Mozilla Foundation Security Advisory 2007-23

Remote code execution by launching Firefox from Internet Explorer

Announced: July 17, 2007
Reporter: Greg MacManus and Billy Rios
Impact: Critical
Products: Firefox, SeaMonkey, Thunderbird
Fixed in:
  • Firefox 2.0.0.5
  • SeaMonkey 1.1.4
  • Thunderbird 1.5.0.13
  • Thunderbird 2.0.0.5

Description

Internet Explorer invokes registered URL protocol handlers without escaping quotes in the URL, so it can be used to pass unexpected and potentially dangerous data to the application that registered the URL protocol.

The vulnerability is exposed when a user browses to a malicious web page in Internet Explorer and clicks on a specially crafted link. That link causes Internet Explorer to invoke another Windows program via the command line and pass that program the URL from the malicious web page without escaping the quotes. Firefox and Thunderbird are among the programs that can be launched this way, and both support a "-chrome" option that could be used to run malware.

Other Windows applications can be called in this way and also manipulated to execute malicious code. This fix only prevents Firefox and Thunderbird from accepting bad data. This patch does not fix the vulnerability in Internet Explorer.
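
The quoting problem described above, as an added example (not code from Mozilla or from this advisory): a simplified Windows-style argument splitter shows how an unescaped quote in the URL ends the quoted argument and creates extra command-line arguments, and how percent-encoding the quote on the calling side or checking the argument count on the receiving side prevents that. The handler template, executable name, protocol name and option names are constructed placeholders, and the receiving-side check is illustrative, not the fix shipped in the releases listed above.

```python
# Added illustration; every name below is a constructed placeholder.
TEMPLATE = '"handler.exe" -url "%1"'  # assumed handler command template
SAMPLE_URL = 'exampleproto:page" -extra-option "value'  # constructed input


def split_args(cmdline):
    """Simplified Windows-style splitting: a double quote toggles quoting,
    unquoted whitespace separates arguments. Backslash rules are not modelled."""
    args, cur, quoted, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            quoted, started = not quoted, True
        elif ch in " \t" and not quoted:
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args


def expand_unescaped(url):
    """Caller substitutes the URL as-is (the behaviour the advisory describes)."""
    return split_args(TEMPLATE.replace("%1", url))


def expand_escaped(url):
    """Caller percent-encodes double quotes before substitution."""
    return split_args(TEMPLATE.replace("%1", url.replace('"', "%22")))


def receiver_accepts(argv):
    """Receiving-side check: exactly one value after -url and nothing else."""
    return len(argv) == 3 and argv[1] == "-url"


if __name__ == "__main__":
    for name, fn in (("unescaped", expand_unescaped), ("escaped", expand_escaped)):
        argv = fn(SAMPLE_URL)
        print(name, argv, "accepted" if receiver_accepts(argv) else "rejected")
```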

Workaround

Mozilla highly recommends using Firefox to browse the web to prevent attackers from exploiting this problem in Internet Explorer.
