Extremely Critical Firefox Advisory (Updated)

Discussion in 'News and Article Comments' started by syngod, Sep 21, 2005.

  1. syngod

    syngod Moderator

    Peter Zelezny has discovered a vulnerability in Firefox, which can be exploited by malicious people to compromise a user's system.

    The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within backticks in the URL provided via the command line. This can e.g. be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4).

    This vulnerability can only be exploited on Unix / Linux based environments.

    The vulnerability has been confirmed in version 1.0.6 on Fedora Core 4 and Red Hat Enterprise Linux 4. Other versions and platforms may also be affected.

    Read the advisory at Secunia.
  2. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    This sounds like a nasty bug alright, but I wouldn't say that opening one up to a user-dependent (i.e. non-automated) shell execution is all that critical, especially on a Unix system. After all, users run as totally unprivileged and have no write access to anything outside of their own home directory. It could definitely be a problem for larger organizations who use RHEL on the desktop and an email client which does not sanitize email from unknown sources, but the combination of the two plus the assumption that the local Unix/Linux admin was too dumb to mount the home partition with the noexec* flag seems like a real long shot to me.

    Just an observation,

    * - For those who may not know, mounting a partition with the noexec argument means that programs which exist on said partition are not allowed to be executed. It is considered good practice for Unix/Linux admins to mount the /home directory with the noexec variable set, so that users are not allowed to run executables from their home directories. In that way a potential attack vector is mitigated because only the root user on said system is allowed to add software. If the noexec flag was set, an arbitrary shell script attack like the one mentioned would be rendered ineffective, as it would not be allowed to execute.
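The launcher behaviour described in the advisory quoted in the first post, as an added example that is not part of the thread and is not Firefox's actual launch script: a wrapper that lets the shell parse the URL a second time, beside one that keeps it a single quoted argument, plus a check a wrapper or log review could apply. `fake_browser`, the function names and the sample URL are constructed for illustration.

```shell
#!/bin/sh
# Constructed stand-in for the browser binary: it only reports the argument it received.
fake_browser() {
    printf '%s\n' "$1"
}

# Weak pattern: the URL is spliced into a command string that the shell parses
# again, so text inside backticks is treated as command substitution.
launch_unsafe() {
    eval "fake_browser \"$1\""
}

# Hardened pattern: the URL is passed as one quoted argument and never re-parsed.
launch_safe() {
    fake_browser "$1"
}

# Defensive check: flag URLs that carry shell command-substitution syntax,
# so a wrapper can refuse them or a reviewer can spot them in logs.
url_has_substitution() {
    case $1 in
        *'`'*|*'$('*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample URL; the embedded command is a harmless echo marker.
SAMPLE_URL='http://example.invalid/`echo MARKER`'

printf 'safe launcher passes:   %s\n' "$(launch_safe "$SAMPLE_URL")"
printf 'unsafe launcher passes: %s\n' "$(launch_unsafe "$SAMPLE_URL")"
if url_has_substitution "$SAMPLE_URL"; then
    printf 'check: URL contains command-substitution syntax\n'
fi
```

The unsafe wrapper hands the browser a URL in which the backtick section has been replaced by the command's output, which shows the substitution happens inside the launcher's own shell before the browser starts.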
