which activates a program to perform a particular task--to be passed from Microsoft's Internet Explorer, or another application, to Firefox, when firefoxurl:// is activated.

An attacker may use "chrome" context--the interface elements of a browser that create the frame around its page displays--to inject code on a user's system that would be executed within Firefox, Kristensen said.


I interpret that as saying that the Firefox installer messed with Windows and Internet Explorer, opening a hole. Is Window/IE really to blame when another application adds "features" that end up being holes?

If Windows/IE were to filter what can and cannot happen through URI handlers, I could see developers crying foul for preventing access and locking out competition.

Further, is the onus now on Microsoft to fix a hole created by Firefox? And once they fix it, and legit things break because of it, who's fault will that be?

Re:Firefox's Fault? (1)

Vexorian (959249) | more than 7 years ago | (#19821695)

I interpret that as saying that the Firefox installer messed with Windows and Internet Explorer, opening a hole. Is Window/IE really to blame when another application adds "features" that end up being holes?
hmm, hell yeah? Why allow such things like letting an installer create a whole protocol anyways ? It looks like the whole idea of letting that happen is pretty lame...

Re:Firefox's Fault? (1)

DavidD_CA (750156) | more than 7 years ago | (#19821781)

Here's why:

http://en.wikipedia.org/wiki/URI_scheme [wikipedia.org]

Apparently a Firefox developer thought it was a good idea, too.

Does it allow extended priviliges (1)

baggins2001 (697667) | more than 7 years ago | (#19821671)

Does this exploit create the ability to extend privliges beyond those that the user logged in has?

Re:Does it allow extended priviliges (1)

Kalriath (849904) | more than 7 years ago | (#19821955)

No.

I read the headline.... (1)

Actually, I do RTFA (1058596) | more than 7 years ago | (#19821949)

And thought, first my girlfriend, now firefox. I'll see a doctor about it, just stop complaining. You're just giving me performance anxiety.

Highlighting phishing sites is nice, but weak (4, Interesting)

Animats (122034) | more than 7 years ago | (#19821985)

Just highlighting domains of phishing sites isn't going to be enough. Here's today's list of domains that "sort of look like Paypal". These are after subdomain truncation.
"paypal-checker.com"
"paypal-contact.net"
"paypal-customize.com"
"paypal-erreur2.com"
"paypal-security.com"
"paypal-web-dll-scrnupdateaccount.ici.st"
"paypal-web-scrn-dll-pl-dai-pl-webscrndllfs-wertyu i.ork.pl"
"paypal.powered.at"
"paypal.q.fm"
"paypalaccverify.com"
"paypalcomcgibinwebscrcmd.by.ru"
"paypalcomcgibinwebscrcmm.by.ru"
"paypalcomcgibinwebscre.by.ru"
"paypalconstomers.com"
"paypalct.com"
"paypall.ro"
"paypalmd.com"
"paypalobjects.us"
"paypalsecuritycenter.org"
"paypalverification.org"
"paypel-acc-5.com"
"paypilpal.com"
"paypll-wscr.com"
"paypluspl.com"

These are from PhishTank, which blacklists at the URL level based on manual reports. For SiteTruth" [sitetruth.com] , we're in the process of converting to blacklisting phishing sites by the entire base domain. That's because we now see hundreds of entries like "session-624333.nationalcity.com.userpro.tw", which has to be treated as a bad indicator for all of "userpro.tw".

There's collateral damage. There are days when "tinyurl.com" and "notlong.com" get blacklisted, because phishing sites use them. MSN gets complaints about this. [msdn.com] Today, anybody running something like "tinyurl" needs to continually check the phishing databases for attempts to abuse their service, or their own reputation is toast.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?