Window Snyder fesses up - Firefox also passes "bad data"
Window says:
"Over the weekend, we learned about a new scenario that identifies ways that Firefox could also be used as the entry point. While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application.
We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in 2.0.0.5. We believe that defense in depth is the best way to protect people, so we’re investigating it now.
We are working to make sure that we are giving you as much information about pressing security issues as possible. We make real-time updates as we find out new information because we are committed to an open and transparent security process."
Quote source: http://blog.mozilla.com/security/2007/07/23/related-security-issue-in-url-protocol-handling-on-windows/
In the original scenario that started this entire brouhaha, Firefox did not validatate the input that it was receiving from IE, leading to the exploit in question. In that case, FF were in the wrong - it had the responsibility of ensuring that the data it was accepting was safe. Window Snyder countered that IE was at fault for sending "bad data" to FF in the first place. And it is that statement, gentle reader, that leads to a parting of the ways.
Several respected experts have said that it should not be IE (or Firefox's) responsibility as CALLER, nor is is realistic or practical, for a CALLER application to validate the data that it passes on to whatever application happens to be CALLED at any particular point in time. On the contrary, it is the responsibility of the CALLED application to verify the data that it is accepting.
Now, if Mozilla want to continue down their chosen path of verifying data as CALLER before passing it to the CALLED application, all power to them. I wait with bated breath to see how they are going to fix things and what may break in the process.
One other question remains, actually two... why hasn't Snyder credited Jesper with revealing the "new scenario" - in fact, I notice that Window Snyder has gone so far as to remove all links to Jesper's blog entry from the comments about her blog entry, replacing them with the text "(Jesper's Blog)". I'm struggling to understand why she would do that. I admit, I have been known to remove links from comments as well, but only because they are dangerous in some way, exposing malware or other unsavory content.
Asa Dotzler, to his credit, has not removed links to Jesper's article from comments on his blog:
http://weblogs.mozillazine.org/asa/archives/2007/07/its_just_too_ha.html
For those people who missed it, here is Jesper's article describing the "new scenario":
http://msinfluentials.com/blogs/jesper/archive/2007/07/20/hey-mozilla-quotes-are-not-legal-in-a-url.aspx
Alun has his say:
http://msmvps.com/blogs/alunj/archive/2007/07/23/firefoxurl-part-ii.aspx
and previously:
http://msmvps.com/blogs/alunj/archive/2007/07/22/firefoxurl-url-vulnerability.aspx
As does Markellos on the IE team:
http://blogs.msdn.com/ie/archive/2007/07/18/enriching-the-web-safely-how-to-create-application-protocol-handlers.aspx
Window Snyder's blog entry that started the maelstrom (with links to Jesper's blog removed from comments):
http://blog.mozilla.com/security/2007/07/18/fix-for-windows-url-protocol-handling-problem-in-firefox-2.0.0.5/