Concerns Force Mozilla Into Finally Fixing Their 9-month-old Firefox Bug

[Detomah]

Flaw found in February, but ignored until it was deployed in Gmail hack.

Mozilla Corp. will patch Firefox against a nine-month-old protocol handler bug, its chief security executive announced Friday, after researchers demonstrated that the vulnerability was more serious than first thought.

The bug is another Uniform Resource Identifier (URI) protocol handler flaw, and the news of an impending fix comes on the heels of Microsoft patching Windows to repair problems in the handlers it registers. Protocol handlers -- "mailto:" is among the most familiar -- let browsers launch other programs such as an e-mail client through commands embedded in a URL.

But Firefox's jar: protocol handler (the ".jar" extension stands for Java ARchive, a ZIP-style compression format) does not check that the files it calls are really in that format. Attackers can exploit the flaw by uploading any content -- malicious code, for example, or a malformed Office document -- to a Web site, then entice users to that site and its content with a link that includes the jar: protocol. Because the content executes in the security context of the hosting site, if that site (eg., a commercial photo sharing service) is trusted, then the malicious code runs as trusted within the browser too.

This cross-site scripting vulnerability was discovered in February by Jesse Ruderman, and reported to Mozilla's Bugzilla database early that month. But not until after other researchers picked up the scent this month did Mozilla roll into action.

A week and a half ago, Petko Petkov, a prolific researcher based in the U.K., noted that any application which allows uploading of jar or ZIP files is vulnerable to cross-site scripting attacks. "Potential targets for this attack include applications such as Web mail clients, collaboration systems, document sharing systems, almost everything that smells like Web 2.0," Petkov said in a Nov. 7 post.

Three days later, a researcher known as "Beford" cranked out a proof-of-concept exploit that paired the jar: vulnerability with an open redirect bug in Google's Gmail, and showed how they let him access another user's contacts. Like Petkov, Beford said the bug was a serious problem. "I think it's a big issue, and the fact that it has been on Bugzilla for way more than ten f***ing days is not a good thing." Beford's mention of ten days was a reference to a comment made last summer by Mozilla's Mike Shaver, director of ecosystem development, that Mozilla fixed flaws within that time.

Snyder noted that the jar: protocol handler bug was, in fact, two slightly different vulnerabilities, and that the company was tracking them as such. "There is a second issue that if a zip [jar] archive is loaded from a site through a redirect, Firefox uses the context from the initiating site," she said.

"This allows an attacker to take advantage of a site with an open redirect and host content on their own malicious site that will execute with the permissions of the redirecting site." According to Mozilla's bug-management database, this second issue -- Beford's variant -- is considered the more dangerous of the pair; Bugzilla lists it severity as "major," compared with "normal" for the original cross-site scripting vulnerability uncovered in February by Ruderman.

Both bugs will be patched soon. "This will be addressed in Firefox 2.0.0.10, which is currently in testing," Snyder said in a Friday entry on Mozilla's security blog.

Until Mozilla patches the browser, users can block jar:-based cross-site scripting attacks with the newest version of NoScript, a plug-in created by Italian developer Giorgio Maone, and one that regularly ranks among the most popular Firefox extensions. "NoScript will prevent remote JAR resources from being loaded as documents, neutralizing the XSS [cross-site scripting] dangers of the jar: protocol while keeping its functionality," said Maone on his personal blog last week.

Snyder didn't explain why the vulnerability wasn't addressed in the months since Ruderman's discovery, but the bug's activity log shows that after being assigned to one developer in late February, it was bounced to another in July; its fix deadline was also bumped several times, from an alpha of Firefox 3.0 to the first beta to the second beta to, finally in October, a post-beta 2 version of Firefox 3.0 designated only as M10.

On Nov. 7 -- the day Petkov posted his first analysis of the jar: protocol handler vulnerability -- work shifted into high gear, and by last Thursday, fixes had been made to both bugs that comprise the vulnerability, the log revealed.

Mozilla was not available Sunday for comment.

This is the not the first URI protocol handler vulnerability that Mozilla's fixed in Firefox. Starting in July, it patched the browser several times to quash problems in the firefoxurl: protocol handler. At the time, a tit-for-tat spat between backers of Firefox and Microsoft Internet Explorer developed over who was responsible for crafting repairs. In October, Microsoft owned up to patching protocol handlers it registers, but said that third-party application developers still had to fix bugs in any handlers they registered.

Microsoft issued a fix for its Windows XP and Windows Server 2003 protocol handler bug last Tuesday as part of the November security update.