CERT Coordination Center


Mozilla Firefox insecurely handles content from external applications

Vulnerability Note VU#996798

Original Release Date: 2005-08-02 | Last Revised: 2005-08-15

Overview

Mozilla Firefox does not properly enforce domain restrictions on content sent by external applications, allowing a remote attacker to execute code on a vulnerable system.

Description

Mozilla Firefox can accept links from external applications, such as Flash and QuickTime. When such an application attempts to open a link, the link is sent to the default web browser. The default configuration for Firefox is to open links from other applications in the most recent tab or window. When Firefox receives a javascript: URI from an external application, the script executes within the security context of the page currently displayed by the browser, thus creating a cross-domain violation.

If Firefox is displaying a privileged chrome: URI, then the external application could cause Firefox to execute arbitrary code.

For more information, please refer to Mozilla Foundation Security Advisory 2005-53. This vulnerability affects Firefox versions prior to 1.0.5 and Netscape 8 versions prior to 8.0.3.1. Other web browsers based on Mozilla Firefox may also be affected.

Impact

By convincing a user to open a specially crafted media file, an attacker may be able to execute arbitrary code on a vulnerable system. Other applications that have the ability to send URIs to Firefox may also be used to trigger the vulnerability. Additional impacts are similar to cross-site scripting attacks, as described in CERT Advisory CA-2000-02.

Solution

Upgrade
This vulnerability is addressed in Firefox 1.0.5 and Netscape 8.0.3.1 and later.


According to Mozilla Foundation Security Advisory 2005-53, the following workaround will mitigate this vulnerability.

Set the browser to open external links in a new tab or new window.

    1. Open the Options dialog from the Tools menu
    2. Select the Advanced icon in the left panel
    3. Open the "Tabbed Browsing" group
    4. Set "Open links from other applications in:" to either new tab or new window

Netscape 8 is configured by default to open external links in new tabs, which prevents exploitation of this vulnerability.
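
An added example, not part of the CERT note or Mozilla's advisory: a triage check that combines the fixed versions above with the workaround setting. It assumes the dialog option is stored in prefs.js as `browser.link.open_external` (1 = current tab/window, 2 = new window, 3 = new tab) and that Netscape 8 uses the same preference; neither detail is stated on the page.

```python
import re

# Affected ranges from the advisory: Firefox < 1.0.5, Netscape 8 < 8.0.3.1.
AFFECTED = {"firefox": ((0,), (1, 0, 5)), "netscape": ((8,), (8, 0, 3, 1))}
# Behaviour when the pref is unset, per the advisory: Firefox reuses the
# current tab/window (1), Netscape 8 opens a new tab (3).
DEFAULT_TARGET = {"firefox": 1, "netscape": 3}
# Assumption: pref name and value meanings are not given on the page.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"browser\.link\.open_external"\s*,\s*(\d+)\s*\)\s*;',
    re.M)


def parse_version(text):
    """Turn '1.0.4' into (1, 0, 4); reject anything that is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(product, version):
    """True if the version falls in the affected range for that product."""
    low, fixed = AFFECTED[product.lower()]
    have = parse_version(version)
    width = max(len(low), len(fixed), len(have))
    pad = lambda v: v + (0,) * (width - len(v))  # 1.0 compares as 1.0.0
    return pad(low) <= pad(have) < pad(fixed)


def external_link_target(product, prefs_text):
    """Return the configured target; the last user_pref line takes effect."""
    values = PREF_RE.findall(prefs_text)
    return int(values[-1]) if values else DEFAULT_TARGET[product.lower()]


def assess(product, version, prefs_text=""):
    """Classify one installation from its version and prefs.js content."""
    if not is_affected(product, version):
        return "not-affected"
    if external_link_target(product, prefs_text) in (2, 3):
        return "vulnerable-workaround-applied"
    return "vulnerable-exposed"


# Constructed sample prefs.js content, not taken from a real profile.
SAMPLE_PREFS = ('user_pref("browser.startup.homepage", "about:blank");\n'
                'user_pref("browser.link.open_external", 3);\n')
```

An installation reported as `vulnerable-workaround-applied` still needs the upgrade; the setting only removes the current-page context that the external javascript: URI would otherwise run in.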

    Vendor Information

    Mozilla, Inc.

    Updated:  August 02, 2005

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    Please see http://www.mozilla.org/security/announce/mfsa2005-53.html.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Netscape Communications Corporation

    Updated:  August 02, 2005

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The default configuration of Netscape 8 is to open an external URI in a new tab. So although Netscape 8 contains the vulnerability, the default configuration prevents exploitation of it.

    Red Hat Software, Inc.

    Updated:  August 15, 2005

    Status

      Vulnerable

    Vendor Statement

    Updated Mozilla packages (for Red Hat Enterprise Linux 4, 3, and 2.1) and updated Firefox and packages (for Red Hat Enterprise Linux 4) to correct this issue are available at the URL below and by using the Red Hat Network 'up2date' tool.

    http://rhn.redhat.com/errata/CAN-2005-2267.html

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.


    CVSS Metrics

    Group          Score  Vector
    Base           N/A    N/A
    Temporal       N/A    N/A
    Environmental  N/A

    Credit

    This vulnerability was reported in Mozilla Foundation Security Advisory 2005-53. Mozilla credits Michael Krax for providing information regarding this issue.

    This document was written by Jeff Gennari and Will Dormann.

    Other Information

    CVE IDs: CVE-2005-2267
    Severity Metric: 8.02
    Date Public: 2005-07-13
    Date First Published: 2005-08-02
    Date Last Updated: 2005-08-15 12:50 UTC
    Document Revision: 48

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.