The advisory mentions that combining this with a BoF can result in remote code execution, but they totally forget to mention that formatstring exploits, integeroverflows, XSS, SQL injection, etc... might cause the same problems too. I bet they just read FD and didn't think for themselves. As far as I can see, this bug allows an attacker to remotely abuse any vulnerability a local program might be subject to, thus making any local exploit a possible remote exploit.
Cheers, SkyLined ----- Original Message ----- From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, July 09, 2004 00:36 Subject: [Full-Disclosure] Mozilla Security Advisory 2004-07-08 > Mozilla Security Advisory > July 7, 2004 > > Summary: Windows shell: scheme exposed in Mozilla > Products: Mozilla (Suite) > Mozilla Firefox > Mozilla Thunderbird > Fixed in: Mozilla (Suite) 1.7.1 > Mozilla Firefox 0.9.2 > Mozilla Thunderbird 0.7.2 > > > Description: > Windows versions of Mozilla products pass URIs using the shell: scheme > to the OS for handling. The effects depend on the version of windows, > but on Windows XP it is possible to launch executables in known > locations or the default handlers for file extensions. It could be > possible to combine this effect with a known buffer overrun in one > of these programs to create a remote execution exploit, although > at this time we have confirmed only denial-of-service type attacks > (including crashing the system in some cases). > > Solution: > We urge people to install the patch available on mozilla.org or > install the latest version of the software. > > http://www.mozilla.org/security/shell.html > > -Dan Veditz > Mozilla Security Group > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html