You are here: Known Vulnerabilities in Mozilla Products (Firefox 2.0.0.5) > MFSA 2007-23

Mozilla Foundation Security Advisory 2007-23

Title: Remote code execution by launching Firefox from Internet Explorer
Impact: Critical
Announced: July 17, 2007
Reporter: Greg MacManus and Billy Rios
Products: Firefox and Thunderbird

Fixed in: Firefox 2.0.0.5
  Thunderbird 2.0.0.5
  Thunderbird 1.5.0.13
  SeaMonkey 1.1.4

Description

Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol.

The vulnerability is exposed when a user browses to a malicious web page in Internet Explorer and clicks on a specially crafted link. That link causes Internet Explorer to invoke another Windows program via the command line and then pass that program the URL from the malicious webpage without escaping the quotes. Firefox and Thunderbird are among those which can be launched, and both support a "-chrome" option that could be used to run malware.

Other Windows applications can be called in this way and also manipulated to execute malicious code. This fix only prevents Firefox and Thunderbird from accepting bad data. This patch does not fix the vulnerability in Internet Explorer.

Workaround

Mozilla highly recommends using Firefox to browse the web to prevent attackers from exploiting this problem in Internet Explorer.

References