
May 20, 2004

It's Not Just Safari That's Vulnerable

By now, I'm sure most Mac users are aware of the significant Safari security vulnerability which allows the "disk" and "help" protocols to be used in concert to execute arbitrary code on your machine after it has been automatically downloaded from any arbitrary website. In fact, the "disk" protocol is not even necessary; you can simply use the "help" protocol to execute commands, as clicking on this link demonstrates (don't worry -- it will just run the uptime command, but I think it makes a pretty potent point).

So far, Safari has been taking all the heat, but this morning, I discovered that Firefox is vulnerable as well. Since I use Firefox rather than Safari, I thought I could click on an example of the exploit and simply download the code for inspection; however, imagine my surprise when the code actually executed! (Firefox users, click on the link above to verify.) I immediately set out to find a way to protect Firefox from such attacks.

The solution I came up with seems to work perfectly so far, takes only a few seconds to implement, and doesn't require installing any third-party software, as other solutions I've seen do:

  1. Go to /Applications/Firefox.app/Contents/MacOS/chrome
  2. Open all.js in any text editor, though preferably vim. :)
  3. Search for the term "protocol-handler".
  4. Under the two lines addressing "mailto" and "news", add the following lines of code:

    pref("network.protocol-handler.external.help" , false); // disable help protocol
    pref("network.protocol-handler.external.disk" , false); // disable disk protocol

  5. Restart Firefox.
  6. Open up this blog entry again and notice that the link to the example exploit no longer works. I have checked three different example exploits (two of which use meta refresh tags rather than direct links), and none of them worked once the code above had been inserted.

Please pass this information along to other Mac/Firefox users. If you're a Safari user, now is a good time to switch to a secure version of Firefox. If you find any issues with this change, simply back it out and let me know, though so far, it seems to work perfectly.

Note that this fix has only been tested with version .8 of Firefox.

Posted by cantrell at May 20, 2004 01:01 PM | References
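To confirm that the edit from the steps above is actually in effect, the following added example (not part of the original post or of Firefox) searches a directory for every all.js and reports the effective value of the "help" and "disk" handler prefs. The function names are hypothetical, the sample files are constructed, and it assumes the last active pref() line for a name wins; it recognizes only `//` comments, not `/* */` blocks.

```shell
#!/bin/sh
# Effective value of network.protocol-handler.external.<scheme> in a prefs file.
# Assumption: the last active pref() line wins; lines commented out with // are skipped.
handler_value() {
    key='network\.protocol-handler\.external\.'"$1"
    hv=$(sed -n 's|^[[:space:]]*pref("'"$key"'"[[:space:]]*,[[:space:]]*\([a-z]*\).*|\1|p' "$2" | tail -n 1)
    echo "${hv:-unset}"
}

# Return 0 only if both "help" and "disk" are explicitly false in the file.
audit_prefs() {
    prefs_rc=0
    for scheme in help disk; do
        v=$(handler_value "$scheme" "$1")
        echo "$1: external.$scheme = $v"
        [ "$v" = false ] || prefs_rc=1
    done
    return $prefs_rc
}

# Audit every all.js under a directory (the file's path varies between installs).
# Returns 0 if all pass, 1 if any fails, 2 if no all.js was found.
audit_bundle() {
    list=$(find "$1" -name all.js)
    [ -n "$list" ] || { echo "no all.js under $1"; return 2; }
    bundle_rc=0
    while IFS= read -r f; do
        audit_prefs "$f" || bundle_rc=1
    done <<EOF
$list
EOF
    return $bundle_rc
}

# Constructed sample: one unpatched file, one patched as in the post.
make_sample() {
    mkdir -p "$1/chrome" "$1/defaults/pref"
    printf '%s\n' 'pref("network.protocol-handler.external.mailto", true);' \
        '// pref("network.protocol-handler.external.help" , false);' > "$1/chrome/all.js"
    printf '%s\n' 'pref("network.protocol-handler.external.help" , false); // disable help protocol' \
        'pref("network.protocol-handler.external.disk" , false); // disable disk protocol' \
        > "$1/defaults/pref/all.js"
}

if [ -n "${1:-}" ]; then audit_bundle "$1"; else
    tmp=$(mktemp -d) && make_sample "$tmp"
    audit_bundle "$tmp" || echo "at least one all.js leaves help or disk enabled"
    rm -rf "$tmp"
fi
```

Run it with the application directory as the only argument to audit a real install; with no argument it audits the constructed sample.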

Comments

Great tip Christian, THANKS!

Posted by: Josh Dura at May 20, 2004 03:20 PM

I may be stating the obvious here but...

I'm using Firefox 0.8 on Windows XP and your sample demonstration link, when clicked, pops up a "help is not a registered protocol" alert.

Posted by: David at May 20, 2004 06:04 PM

I guess I should clarify that this is a Mac only issue.

Posted by: Christian Cantrell at May 20, 2004 06:13 PM

My Firefox does not have an all.js at the location you mention.

Posted by: Jim at May 26, 2004 12:52 PM

What version of Firefox are you running?

Also, try going to "/Applications/Firefox.app" and typing "find . -name all.js". What's the output?

Christian

Posted by: Christian Cantrell at May 26, 2004 12:56 PM

I may be off here...

I think that the preferred method for fixing this would be to modify your own ("~/Library...") preferences rather than going into the application package.

The supported method for this is to go to the pseudo-URL:

about:config

This shows you all of the preferences in effect for your account, and you can modify them more easily in this window.

Note: I'm on Mac OS X running the nightly build from yesterday, and this pref is already "false".

Posted by: K. M. Peterson at May 26, 2004 02:17 PM

Jim, I didn't have all.js in that location either. Here's where I found it, though:
/Applications/Firefox.app/Contents/MacOS/defaults/pref/all.js

Haven't continued the rest of the steps yet, but wanted to post that.

Posted by: quiksan at May 26, 2004 02:44 PM