Internet Explorer and Firefox URI vulnerabilities


If you’ve been closely following the world of software security, especially in relation to web browsers, you’ve probably heard about a recent URI handling problem found in Microsoft Internet Explorer and Mozilla Firefox which could allow a website to execute malicious code on your computer. There has been a lot of confusion about this issue, and even some major technology news sites have misunderstood the situation. I will attempt to clarify the issue here.
First, it was discovered that Internet Explorer had a flaw in the way it allowed other programs to be launched from web links. Programs like e-mail applications, instant messengers, and media players often reserve certain URI schemes like “mailto:”, “aim:”, and “mms:” for their use. When you click on a link with a reserved URI scheme, the web browser will launch the appropriate program using an internal command format like the following: outlook "mailto:someone@example.com".
The problem arises when the URI contains certain characters which cannot safely be plopped as-is into that command format. For example, if there is a quotation mark and a space in the URI, the command might look something like: outlook "mailto:some" one@example.com". So one of Outlook’s command parameters is the first quoted section ("mailto:some") and the rest of the URI would be treated as a separate parameter, possibly triggering an unsafe program function which is only supposed to be available to the local user. By crafting the link URI a certain way, a website could send a program special instructions resulting in remote code execution — the most dangerous kind of security vulnerability.
The proper way a web browser should handle these situations is to use something called URI encoding. This is a process by which special characters like quotation marks and spaces are replaced with safe identifiers which represent those characters. A space would be converted into “%20”, and a quotation mark would be converted into “%22”. So the Outlook example above would become outlook "mailto:some%22%20one@example.com" which runs no risk of executing arbitrary parameters.
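The following Python sketch is an added illustration, not code from either browser. It shows how the article's Outlook command line splits into arguments with and without URI encoding; the template string and the simplified argument splitter are assumptions made for the example.

```python
from urllib.parse import quote

# Hypothetical handler template, modelled on the article's Outlook example.
TEMPLATE = 'outlook "{uri}"'

def split_args(cmdline):
    """Simplified quote-aware splitter (assumption): a double quote toggles
    quoting, whitespace outside quotes ends an argument. Real Windows
    parsing has additional backslash rules that are ignored here."""
    args, cur, in_quote, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
            started = True
        elif ch.isspace() and not in_quote:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def encode_uri(uri):
    """Percent-encode everything except URI-reserved characters and
    existing %XX escapes, so quotes and spaces cannot end the argument."""
    return quote(uri, safe=":/?#[]@!$&'()*+,;=%")

def launch_args(uri, encode):
    """Return the argument list the handler program would receive."""
    if encode:
        uri = encode_uri(uri)
    return split_args(TEMPLATE.format(uri=uri))

if __name__ == "__main__":
    link = 'mailto:some" one@example.com'  # constructed sample from the article
    print(launch_args(link, encode=False))  # URI leaks into a second parameter
    print(launch_args(link, encode=True))   # URI stays one parameter
```
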
When this vulnerability was discovered in Internet Explorer, Firefox was the first program in which the researchers saw that these arbitrary parameters could cause harm. However, it was by no means a Firefox-specific issue. Internet Explorer’s incorrect URI delivery has also been shown to affect dozens of other Windows programs, including Trillian, Adobe Reader, Outlook, AOL Instant Messenger, Windows Media Player, and Skype. Depending on what levels of operation the programs allow from their parameters (which are generally assumed to be safely supplied and thus trusted by the program), some programs face a more serious impact from Internet Explorer’s vulnerability than others. Firefox and Trillian are two programs that security research company Secunia decided to note specifically. Firefox has had far more media attention than any other program affected by this issue, but it’s Internet Explorer which is allowing websites to essentially have user-level access to your programs.
Mozilla recently released a Firefox update which prevents it from being exploited by Internet Explorer in this way, but other programs are still at risk of being exploited as long as Internet Explorer has this vulnerability. Microsoft has stated that they do not plan to fix it, although they’ve been known to change their minds on these issues as media pressure escalates.
After Mozilla patched Firefox to guard against the Internet Explorer vulnerability, it was discovered that Firefox has a similar vulnerability to the one that Internet Explorer has: Firefox may mistakenly pass programs URI parameters without encoding the quotation marks properly. As of this moment, Mozilla has already developed a fix and will release a Firefox update shortly.
Many news articles have misrepresented this situation in a number of ways. Some have claimed that both of these problems were specifically Firefox vulnerabilities. Some have claimed that Mozilla released a fix that didn’t actually fix anything. Some have claimed that Mozilla initially blamed the first issue on Microsoft and then later retracted that accusation and admitted to being responsible for the entire issue. These claims are false, and were largely due to the writers misunderstanding the situation as it has developed.
The real situation is that Internet Explorer and Firefox both have a flaw which allows websites some user-level access to various programs on your computer. Firefox has been updated to protect itself from Internet Explorer’s flaw, and Firefox will soon be updated to fix its own flaw. Microsoft has stated that it will not fix the flaw in Internet Explorer, which means that browsing in Internet Explorer could result in your system being compromised.