Thursday

Firefox 0-day exploit: Remote Command Exec

Once again, a flaw in the URI handling behavior allows for remote command execution. UNREGISTER ALL UNNECESSARY URIs NOW! This example shows flaws in Firefox, Netscape, and Mozilla browsers… other browsers are affected by related vulnerabilities.

Check out his Proof of Concept. I tried it, yes it works. No update/patch for this. NoScript won't protect you. You can only UNREGISTER ALL UNNECESSARY URIs. :-(

Open Firefox and type 'about:config' in the location bar. Put 'network.protocol-handler.external' in the filter and set the entries for the URIs you don't use to false.


If you need those URIs and don't want to unregister them, you can at least require user confirmation by changing some settings. Put 'network.protocol-handler.warn' in the filter and set them all to true.

Test it by using the proof of concept above.
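
To check a profile against the two settings above without clicking through about:config, here is an added example (not part of the original post) that parses `user_pref` lines from a copy of a profile's prefs.js text. It assumes the full preference names are `network.protocol-handler.external.<scheme>` and `network.protocol-handler.warn-external.<scheme>`; the function names, status labels and sample prefs are constructed for illustration.

```python
import re

# Matches one boolean user_pref("name", value); line as written in prefs.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false)\s*\);', re.M)
EXT = "network.protocol-handler.external."
WARN = "network.protocol-handler.warn-external."


def parse_bool_prefs(text):
    """Return {pref_name: bool} for every boolean user_pref line in text."""
    return {name: value == "true" for name, value in PREF_RE.findall(text)}


def audit(text, schemes, needed=()):
    """Classify each scheme in `schemes`; `needed` are the ones you keep."""
    # A pref absent from the file is at its built-in default, which the file
    # cannot show, so it is reported as "unknown" rather than assumed.
    prefs = parse_bool_prefs(text)
    result = {}
    for scheme in schemes:
        external = prefs.get(EXT + scheme)  # None when not in the file
        warn = prefs.get(WARN + scheme)
        if external is False:
            result[scheme] = "disabled"
        elif scheme in needed and warn is True:
            result[scheme] = "kept-with-warning"
        elif scheme in needed:
            result[scheme] = "needs-warning"
        elif external is None:
            result[scheme] = "unknown"
        else:
            result[scheme] = "should-disable"
    return result


# Constructed sample prefs text (not taken from a real profile).
SAMPLE = '''
user_pref("network.protocol-handler.external.news", false);
user_pref("network.protocol-handler.external.nntp", true);
user_pref("network.protocol-handler.external.mailto", true);
user_pref("network.protocol-handler.warn-external.mailto", true);
user_pref("browser.startup.homepage", "about:blank");
'''
SCHEMES = ["mailto", "news", "nntp", "snews", "telnet"]
NEEDED = ("mailto", "telnet")

if __name__ == "__main__":
    for scheme, status in audit(SAMPLE, SCHEMES, NEEDED).items():
        print(f"{scheme:8} {status}")
```

Anything reported as "unknown" still has to be looked up in about:config, because prefs.js only records values that differ from the defaults.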

Bonus: Hey, Mozilla: Quotes Are Not Legal in a URL
Update: NoScript 1.1.6.06 (released yesterday) gives early protection against this exploit for those stuck with stable 2.0.0.5. There is a 2.0.0.6 which fixes this but it's not (officially) released yet.
