Medium risk vulnerability patched by Mozilla – but not Google or Microsoft
Security researchers at Fortinet claim to have uncovered a series of information disclosure vulnerabilities affecting three of the most widely used browsers on the web – Google Chrome, Mozilla Firefox, and Microsoft Edge.
The medium severity flaws affect both Windows and Linux systems and stem from leaking URL/protocol handlers.
Mozilla have patched the vulnerability in Firefox (identified as CVE-2020-15680) but neither Microsoft nor Google plan to follow suit.
A write up of the vulnerability, which effects Firefox prior to version 82, explains: "If a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size of a non-existent protocol handler.
“This allowed an attacker to successfully probe whether an external protocol handler was registered.”
Independent experts consider the flaws as of moderate severity at worst, so the interest in the bugs stems more from the wide scope for potential mischief they represent, rather than their severity.
According to Fortinet, the two vulnerabilities might be leveraged to leak out information about a vast range of installed applications, including the presence of security products on targeted systems.
As such, the security weaknesses might be useful for attack reconnaissance, offering insight to both penetration testers and potential attackers alike.
“When browsers are enabling the interaction with other applications through URL handlers, they may be easing the engagement with third party software, but they also enable a wider attack surface by giving the attacker a chance to attack the user through other applications,” a blog post by Fortinet explains.
“While Microsoft and Google currently don’t consider it a security issue, we believe that being able to expose the presence of other software, including security software, on targeted devices should be prevented.”
Rotem Kerner, one of the security researchers, told The Daily Swig that the flaws allow a potential attacker to determine what endpoint protection a target machine is running and more.
Kerner said: “How about being able to determine if a target machine is running an endpoint protection/av or being able to remotely detect a wide range of installed apps like music players, IDE, office applications, crypto-mining, browsers, mail applications, antivirus, video conferencing, virtualizations, database clients, version control clients, chat clients, voice conferencing.”
Gareth Heyes, a security researcher at PortSwigger, the parent company of The Daily Swig, said that the bugs were of only modest severity.
“The Firefox bug is better because you can brute force a lot of different handlers,” Heyes commented.
“It could be useful in an exploit chain where you need to exploit different applications installed on a victim’s system and you could use these techniques to find out what applications are installed.”