AL-2007.0084 -- [Win] -- Mozilla Firefox URL protocol handling vulnerability

Date: 12 July 2007
References: AU-2007.0018  


A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2007.0084 -- AUSCERT ALERT
            Mozilla Firefox URL protocol handling vulnerability
                               12 July 2007


        AusCERT Alert Summary

Product:              Firefox and prior
Publisher:            US-CERT
Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated

Original Bulletin:

--------------------------BEGIN INCLUDED TEXT--------------------

US-CERT Vulnerability Note VU#358017
Mozilla Firefox URL protocol handling vulnerability


        Mozilla Firefox protocol handlers may allow remotely supplied
        JavaScript to execute with elevated privileges. This may allow a
        remote, unauthenticated attacker to execute arbitrary code on a
        vulnerable system.

I. Description

        Mozilla Firefox installs protocol handlers for Mozilla-specific
        protocols, such as the FirefoxURL and FirefoxHTML protocols. If
        Microsoft Windows encounters a URL protocol it cannot handle natively,
        it searches the Windows registry for the appropriate protocol handler.
        When the correct protocol handler is found, Windows passes it the URL
        string. By design, Windows passes the URL string to the protocol
        handler exactly as it was received, without performing any sanitization.

        Mozilla Firefox URL protocol handlers are constructed in a way that
        may allow a remote attacker to execute arbitrary JavaScript with
        elevated (chrome) privileges. Mozilla Firefox security restrictions
        detect and prevent the execution of such JavaScript. However, if a
        remote attacker can persuade a user with Firefox installed to access
        a specially crafted web page using Internet Explorer, and perhaps
        other Windows applications, the malicious JavaScript will be
        executed. Reports claim this vulnerability is introduced when
        Firefox versions and later are installed.

        Exploit code is publicly available for this vulnerability.

II. Impact

        This vulnerability may allow a remote, unauthenticated attacker to
        execute JavaScript with elevated (chrome) privileges. This
        essentially means that the attacker can execute arbitrary code with
        the privileges of the user.

III. Solution

        We are unaware of a practical solution to this problem. Until a
        solution is available the following workaround may prevent known
        exploits from working:

        Unregister the Firefox protocols

        Disabling the Mozilla Firefox protocol handlers will mitigate this
        vulnerability. To unregister the protocol handlers, delete or rename
        the following registry keys:


        Modifying the Windows registry may have unintended consequences and
        should be done with care.
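The description above explains how Windows dispatches an unknown URL scheme to whichever handler is registered for it and hands over the raw URL string, and the workaround above is to delete or rename the handler keys. The following PowerShell script is an added example, not part of the US-CERT note or the AusCERT bulletin: it inventories every URL protocol handler registered under HKEY_CLASSES_ROOT, shows the command line each one would run, and provides a reversible version of the rename workaround that exports the key first. The key names `FirefoxURL` and `FirefoxHTML` are an assumption based on the protocol names mentioned in the note (the note itself does not list the keys), and the backup directory is a placeholder.

```powershell
#Requires -Version 3.0
<#
  Added example, not from the US-CERT note or the AusCERT bulletin.
  Lists URL protocol handlers registered under HKEY_CLASSES_ROOT and
  offers a reversible form of the "delete or rename the registry keys"
  workaround. Assumptions: the handler keys are named after the protocols
  (FirefoxURL, FirefoxHTML); the backup directory is a placeholder.
#>

function Get-UrlProtocolHandler {
    # A URL protocol key carries an (empty) 'URL Protocol' value. The command
    # Windows launches lives under shell\open\command, where %1 is replaced by
    # the full URL string as received, with no sanitization.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValueNames() -contains 'URL Protocol' } |
        ForEach-Object {
            $cmdPath = "Registry::HKEY_CLASSES_ROOT\$($_.PSChildName)\shell\open\command"
            $command = $null
            if (Test-Path -Path $cmdPath) {
                $command = (Get-Item -Path $cmdPath).GetValue('')
            }
            [pscustomobject]@{
                Protocol  = $_.PSChildName
                Command   = $command
                # True when the handler receives the raw URL on its command line.
                PassesUrl = ($null -ne $command) -and ($command -match '%1')
            }
        }
}

function Disable-UrlProtocolHandler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Protocol,
        # Placeholder location; choose one your change-control process records.
        [string] $BackupDir = (Join-Path $env:TEMP 'protocol-handler-backup')
    )
    $keyPath = "Registry::HKEY_CLASSES_ROOT\$Protocol"
    if (-not (Test-Path -Path $keyPath)) {
        Write-Warning "No protocol handler key named '$Protocol' is registered."
        return
    }
    if (-not (Test-Path -Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    # Export the key first so the change can be reversed with 'reg import'.
    $backupFile = Join-Path $BackupDir "$Protocol.reg"
    & reg.exe export "HKCR\$Protocol" $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup of HKCR\$Protocol failed; key left untouched."
    }
    # Renaming rather than deleting keeps the key recoverable. Windows looks
    # the handler up by the exact protocol name, so the renamed key is ignored.
    if ($PSCmdlet.ShouldProcess("HKCR\$Protocol", 'Rename key to disable handler')) {
        Rename-Item -Path $keyPath -NewName "$Protocol.disabled"
    }
}

# Usage: list every registered handler, flagging the ones the note concerns.
$watch = @('FirefoxURL', 'FirefoxHTML')   # assumption: key names match the protocol names
Get-UrlProtocolHandler |
    Select-Object Protocol, PassesUrl, Command,
        @{ Name = 'Flagged'; Expression = { $watch -contains $_.Protocol } } |
    Sort-Object -Property Flagged -Descending |
    Format-Table -AutoSize

# Dry run of the workaround; drop -WhatIf in an elevated shell to apply it:
# Disable-UrlProtocolHandler -Protocol 'FirefoxURL' -WhatIf
```

Enumerating all of HKEY_CLASSES_ROOT takes a few seconds on a typical machine. The inventory needs no special rights, while the rename requires an elevated shell; run it with `-WhatIf` first, keep the exported `.reg` file, and re-run the inventory afterwards to confirm the protocol no longer appears.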

Systems Affected

        Vendor                  Status    Date Updated
        Microsoft Corporation   Unknown   10-Jul-2007
        Mozilla                 Unknown   11-Jul-2007



        This vulnerability was publicly disclosed by Thor Larholm.

        This document was written by Jeff Gennari.

Other Information

        Date Public             07/10/2007
        Date First Published    07/11/2007 10:53:35 AM
        Date Last Updated       07/11/2007
        CERT Advisory
        CVE Name
        Metric                  19.69
        Document Revision       57

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.