Mozilla has just released Firefox 2.0.0.5, which purportedly fixes one of the attack vectors of the Internet Explorer input validation flaw that I previously detailed. I will go on the record as stating that this does not actually fix the flaw in Internet Explorer, but simply patches one of its myriad attack vectors.

As can be seen from the release notes this update fixes 8 different security vulnerabilities. The security update in question is MFSA 2007-23, which has the following choice quote:

Note: Other Windows applications can be called in this way and also manipulated to execute malicious code. This fix only prevents Firefox and Thunderbird from accepting bad data. This patch does not fix the vulnerability in Internet Explorer.

That is the official stance from the Mozilla Corporation, which matches my own assessment. You might remember that there was some controversy about who was to blame. I blamed Microsoft, Secunia blamed Mozilla, Mozilla blamed Microsoft and Microsoft blamed no one in particular, simply stating that it “is not a vulnerability in a Microsoft product”.

I can definitely understand the initial reaction from Microsoft. Most of the emphasis in the public vulnerability reports was on Firefox, the -chrome command line argument and how to properly escape the exploit code.

However, I can still automatically launch a wide range of external applications from Internet Explorer and provide them with arbitrary command line arguments. AcroRd32.exe (Adobe Acrobat PDF Reader), aim.exe (AOL Instant Messenger), Outlook.exe, msimn.exe (Outlook Express), netmeeting.exe, HelpCtr.exe (Windows Help Center), mirc.exe, Skype.exe, wab.exe (Windows Address Book) and wmplayer.exe (Windows Media Player) – just to name a few :)

I can categorically deny that this flaw has been fixed in Internet Explorer. Nicolas Robillard even detailed this flaw back in 2004 and it has remained unpatched since long before then.

The only thing that is changing as time goes by is the exploration of new attack vectors, which simply means investigating the various command line arguments that each of the above processes will accept in order to execute code. As soon as a new attack vector is uncovered, a new exploit can be produced to automatically execute code through Internet Explorer.
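The Mozilla fix quoted above works on the receiving side: the registered application stops accepting bad data rather than relying on the browser to pass a clean URI. The following is an added illustration of that defensive check, not code from Mozilla or from any of the applications named in this post. It assumes a hypothetical handler registered for a scheme called `myapp` and uses constructed sample inputs; a real handler would run `handler_args_ok` over `sys.argv[1:]` before doing anything with the URI.

```python
import re
from urllib.parse import urlsplit

# Characters RFC 3986 permits to appear literally in a URI
# (unreserved + reserved + the '%' that introduces an escape).
# Anything else (double quotes, spaces, control characters) is
# exactly the kind of data a handler should refuse.
_URI_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")
_PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def is_well_formed_uri(text: str) -> bool:
    """True only if every character is URI-legal and every '%' is a valid %XX escape."""
    if not _URI_CHARS.match(text):
        return False
    # Remove well-formed escapes; any '%' left over is malformed.
    return "%" not in _PCT_ESCAPE.sub("", text)


def accept_protocol_argument(arg: str, scheme: str) -> bool:
    """Accept a single URI argument for the scheme this handler registered, nothing else."""
    if not is_well_formed_uri(arg):
        return False
    try:
        parts = urlsplit(arg)
    except ValueError:
        # urlsplit rejects things like unbalanced IPv6 brackets; treat as bad data.
        return False
    return parts.scheme.lower() == scheme.lower()


def handler_args_ok(argv: list[str], scheme: str) -> bool:
    """A protocol handler should receive exactly one argument: the URI.

    Extra entries in argv mean the caller (or an unescaped quote in the URI)
    smuggled additional command line switches into the launch; refuse them.
    """
    return len(argv) == 1 and accept_protocol_argument(argv[0], scheme)


if __name__ == "__main__":
    # Constructed sample launches a handler might see (hypothetical scheme 'myapp').
    samples = [
        ["myapp://example.invalid/item?id=42"],          # clean launch
        ['myapp://x" --injected-flag "'],                # quote and space inside the URI
        ["myapp://x%zz"],                                # malformed percent escape
        ["http://example.invalid/"],                     # wrong scheme for this handler
        ["myapp://a/b", "--injected-flag", "payload"],   # extra switches after the URI
    ]
    for argv in samples:
        print(f"{argv!r}: {'accepted' if handler_args_ok(argv, 'myapp') else 'rejected'}")
```

The scheme comparison matters as much as the character check: a handler that trusts whatever URI it is given will happily act on data meant for a different application. Rejecting rather than sanitising is the safer choice here, because the handler cannot know what an unexpected quote or switch was intended to do.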

That reminds me, outlook.exe is an interesting application to pick apart… ;)