For those of you who might not yet be aware, the latest versions of Firefox, Thunderbird and SeaMonkey are out to address a security problem with unescaped URIs that are passed to external programs.

Jesper Johansson pointed out that Mozilla did not percent-encode spaces and double-quotes in URIs handed off to external programs for handling, which can cause the receiving program to mistakenly interpret a single URI as multiple arguments. The danger depends on the arguments supported by the specific receiving program, though at the very least we know Firefox (and Thunderbird) 2.0.0.4 and older could be used to run arbitrary script (see MFSA 2007-23). The vast majority of programs do not have dangerous arguments, though many could still be made to do something unexpected.

A similar issue with URIs passed to external handlers was reported by Billy Rios and Nate McFeters. When running Firefox on Windows XP with IE7 installed, URIs for certain common protocols (such as mailto:) that contain a %00 do not launch the protocol handler registered for that scheme but instead launch a file handling program based on the file extension at the end of the URI. Coupled with the issue reported by Jesper Johansson this appears to allow execution of any program installed at a known location and limited argument passing that might be enough to exploit a system.
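The argument-splitting effect described above, and the effect of percent-encoding spaces and double quotes before hand-off, as an added example that is not Mozilla's code. The handler name, its switch and the sample URI are constructed, `shlex` stands in for a quote-aware command-line parser, and rejecting `%00` outright is an assumed policy for this sketch.

```python
import shlex

# The two characters the advisory says were passed through unencoded.
# Encoding them keeps the URI a single token inside the handler's quotes.
_MUST_ENCODE = {" ": "%20", '"': "%22"}


def escape_for_handler(uri):
    """Percent-encode spaces and double quotes; refuse embedded NULs."""
    # Assumed policy: a literal or encoded NUL never reaches a handler.
    if "\x00" in uri or "%00" in uri:
        raise ValueError("URI contains a literal or encoded NUL")
    return "".join(_MUST_ENCODE.get(ch, ch) for ch in uri)


def handler_argv(template, uri):
    """Substitute the URI for %1 in a handler command template and split
    the result the way a quote-aware command-line parser would."""
    return shlex.split(template.replace("%1", uri))


# Constructed sample data: hypothetical handler and switch names.
TEMPLATE = 'mailhandler "%1"'
CRAFTED = 'mailto:user@example.test" --hypothetical-switch "value'


def demo():
    """Return the argv the handler sees without and with escaping."""
    raw = handler_argv(TEMPLATE, CRAFTED)
    safe = handler_argv(TEMPLATE, escape_for_handler(CRAFTED))
    return raw, safe


if __name__ == "__main__":
    raw, safe = demo()
    print("unescaped:", raw)   # URI closes the quote, extra arguments appear
    print("escaped:  ", safe)  # URI stays one argument
```
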
