While following a thread on the sla.ckers.org web application security forum about browser plugins for Firefox, I remembered a project I had worked on briefly to exploit a small issue in one of Firefox’s extensions. The problem is around how IE Tab has built-in sites to always render in IE Tab. The two default websites are http://*update.microsoft.com/ and http://www.windowsupdate.com/ for obvious reasons.
When I was first playing with this, I was thinking about it in the context of DNS tricks, but then it occurred to me yesterday that that star operator really felt exploitable (I love when people don’t really understand regex). Anyway, so in playing around with it, I realized if you just append “update.microsoft.com/” to the end of any URL string (you can use a query string or a variable that doesn’t exist in an existing query string) you can begin running Internet Explorer in your browser window without even so much as a prompt.
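An added illustration (not IE Tab's code and not from the original post) of why an unanchored `*` in a site filter matches more than a hostname, next to a matcher that parses the URL and compares only the host. The function names, the glob-to-regex translation and the `example.test` URLs are assumptions constructed for this sketch.

```javascript
// Added example: hypothetical matchers, not IE Tab's actual implementation.
const FILTER = 'http://*update.microsoft.com/'; // default filter quoted in the post

const escapeRe = (s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');

// Weak: '*' becomes '.*', which also spans '/', '?' and '=', and nothing
// ties the literal text to the host part of the URL.
function naiveMatch(pattern, url) {
  const re = new RegExp('^' + escapeRe(pattern).replace(/\*/g, '.*'));
  return re.test(url);
}

// Hardened: parse the URL, then apply the host part of the filter to the
// parsed hostname only, anchored at both ends, with '*' limited to
// hostname characters. The path must start with the filter's path.
function hostAnchoredMatch(pattern, url) {
  const m = /^(https?):\/\/([^\/]+)(\/.*)?$/.exec(pattern);
  if (!m) return false;
  let parsed;
  try { parsed = new URL(url); } catch { return false; }
  if (parsed.protocol !== m[1] + ':') return false;
  const hostRe = new RegExp(
    '^' + escapeRe(m[2]).replace(/\*/g, '[a-z0-9.-]*') + '$', 'i');
  return hostRe.test(parsed.hostname) &&
         parsed.pathname.startsWith(m[3] || '/');
}

// Constructed sample URLs (example.test is a reserved test domain).
const SAMPLES = [
  'http://update.microsoft.com/',
  'http://example.test/page?x=update.microsoft.com/',
  'http://example.test/update.microsoft.com/',
];

function compare(pattern, urls) {
  return urls.map((url) => ({
    url,
    naive: naiveMatch(pattern, url),
    hardened: hostAnchoredMatch(pattern, url),
  }));
}

console.table(compare(FILTER, SAMPLES));
```

The host-anchored version accepts only the first sample, while the naive translation accepts all three.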
Oh, but it gets better: if you ever find an XSS vulnerability in any website and you append that string to the end of the URL (CSRF) you can now run your vectors in IE space instead of Firefox, allowing you to run VBScript, ActiveX controls, and whatever else you want, without the restrictions of Firefox. Let’s take it one step further. You can actually launch XSS attacks against the target who has IE Tab with IE-specific XSS vectors and since they will automatically switch into IE mode, you can get them to run on a single redirection. Tricky, eh?
I’ve always thought that browser plugins are one of the major security flaws in Firefox but this is a weird turn of events where it’s actually a cross between Firefox, a plugin and Internet Explorer. I think the major saving grace is that only 10-20% (estimated) run Firefox and far fewer run IE Tab. Why is this any different than just running Internet Explorer outright? Well, because if you are a die-hard Firefox user you probably spend far less time trying to harden IE than die-hard IE users. I’m pretty browser agnostic, so I harden everything, but most people won’t - or don’t know how. I think I’ll uninstall IE Tab anyway.