Browser blame game continues over Windows zero-day flaw

As confusion continues over who is responsible for a zero-day Windows vulnerability -- Microsoft or Mozilla -- the former said it sees no need to patch Internet Explorer (IE) while the latter promised to fix Firefox, even though it blames its rival for the problem.

On Tuesday, researchers started arguing over a bug that allows attacks against IE users -- but only those who also have Firefox installed on their PCs. Thor Larholm pinned the blame on IE, and said that while Firefox registers the FirefoxURL protocol used in the proof-of-concept exploits, Mozilla's browser was an innocent bystander.

"There is an input validation flaw in Internet Explorer," said Larholm. Specifically, he said that IE fails to escape quotation marks, as well as other characters, such as commas.

"Internet Explorer is to blame for not escaping 'quote' characters when passing on the input to the command line," Larholm said later Tuesday. "I agree that Firefox could have registered its URL handler with pure DDE instead and thereby have avoided the possibility of a command line argument injection, but IE should still be able to safely launch external applications."

Other security experts, including Thomas Kristensen, chief technology officer at Danish vulnerability tracker Secunia, said otherwise. "This is in fact not an IE issue, it is a Firefox issue," Kristensen claimed in an e-mail to Computerworld.

Things didn't become any clearer yesterday as Mozilla's chief security officer, Window Snyder, promised a fix for Firefox, but said it is patching only to protect its customers, not because it sees Firefox as the culprit. "This will prevent IE from sending Firefox malicious data," Snyder said in a posting on Mozilla's security blog. "Other Windows programs may also be vulnerable to bad data being passed from IE, although we are not aware of any at this time."

Although Snyder never directly pinned responsibility on IE, she came close by describing the problem. "Any Windows application that calls a registered URL protocol without escaping quotes may be used to pass unexpected and potentially dangerous data to the application that registers that URL protocol," she said. "This could result in a critical security vulnerability."

For its part, Microsoft issued a one-sentence statement through a spokesman. "Microsoft has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product," read the statement.

Other researchers waded into the brouhaha. Today, Jesper Johansson -- who, like Snyder, once worked for Microsoft but is now a security program manager at Seattle-based Amazon.com -- again argued that IE is not to blame. "It is quite clear really: IE does not validate the URL string, nor does it ever make any promise to do so [emphasis in original]."

Instead, he said, the flaw lies with Firefox. "It is clear from [Windows'] documentation that it is incumbent upon the application to validate the URL string," he said on his blog. "If the application can accept, and process, dangerous commands through its protocol handler, as Firefox does, it is even more critical that the application take care to validate the URL before processing it."
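The mechanism both camps are describing, as an added illustration that is not code from Mozilla, Microsoft or any of the researchers quoted: a registered URL protocol maps to a command-line template, and whoever fills the template in with an attacker-controlled URL without escaping the double-quote character lets that URL end its own argument and start new ones. The handler template, the sample URLs and the simplified argv splitter below are constructed for the example (real Windows command-line parsing has more rules than the quote-toggling shown here); the two fixes correspond to the two positions in the article, the caller escaping before substitution and the handler validating what it receives.

```python
"""Constructed demonstration of command-line argument injection through an
unescaped URL protocol handler template, and two defensive checks.
Not code from Firefox, Internet Explorer or the page's researchers."""
import re
from urllib.parse import quote

# Assumed, simplified shape of a protocol handler registration: the exe path
# and the %1 placeholder are each wrapped in double quotes by the registrant.
FIREFOX_EXE = r"C:\Program Files\Mozilla Firefox\firefox.exe"
HANDLER_TEMPLATE = f'"{FIREFOX_EXE}" -url "%1"'

# Constructed sample inputs: a benign URL and one carrying a quote character.
BENIGN_URL = "firefoxurl://example.com/page"
QUOTED_URL = 'firefoxurl://example.com" -injected "x'


def fill_template_naively(template: str, url: str) -> str:
    """What a caller does when it substitutes the URL with no escaping."""
    return template.replace("%1", url)


def argv_from_cmdline(cmdline: str) -> list[str]:
    """Simplified argv splitter: double quotes group, whitespace separates.
    Windows' real rules are richer, but the quote-toggling is the relevant part."""
    args, current, in_quotes, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True          # an empty quoted string is still an argument
        elif ch.isspace() and not in_quotes:
            if have_token:
                args.append("".join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True
    if have_token:
        args.append("".join(current))
    return args


# The template intends exactly this many arguments: exe, -url, the URL.
EXPECTED_ARGC = len(argv_from_cmdline(HANDLER_TEMPLATE))


def escape_url_for_template(url: str) -> str:
    """Caller-side fix (Larholm's position): percent-encode every character
    that can change argument boundaries before it reaches the template."""
    return quote(url, safe="/:?#[]@!$&'()*+,;=%")


def handler_accepts_url(url: str) -> bool:
    """Handler-side fix (Johansson's position): the registered application
    refuses a URL that could not have arrived as one intact argument."""
    return re.search(r'["\s]', url) is None


def argc_naive(url: str) -> int:
    """Argument count the launched program would see without escaping."""
    return len(argv_from_cmdline(fill_template_naively(HANDLER_TEMPLATE, url)))


def argc_escaped(url: str) -> int:
    """Argument count when the caller escapes the URL first."""
    escaped = escape_url_for_template(url)
    return len(argv_from_cmdline(fill_template_naively(HANDLER_TEMPLATE, escaped)))


if __name__ == "__main__":
    for url in (BENIGN_URL, QUOTED_URL):
        print(f"{url!r}: naive argc={argc_naive(url)}, escaped argc={argc_escaped(url)}, "
              f"handler accepts={handler_accepts_url(url)}")
```

The benign URL yields the three arguments the template intends under both paths. The quoted URL yields five arguments when substituted naively, which is the "command line argument injection" Larholm refers to; escaping on the caller side brings it back to three, and the handler-side check rejects it outright, so either party closing its side of the boundary is enough to prevent the breakout.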

Some see both sides, and put the onus on both parties. "I think it's a shared issue, really," said Roger Thompson, CTO of Exploit Prevention Labs. "If you go to an exploit site directly with Firefox, it doesn't work; only if you go to the site with IE. That's why I think IE is at least part of the issue."

Even more confusing is that while Mozilla plans to patch Firefox -- tentatively in a 2.0.0.5 release expected to be out at the end of this month -- Firefox users are not at risk. Snyder made a point of stressing that only Windows users who have both browsers installed, and are using IE if (or when) attacked, are in danger.

That diminishes the threat, said Thompson. "[The entire argument] is out of hand," he said, "until someone starts using [the exploit]. There's a huge difference between what might happen and what is happening."

While proof-of-concept code has been published -- some researchers have claimed that they've not been able to produce an exploit using Larholm's code -- there are no reports of any in-the-wild use. And even if there is, the danger may be minor. "If anyone is geeky enough to use Firefox, it's probably their main browser, so they're unlikely to visit the site in IE," said Thompson.

Gregg Keizer

Computerworld