IE7 Cross-Browser Scripting Exploit Goes Zero Day
Vulnerability affects users with IE and Firefox.
Since its debut, Internet Explorer (IE) 7.0 has arguably established itself as Microsoft Corp.'s most secure Web browser to date. To be sure, Microsoft has dutifully included IE 7.0 patches in its Internet Explorer patch roll-ups — but at the very least, Microsoft's newest IE flavor hasn't fallen prey to any of the exploits that have so bedeviled Internet Explorer in the past.
This week, however, a security researcher alerted Internet Explorer users (and Microsoft itself) to a new input validation vulnerability in IE 7.0. Thor Larholm, a Danish security consultant and entrepreneur, yesterday published details — complete with exploit code — about the IE 7.0 flaw, comparing it to a similar issue that he discovered in Apple's Safari 3.0 browser beta.
There's a caveat: for Internet Explorer to actually be vulnerable, the Firefox browser from Mozilla must also be installed. That's because Firefox registers a URL handler called "FirefoxURL," which basically gives it — and other applications — a way to invoke Firefox from the Windows shell.
The problem, Larholm says, is that when IE encounters the FirefoxURL handler, it calls ShellExecute with the EXE image path and processes the entire request without input validation. In other words, he points out, IE will pass any argument to ShellExecute — even potentially unsafe or malicious ones.

"As can be evidenced it is possible to [pass] arbitrary arguments to the 'firefox.exe' process. This is where the '-chrome' command line argument comes in handy, as it allows us to specify arbitrary Chrome content," writes Larholm on his blog. "For this exploit I have chosen to demonstrate how you can specify process arguments with the nsIProcess interface found in ..."
Larholm isn't the first researcher to note some of the shortcomings of the FirefoxURL handler. Security researchers Billy Rios, Nate McFeters and Raghav Dube had previously published proof-of-concept code for a cross-browser scripting exploit. Because Internet Explorer passes the FirefoxURL parameters directly to Firefox, without first performing any validation, Rios, McFeters and Dube were
Nor is IE the only browser vulnerable to this exploit; theoretically, any browser that runs under Windows is susceptible.
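The mechanism the article describes, a protocol-handler command template into which the browser splices the whole received request so that an embedded double quote ends the intended argument and everything after it reaches the target executable as extra arguments, shown as an added example that is not code from the article, from Larholm, or from either browser vendor. The handler template, the firefox.exe path and the two URLs are constructed assumptions. The block contrasts the unsafe string substitution with the two checks a dispatching application wants: reject quote, whitespace and control characters in the scheme-specific part of the URL, and build the command line from an argv list with the standard library's quoting rules instead of by hand.

```python
import re
import subprocess

# Assumed install path and handler layout; the real registry template is not on the page.
FIREFOX_EXE = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SCHEME = "firefoxurl"

# Unsafe pattern: the whole received URL is spliced into a command-line string for %1.
UNSAFE_TEMPLATE = f'"{FIREFOX_EXE}" -url "%1" -requestPending'

# Characters that must never reach a protocol handler inside a URL: a double quote
# closes the quoted %1 argument, whitespace separates arguments, and control
# characters (including newline) have no legitimate place in a URL.
_DISALLOWED = re.compile(r'["\s\x00-\x1f\x7f]')


def windows_argv(cmdline):
    """Split a command line the way the Windows C runtime does, simplified:
    double quotes group text into one argument, backslash-quote is a literal quote,
    and unquoted whitespace separates arguments. Used here only to show what the
    launched process would actually see in argv."""
    args, cur, in_quotes, have_arg, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and i + 1 < len(cmdline) and cmdline[i + 1] == '"':
            cur.append('"')
            have_arg = True
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
            have_arg = True
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(c)
            have_arg = True
        i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def unsafe_launch_string(url):
    """String substitution: whatever the browser received lands verbatim in the command line."""
    return UNSAFE_TEMPLATE.replace("%1", url)


def validate_protocol_url(url, scheme=SCHEME):
    """Accept only a URL for the expected scheme with no quote, whitespace or control characters."""
    if not url.lower().startswith(scheme + ":"):
        return False
    return _DISALLOWED.search(url) is None


def safe_argv(url, exe=FIREFOX_EXE):
    """Build argv so the URL is exactly one argument; reject it first if validation fails."""
    if not validate_protocol_url(url):
        raise ValueError("rejected protocol URL: %r" % url)
    return [exe, "-url", url, "-requestPending"]


def safe_launch_string(url):
    """Quote the argv for CreateProcess with the standard library's rules, not by hand."""
    return subprocess.list2cmdline(safe_argv(url))


if __name__ == "__main__":
    # Constructed inputs: a normal request and one carrying an embedded double quote.
    good = "firefoxurl:http://example.com/"
    bad = 'firefoxurl:example" -injected-flag "'
    print(windows_argv(unsafe_launch_string(bad)))   # extra argv entries appear
    print(validate_protocol_url(bad))                # False
    print(windows_argv(safe_launch_string(good)))    # exactly four argv entries
```

The validator is deliberately stricter than URL syntax requires: a protocol handler is a trust boundary between the browser and an arbitrary local program, so anything that could change how the command line is tokenised is rejected outright rather than escaped, and the argv builder guarantees the launched program sees the URL as a single argument regardless of its content.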
So, is the flaw an IE or Firefox flaw? To a degree, both programs are at fault, Larholm says: "Firefox is the current attack vector ... but IE should still be able to safely launch external applications safely," he wrote in response to comments on his blog.
Larholm also noted that other URL handlers — such as those for Internet relay chat (irc://) and AOL Instant Messenger (aim://) — could be vulnerable, too. "Internet Explorer doesn't filter the input for the irc:// or aim:// URL protocol handlers either. The exploitability on those depends on what arguments each application ..."
Larholm provides a working proof-of-concept of the
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.