View Full Version : Multiple Browsers 0-day vulns

2007-07-10, 21:41

> http://secunia.com/advisories/25984/
Release Date: 2007-07-10
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Mozilla Firefox 2.0.x ...
The vulnerability is confirmed in Firefox version on a fully patched Windows XP SP2. Other versions may also be affected.
- Do not browse untrusted sites.
- Disable the "Firefox URL" URI handler...
Original Advisory:

>>> http://larholm.com/2007/07/10/internet-explorer-0day-exploit/ ..."

> http://secunia.com/advisories/25990/
Release Date: 2007-07-10
Critical: Less critical
Impact: Spoofing, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: Mozilla Firefox 2.0.x ...
Solution: Do not browse untrusted web sites.
Provided and/or discovered by: Michal Zalewski ...


2007-07-10, 22:19

- http://isc.sans.org/diary.html?storyid=3121
Last Updated: 2007-07-10 19:59:27 UTC - "...So where does IE come into play against Firefox ?
Firefox seems to prevent access to the command line, but IE happily calls the URL handler and as such provides a path to the command line via the handler installed by Firefox. As a result the IE user on a machine that has Firefox installed is at risk. A workaround is to remove the URL handlers installed by Firefox from the registry. I'm sure the developers of Firefox can undo the damage done to systems in a next patch. This however goes to show that even unused but installed client programs might be a threat on your client system. Hence you need to take care of vulnerabilties in software that you don't even use..."

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3550
Last revised: 7/5/2007
Base score: 7.8 (High)
Impact Subscore: 6.9
Exploitability Subscore: 10.0
Range: Network exploitable
Authentication: Not required to exploit
Impact Type: Allows disruption of service

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3670


2007-07-11, 21:58
Exploit published:

- http://atlas.arbor.net/briefs/index#376231277
July 10, 2007 - "...We have not seen this issue attacked in the wild, although detailed instructions on how to do so have been published."


2007-07-12, 15:52

- http://blog.mozilla.com/security/2007/07/10/security-issue-in-url-protocol-handling-on-windows/
10 July 2007 - "... -Any- Windows application that calls a registered URL protocol without escaping quotes may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. This could result in a critical security vulnerability. The vulnerability is exposed when a user browses to a malicious web page in Internet Explorer and clicks on a specially crafted link. That link causes Internet Explorer to invoke another Windows program via the command line and then pass that program the URL from the malicious webpage without escaping the quotes. This can cause data to be passed accidentally from the malicious web page to the second Windows program. In the specific attack described in the report, Internet Explorer sends URL data to Firefox. If the data is crafted a certain way it will allow remote code execution in Firefox... Mozilla believes in defense in depth and will be patching Firefox in the upcoming release to mitigate the problem. This will prevent IE from sending Firefox malicious data. Other Windows programs may also be vulnerable to bad data being passed from IE..."

- http://wiki.mozilla.org/WeeklyUpdates/2007-07-09#Fx.2FTB_1.
2007-07-09 - "...targeting 7/31 for release date..."

> http://forums.spybot.info/showthread.php?t=16129


2007-07-26, 18:37

- http://preview.tinyurl.com/25dtqf
July 23, 2007 - (Mozilla Security Blog) - "...While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application. We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in We believe that defense in depth is the best way to protect people, so we’re investigating it now... For more information:
https://bugzilla.mozilla.org/show_bug.cgi?id=389106 ...
Bug 389106 – firefox may not escape quotes everywhere
Modified: 2007-07-25 ..."

Firefox exploit published
- http://preview.tinyurl.com/2yhuwk
July 25, 2007 - (InfoWorld) - "... Mozilla is planning to fix this issue in the upcoming release of its browser. Snyder did not say when..."


2007-07-28, 00:01

Microsoft Windows URI Protocol Handling Vulnerability
- http://www.us-cert.gov/current/#microsoft_windows_uri_protocol_handling
added July 27, 2007 - " US-CERT is aware of a vulnerability in the way Microsoft Windows determines how to handle URIs, which may be be leveraged by a remote attacker to execute arbitrary commands on an affected system. Public reports demonstrate that Mozilla Firefox can be used to pass malicious URIs to Windows, but other applications may also act as attack vectors for this vulnerability. More information regarding this vulnerability can be found in Vulnerability Note VU#403150*."
* http://www.kb.cert.org/vuls/id/403150


Mozilla Firefox URI Sanitization Vulnerability
- http://www.us-cert.gov/current/#multiple_web_browsers_uri_sanitization
updated July 27, 2007 - "US-CERT is aware of a vulnerability (VU#783400**) in the way Mozilla Firefox passes URIs to registered protocol handlers in Microsoft Windows. Due to a separate vulnerability (VU#403150*) in the way Windows determines how to execute URIs, Firefox could be used as an attack vector to execute arbitrary commands."
** http://www.kb.cert.org/vuls/id/783400


- http://blog.ceruleanstudios.com/?cat=7
"...You can thank the three geniuses behind the vulnerability report for their professionalism (read: none) in reporting this vulnerability to the vendor before public disclosure. To the rest of #hack: we’re happy to responsibly fix vulnerabilities as they’re found, but would appreciate some advance notice."

2007-07-30, 22:20

- http://wiki.mozilla.org/WeeklyUpdates/2007-07-30#Fx.2FTB_1.
"...We are shipping Firefox tonight..."