Jesper is alive and posting ... damn it's good to see him back
And... he hasn't lost his special knack for being able to aim his riposte just right...
My regular readers will remember my indignant reaction to Mozilla.org's advice that we should use Firefox to browse the web to prevent attackers from exploiting MFSA 2007-23.
Well, Jesper took things one step further after he spotted a blog post by Window Snyder, in which she repeats Mozilla.org's advice by saying:
"This patch for Firefox prevents Firefox from accepting bad data from Internet Explorer. It does not fix the critical vulnerability in Internet Explorer. Microsoft needs to patch Internet Explorer, but at last check, they were not planning to. Mark Griesi is quoted in Infoworld saying “We don’t feel that there’s an issue in IE, and therefore, there’s nothing to be fixed.”
Mozilla recommends using Firefox to browse the web to prevent attackers from taking advantage of this vulnerability in Internet Explorer."
Asa Dotzler also said for Firefox that "At Mozilla, we were able to address the biggest part of this problem in Firefox ages ago by simply escaping quotes in URLs before handing them off."
I say to Asa, are you are absolutely certain that you are correct? Jesper did a little digging, and a little experimenting, and discovered that Firefox also does not escape quotes in URLs before it passes them on to protocol handlers. In short, Firefox no longer accepts "bad data" (Windows Snyder's description) from IE, but happily continues to pass what it calls "bad data" on to protocol handlers. Umm, oops.
Note that Jesper stands by his original opinion that any "fault" lies with the program that creates a vulnerable protocol handler and fails to validate input, not the program that calls the said protocol handler.
Markellos Diorinos, an IE Product Manager, also explained things very clearly when he said:
"The number of potential applications (and protocol handlers) is effectively limitless, allowing for many new and exciting ways to enrich the Web. However, as with many extension models, there are security implications. In this example, one potential threat is that the custom URL may have dangerous parameters, such as strings that are too long and might cause a buffer overflow. The limitless variety of applications and their unique capabilities make it very difficult to have any meaningful automated parameter validation by the hosting (caller) application. It is the responsibility of the receiving (called) application to make sure it can safely process the incoming parameters"
Just like Jesper and Markellos, I am of the opinion that Firefox isn't actually doing anything wrong in this instance, but unfortunately for Mozilla.org and Snyder, that is not the stance that *they* have taken - this embarrassing situation is entirely of their own making. Why didn't Mozilla tell us about the Firefox behaviour as revealed by Jesper? Did Mozilla not check to make sure that Firefox does not pass what Snyder called "bad data"?
What will Windows and Mozilla.org say now that Firefox has been shown to be guilty of the very "critical vulnerability" they have been criticizing Internet Explorer for? Will we see an apology? A retraction? A promise to spend less time bashing IE and trying to increase the Firefox user base, and more time putting user safety first, even if it means admitting that you're guilty of an equal sin (a sin in their eyes, not Microsoft's)?
Hey Snyder and Asa, you'd better look behind you ...
