By now, I’m sure most Mac users are aware of the significant Safari security vulnerability which allows the “disk” and “help” protocols to be used in concert to execute arbitrary code on your machine after being automatically downloaded from any arbitrary website. In fact, the “disk” protocol is not even necessary; you can simply use the “help” protocol to execute commands which clicking on this link demonstrates (don’t worry — it will just run the uptime command, but I think it makes a pretty potent point).
So far, Safari has been taking all the heat, but this morning, I discovered that Firefox is vulnerable, as well. Since I use Firefox rather than Safari, I thought I could click on an example of the exploit, and simply download the code for inspection, however imagine my surprise when the code actually executed! (Firefox users, click on the link above to verify.) I immediately set out to find a way to protect Firefox from such attacks.
The solution I came up with seems to work perfectly so far, only takes a few seconds to implement, and doesn’t require installing any third-party software as other solutions I’ve seen do:
- Go to /Applications/Firefox.app/Contents/MacOS/chrome
- Open all.js in any text editor, though preferably vim.
- Search for the term “protocol-handler”.
Under the two lines addressing “mailto” and “news”, add the following lines of code:
pref(“network.protocol-handler.external.help” , false); // disable help protocol
pref(“network.protocol-handler.external.disk” , false); // disable disk protocol
- Restart Firefox.
- Open up this blog entry again and notice that the link to the example exploit no longer works. I have checked three different example exploits (two of which use meta refresh tags rather than direct links), and none of them worked once the code above had been inserted.
Please pass this information along to other Mac/Firefox users. If you’re a Safari user, now is a good time to switch to a secure version of Firefox. If you find any issues with this change, simply back it out and let me know, though so far, it seems to work perfectly.
Note that this fix has only been tested with version .8 of Firefox.