It’s Not Just Safari That’s Vulnerable

By now, I’m sure most Mac users are aware of the significant Safari security vulnerability which allows the “disk” and “help” protocols to be used in concert to execute arbitrary code on your machine after being automatically downloaded from any arbitrary website. In fact, the “disk” protocol is not even necessary; you can simply use the “help” protocol to execute commands, which clicking on this link demonstrates (don’t worry — it will just run the uptime command, but I think it makes a pretty potent point).

So far, Safari has been taking all the heat, but this morning, I discovered that Firefox is vulnerable as well. Since I use Firefox rather than Safari, I thought I could click on an example of the exploit and simply download the code for inspection; however, imagine my surprise when the code actually executed! (Firefox users, click on the link above to verify.) I immediately set out to find a way to protect Firefox from such attacks.

The solution I came up with seems to work perfectly so far, only takes a few seconds to implement, and doesn’t require installing any third-party software as other solutions I’ve seen do:

  1. Go to /Applications/Firefox.app/Contents/MacOS/chrome
  2. Open all.js in any text editor, though preferably vim. 🙂
  3. Search for the term “protocol-handler”.
  4. Under the two lines addressing “mailto” and “news”, add the following lines of code:

    pref("network.protocol-handler.external.help", false); // disable help protocol
    pref("network.protocol-handler.external.disk", false); // disable disk protocol

  5. Restart Firefox.
  6. Open up this blog entry again and notice that the link to the example exploit no longer works. I have checked three different example exploits (two of which use meta refresh tags rather than direct links), and none of them worked once the code above had been inserted.
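
The steps above as a script, added here as an example and not part of the original post: it locates all.js with find (the file's path inside the bundle can differ between builds), backs it up once, and adds each pref under the existing "news" entry only if it is missing. The function names are hypothetical, and the script assumes you have write access to the application bundle.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's two prefs to
# every all.js inside a Firefox.app bundle. Idempotent; keeps a .bak copy.

# List every all.js under bundle directory $1 (its location varies by build).
find_all_js() {
    find "$1" -type f -name all.js
}

# Succeed if file $1 already sets the external handler for protocol $2 to false.
has_pref() {
    grep -Eq "^[[:space:]]*pref\(\"network\.protocol-handler\.external\.$2\"[[:space:]]*,[[:space:]]*false\)" "$1"
}

# Insert the pref for protocol $2 into file $1, directly under the existing
# "news" entry as the post instructs, or at the end of the file if there is none.
add_pref() {
    line="pref(\"network.protocol-handler.external.$2\", false);"
    awk -v add="$line" '
        { print }
        /network\.protocol-handler\.external\.news/ && !done { print add; done = 1 }
        END { if (!done) print add }
    ' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Harden every all.js under bundle $1; returns 1 if no all.js was found.
harden_bundle() {
    files=$(find_all_js "$1")
    [ -n "$files" ] || { echo "no all.js found under $1" >&2; return 1; }
    echo "$files" | while IFS= read -r f; do
        [ -e "$f.bak" ] || cp -p "$f" "$f.bak"   # back up once, before any edit
        for proto in help disk; do
            if has_pref "$f" "$proto"; then
                echo "ok:    $proto already disabled in $f"
            else
                add_pref "$f" "$proto" && echo "fixed: $proto disabled in $f"
            fi
        done
    done
}

# Run only when a bundle path is given, e.g. sh script.sh /Applications/Firefox.app
[ $# -eq 0 ] || harden_bundle "$1"
```

Running it a second time reports both protocols as already disabled and changes nothing; restoring the .bak file backs the change out.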

Please pass this information along to other Mac/Firefox users. If you’re a Safari user, now is a good time to switch to a secure version of Firefox. If you find any issues with this change, simply back it out and let me know, though so far, it seems to work perfectly.

Note that this fix has only been tested with version .8 of Firefox.

7 Responses to It’s Not Just Safari That’s Vulnerable

  1. Josh Dura says:

    Great tip Christian, THANKS!

  2. David says:

    I may be stating the obvious here but…I’m using Firefox 0.8 on Windows XP and your sample demonstration link, when clicked, pops up a “help is not a registered protocol” alert.

  3. I guess I should clarify that this is a Mac only issue.

  4. Jim says:

    My Firefox does not have an all.js at the location you mention.

  5. What version of Firefox are you running?

    Also, try going to “/Applications/Firefox.app” and typing “find . -name all.js”. What’s the output?

    Christian

  6. I may be off here…

    I think that the preferred method for fixing this would be to modify your own (“~/Library…”) preferences rather than going into the application package.

    The supported method for this is to go to the pseudo-URL:

    about:config

    This shows you all of the preferences in effect for your account, and you can modify them more easily in this window.

    Note: I’m on Mac OS X running the nightly build from yesterday, and this pref is already “false”.

  7. quiksan says:

    Jim, I didn’t have all.js in that location either. Here’s where I found it though:

    /Applications/Firefox.app/Contents/MacOS/defaults/pref/all.js

    Haven’t continued the rest of the steps yet, but wanted to post that.