Remote code execution by launching Firefox from Internet Explorer
- July 17, 2007
- Greg MacManus and Billy Rios
- Firefox, SeaMonkey, Thunderbird
- Fixed in
- Firefox 18.104.22.168
- SeaMonkey 1.1.4
- Thunderbird 22.214.171.124
- Thunderbird 126.96.36.199
Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol.
The vulnerability is exposed when a user browses to a malicious web page in Internet Explorer and clicks on a specially crafted link. That link causes Internet Explorer to invoke another Windows program via the command line and then pass that program the URL from the malicious webpage without escaping the quotes. Firefox and Thunderbird are among those which can be launched, and both support a "-chrome" option that could be used to run malware.
Other Windows applications can be called in this way and also manipulated to execute malicious code. This fix only prevents Firefox and Thunderbird from accepting bad data. This patch does not fix the vulnerability in Internet Explorer.
Mozilla highly recommends using Firefox to browse the web to prevent attackers from exploiting this problem in Internet Explorer.