The Mozilla Foundation has issued patches for a flaw in its browsers that could allow an attacker to execute existing applications on a Windows XP machine. Researchers have also discovered a bug in Opera Software's browser that could be exploited to make users falsely believe they are visiting a trusted website, such as a banking site.
The bugs in Mozilla and Opera, which together account for about five percent of browser users, follow on the heels of a string of Internet Explorer attacks that appear to be convincing many users to explore IE's alternatives.
After some security vendors suggested switching browsers as one form of protection from the latest bugs, Mozilla and Opera have experienced a huge jump in downloads, the vendors say. Security experts caution that non-IE browsers are subject to some of the same vulnerabilities as Microsoft's browser, but concede that the alternatives probably are safer.
The Mozilla flaw was publicised on public security mailing list Full Disclosure on Wednesday, along with a link to Mozilla's fix. The group released updated versions of the Mozilla Application Suite, Firefox and Thunderbird fixing the problem, and on Thursday released a small download that eliminates the bug by reconfiguring the affected software.
"We have confirmed that the bug affects only users of Microsoft's Windows operating system. The issue does not affect Linux or Macintosh users," Mozilla said in its advisory, which also contains instructions on patching affected systems.
The bug is caused by the way Windows XP implements the "shell:" URI handler and the fact that Mozilla doesn't restrict access to the handler. The flaw means that an attacker could invoke an existing application on Windows XP via the browser, though the attack would be limited by an inability to pass parameters along to the application, according to an advisory from security firm Secunia.
An additional level of threat comes from the fact that some applications contain flaws that could potentially be exploited to run malicious code on the target PC, Secunia said. Mozilla's fix disables the use of the "shell:" handler. The flaw's discovery is attributed to Joshua Perrymon and Andreas Sandblad. "The shell: URI handler is inherently insecure and should only be accessed from a few trusted sites - or not from a browser at all," Secunia said. "Multiple exploits in Internet Explorer also utilise 'shell:' functionality."
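The restriction Secunia describes can be sketched as a default-deny scheme policy applied before a link is handed to an operating-system handler. This is an added example, not Mozilla's code or its patch; the scheme lists, function names and sample links are assumptions made for illustration.

```javascript
// Added example, not Mozilla's code. The scheme lists below are assumptions.

// Schemes the browser renders itself.
const INTERNAL_SCHEMES = new Set(["http", "https", "ftp", "about"]);
// Schemes allowed to reach an operating-system handler (assumed policy).
const EXTERNAL_ALLOWED = new Set(["mailto"]);

// Normalise the way URL parsers do before reading the scheme: strip
// leading/trailing control characters and spaces, drop tab/CR/LF anywhere,
// and lower-case the result, so "SHELL:" or "sh\nell:" cannot slip past.
function extractScheme(raw) {
  const cleaned = String(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\r\n]/g, "");
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Decide what happens to a link. Anything not explicitly listed is blocked,
// which covers "shell:" as well as handlers nobody has reviewed yet.
function decideLink(raw) {
  const scheme = extractScheme(raw);
  if (scheme === null) return { scheme, action: "resolve-relative" };
  if (INTERNAL_SCHEMES.has(scheme)) return { scheme, action: "load-in-browser" };
  if (EXTERNAL_ALLOWED.has(scheme)) return { scheme, action: "hand-to-os" };
  return { scheme, action: "block" };
}

// Constructed sample links, as they might appear in a page's href attributes.
const SAMPLE_LINKS = [
  "https://bank.example/login",
  "mailto:support@bank.example",
  "shell:constructed-target",
  "  SHELL:constructed-target",
  "sh\nell:constructed-target",
  "unregistered-handler:anything",
  "help/index.html",
];

// Return the links the policy refuses to pass on.
function blockedLinks(links) {
  return links.filter((l) => decideLink(l).action === "block");
}

console.log(blockedLinks(SAMPLE_LINKS).map((l) => JSON.stringify(l)).join("\n"));
```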
The Opera bug, publicised by security firms on Thursday, could allow the browser to appear to be displaying a trusted site while actually displaying a malicious one, for example to trick a user into giving up his bank login information - a type of exploit known as phishing.
The problem is that the browser displays the URL before actually loading a page. In a proof-of-concept exploit released on the Web, the user clicks on a link leading to a trusted site such as a bank, and the bank's URL is displayed - but the browser is set in an endless loop that prevents it from actually loading the page. Meanwhile, in an invisible frame, the browser loads another page that could be a malicious duplicate of the bank's site.
The recent IE exploits were exceptionally serious because they were found in the wild, rather than just existing as proofs of concept, analysts say. However, alternative browsers aren't necessarily immune from such attacks. For example, one attack used Microsoft's powerful ActiveX scripting technology, which isn't supported by Opera or Mozilla. However, those browsers, along with Apple's Safari, will soon support a similarly powerful, cross-platform scripting technology, raising the question of how they will deal with any accompanying security concerns. Another attack involved IE's Browser Help Objects (BHOs) - but other browsers have their own BHO equivalents, though these haven't been exploited.
Some features implemented on all browsers are now being reconsidered as security holes; BHOs are one. Another allows one Web page to load arbitrary content into a frame of another page; this could allow an attacker to, for example, substitute his own login window on a bank's website, according to a Secunia advisory issued last week. The feature is found in IE, Mozilla, Opera, Safari and Mozilla derivatives such as Konqueror, and has been around for six years.
"We believe that it is important that Microsoft and the other vendors seriously consider the minor gains from such 'functionality' against the possible consequences for their customers," said Secunia CTO Thomas Kristensen. "In our opinion, this is a vulnerability and should be treated as such, whether the vendors implemented this intentionally or not."
Some browser vendors agreed: Mozilla and Firefox were updated two weeks ago to remove the feature, and Microsoft said it is considering blocking the feature with the release of Windows XP Service Pack 2.
In the bigger picture, however, other browsers clearly have far fewer security issues than IE, according to security experts. A database collating advisories from various sources has collected 54 vulnerability advisories for IE 6.x during 2003 and 2004, 42 percent of which were "highly critical" or "extremely critical", and 32 percent of which granted system access. Opera 7.x had 26 bugs, 17 percent of which were highly or extremely critical, and Mozilla 1.3 and later had a total of 12 advisories, none of which were more than moderately critical.
"While other browsers also have problems, it seems evident that vulnerabilities are a bit more frequent and serious in IE," said Secunia's Kristensen.