In-Depth

IE7 Cross-Browser Scripting Exploit Goes Zero Day

Vulnerability affects users with IE and Firefox.

Since its debut, Internet Explorer (IE) 7.0 has arguably established itself as Microsoft Corp.'s most secure Web browser to date. To be sure, Redmond has dutifully included IE 7.0 patches in its Internet Explorer patch roll-ups — but at the very least, Microsoft's newest IE flavor hasn't fallen prey to any of the blockbuster exploits that have so bedeviled Internet Explorer in the past.

Just this week, however, a security researcher alerted Internet Explorer users (and Microsoft itself) to a new input validation vulnerability in IE 7.0.

Thor Larholm, a Danish security consultant and entrepreneur, yesterday published details — complete with exploit code — about the IE 7.0 flaw, comparing it to a similar issue that he discovered in Apple Inc.'s Safari 3.0 browser beta.

There's a caveat: for Internet Explorer to actually be vulnerable, the Firefox browser from Mozilla must also be installed. That's because Firefox registers a URL handler called "FirefoxURL," which basically gives it — and other applications — a means to invoke Firefox from the Windows shell.

The problem, Larholm says, is that when IE encounters the FirefoxURL handler, it calls ShellExecute with the EXE image path and processes the entire request  without any input validation. In other words, he points out, IE will pass any command to ShellExecute — even potentially unsafe or malicious instructions.

"As can be evidenced it is possible to [pass] arbitrary arguments to the 'firefox.exe' process. This is where the '-chrome' command line argument comes in handy, as it allows us to specify arbitrary Javascript code which is then executed within the privileges of trusted Chrome content," writes Larholm on his blog. "For this exploit I have chosen to demonstrate how you can specify process arguments with the nsIProcess interface found in Mozilla."

Larholm isn't the first researcher to note some of the shortcomings of the FirefoxURL handler. Security researchers Billy Rios, Nate Mcfeters and Raghav Dube had previously published proof-of-concept code for a cross-browser scripting exploit. Because Internet Explorer passes the FirefoxURL parameters directly to Firefox, without first performing any validation, Rios, McFeters and Dube were able to use IE to invoke Firefox and have it launch arbitrary JavaScript code. Nor is IE the only browser vulnerable to this exploit; theoretically, any browser that runs under Windows is susceptible.

So, is the flaw an IE or Firefix flaw? To a degree, both programs are at fault, Larholm says: "Firefox is the current attack vector ... but IE should still be able to safely launch external applications safely," he wrote in response to user comments on his blog.

Larholm also noted that other URL handlers — such as those for Internet relay chat (irc://) and AOL Instant Messenger (aim://) could be vulnerable, too. "Internet Explorer doesn't filter the input for the irc:// or aim:// URL protocol handlers either. The exploitability on those depend on what arguments each application accepts," he indicates.

Larholm provides a working proof-of-concept of the exploit here.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

comments powered by Disqus

Featured

  • Compare New GitHub Copilot Free Plan for Visual Studio/VS Code to Paid Plans

    The free plan restricts the number of completions, chat requests and access to AI models, being suitable for occasional users and small projects.

  • Diving Deep into .NET MAUI

    Ever since someone figured out that fiddling bits results in source code, developers have sought one codebase for all types of apps on all platforms, with Microsoft's latest attempt to further that effort being .NET MAUI.

  • Copilot AI Boosts Abound in New VS Code v1.96

    Microsoft improved on its new "Copilot Edit" functionality in the latest release of Visual Studio Code, v1.96, its open-source based code editor that has become the most popular in the world according to many surveys.

  • AdaBoost Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the AdaBoost.R2 algorithm for regression problems (where the goal is to predict a single numeric value). The implementation follows the original source research paper closely, so you can use it as a guide for customization for specific scenarios.

  • Versioning and Documenting ASP.NET Core Services

    Building an API with ASP.NET Core is only half the job. If your API is going to live more than one release cycle, you're going to need to version it. If you have other people building clients for it, you're going to need to document it.

Subscribe on YouTube