Mozilla Foundation Security Advisory 2008-35

Command-line URLs launch multiple tabs when Firefox not running

Announced
July 15, 2008
Reporter
Billy Rios, Ben Turner, Dan Veditz
Impact
Critical
Products
Firefox
Fixed in
  • Firefox 2.0.0.16
  • Firefox 3.0.1

Description

Security researcher Billy Rios reported that if Firefox is not already running, passing it a command-line URI with pipe ("|") symbols will open multiple tabs. This URI splitting could be used to launch chrome: URIs from the command-line, a partial bypass of the fix for MFSA 2005-53 which was intended to block external applications from loading such URIs (that vulnerability remains fixed, however).

This vulnerability could also be used by an attacker to pass URIs to Firefox that would normally be handled by a vector application by appending it to a URI not handled by the vector application. For example, web browsers normally handle file: URIs themselves, or block them from web content altogether, but this flaw enabled attackers to pass them from another browser into Firefox. In Firefox 2 scripts running from file: URIs can read data from a user's entire disk, a risk if the attacker could first place a malicious file in a guessable location on the local disk. Rios demonstrated that the so-called "Safari Carpet-bombing vulnerability" could be used for this, as well as another technique that does not rely on that now-fixed Safari vulnerability.

In Firefox 3 scripts running in local files have limited access to other files, almost entirely mitigating the file: attack. However, combined with a vulnerability which allows an attacker to inject script into a chrome document the above issue could be used to run arbitrary code on a victim's computer. Such a chrome injection vulnerability was discovered in Firefox 3 by Mozilla developers Ben Turner and Dan Veditz. In the absence of the attack described by Billy Rios this injection attack would not run with any special privilege and would be at best a spoofing vulnerability.

Workaround

This attack only works if the user is using another internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack.

References

Bug details embargoed until after the upgrade period