SillyDog701

[Ramona]

Thunderbird 2.0.0.5 should be released soon...

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5pre) Gecko/20070710 Firefox/2.0.0.4 Navigator/9.0b2

[Gregor]

I use Firefox for browsing exclusivelly, just as recommended by Mozilla.
It is interesting that this critical flaw has been unpached since 1994:
Quote from SecurityFokus:

Description : Protocol Handler allow arbitrary switch to be passed to the
associated program.<BR>

Exploit :

The protocol handler are defined in HKEY_CLASSES_ROOT. We will use the MMS
protocol for this exemple. In the HKEY_CLASSES_ROOT\MMS\SHELL\OPEN\COMMAND
Registry key you can see that the program associated with the MMS protocol
is called through "C:\Program Files\Windows Media Player\wmplayer.exe" "%L".
(In this cases, this is windows media player).

Now if we pass in to IE this string mms:\\."%20/layout%20c , the "%L" in the
handler will now be "." /layout c".
The /layout switch will open windows media player in Skin Mode.

<A HREF=mms:\\."%20/layout%20c>TRY IT</A>

Of course, the vulnerability is not to open WMP in Skin Mode but it reside
in the hability to pass extra command line switches where only one should be
accepted.

Nicolas Robillard, GSEC
Information Security Advisor, Systems Security Group
Global Information Technologies, SNC-LAVALIN INC.
Tel : (514) 393-8000 Ext. 6289
455 René-Lévesque Blvd. West, Montreal (QC), Canada H2Z 1Z3

And to add: Firefox is not the only application which can be called with Protocol handler!
Quote from Larholm:

However, I can still automatically launch a wide range of external applications from Internet Explorer and provide them with arbitrary command line arguments. AcroRd32.exe (Adobe Acrobat PDF Reader), aim.exe (AOL Instant Messenger), Outlook.exe, msimn.exe (Outlook Express), netmeeting.exe, HelpCtr.exe (Windows Help Center), mirc.exe, Skype.exe, wab.exe (Windows Address Book) and wmplayer.exe (Windows Media Player) - just to name a few

So, IMHO the one to blame is Microsoft Corporation. Their statement that Microsoft has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product.
But If you look when this generic flaw has been discovered than ...

The following reply to Thor`s article by Harry Johnston, convinced me (my mind):

I’ve already mentioned this in a reply to another user’s comment on your earlier post, but I think it’s worth making a stronger point about it as a lot of people don’t seem to realize this:-

STD66 requires that all URIs (hence URLs) consist of only a limited set of characters. The quote mark is not in this set; hence a URL with a quote mark is inherently illegal, regardless of the scheme. (Of course a quote mark can be included if it is properly encoded.)

IE doesn’t need to know the detailed syntax of every registered URL scheme. But it should know - and enforce - the restrictions that apply to all URLs!

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5