CVE-2007-3670

Home/CVE/Argument injection vulnerability in Microsoft Internet Explorer, when running on systems with Firefox installed and cert

CVE

Argument injection vulnerability in Microsoft Internet Explorer, when running on systems with Firefox installed and cert

Argument injection vulnerability in Microsoft Internet Explorer, when running on systems with Firefox installed and certain URIs registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in a (1) FirefoxURL or (2) FirefoxHTML URI, which are inserted into the command line that is created when invoking firefox.exe. NOTE: it has been debated as to whether the issue is in Internet Explorer or Firefox. As of 20070711, it is CVE's opinion that IE appears to be failing to properly delimit the URL argument when invoking Firefox, and this issue could arise with other protocol handlers in IE as well.

However, Mozilla has stated that it will address the issue with a "defense in depth" fix that will "prevent IE from sending Firefox malicious data.".

MEDIUM · CVSS 4.3 EPSS 0.56595

Act now

EPSS ≥ 0.50 - high probability of exploitation in the next 30 days
EPSS percentile: top 2% of all CVEs by exploitation likelihood
Public exploit or PoC is available

Sigma rules3 YARA rules0

Look this up elsewhere - one-click external pivots

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

▸ How to read a CVE - triage first, then detect and patch

This page is every public fact about CVE-2007-3670, cross-linked. Its job is to answer one question fast - does this need my attention now? - and then hand you the two things you do about it. Here is how an analyst reads it.

Triage: should I act now? Four signals, and they are not interchangeable:

CVSSseverity - how bad it is IF exploited, 0-10. A high CVSS alone is not urgency; a flaw can be a perfect 10 and never actually be attacked. EPSSprobability - a model’s estimate of the chance it is exploited in the next 30 days, 0-1. This is the “will it actually happen” signal. CISA KEVconfirmed - it is being exploited in the wild right now. The strongest signal on the page; KEV beats any score. Weaponisedavailability - public exploits / PoCs, and especially Metasploit modules rated Excellent / Great. Reliable, packaged exploit code means low-skill attackers can use it today.

How they combine: KEV, or a dependable Metasploit module, means patch now regardless of CVSS. High CVSS + low EPSS + no exploit is real but not an emergency - schedule it. Low CVSS but KEV-listed still gets patched now. The verdict above already weighed these for you; this is how it got there.

Then what - two workflows:

Detectwhen you cannot patch today, follow this CVE to the ATT&CK techniques it enables, then Build a SIEM detection (the green button) - author a rule, test it in Atomic, deploy it. That buys visibility while the patch waits. PatchAffected products / packages tell you if you are exposed; Fixed versions by distribution and Vendor advisories give the exact version that closes it.

Reading order for the panels below: verdict + badges, then Public exploits / Metasploit (is it weaponised), then ATT&CK techniques + Sigma / IDS rules (can I detect it), then Affected products / packages + Fixed versions (am I exposed, what patches it), then Threat actors / IOCs (who uses it), then Scoring & timeline / references (the evidence).

View attack path from CVE-2007-3670

◆

ATT&CK techniques

Techniques this CVE enables - linked via CWECAPECATT&CK. High◆ = named directly in ATT&CK or Nuclei templates.

T1190 · Exploit Public-Facing Application

▤ Build a SIEM detection for these techniques

▤

CAPEC attack patterns

Attack patterns this CVE enables - the bridge from weakness to ATT&CK technique.

CAPEC-CAPEC-209 · XSS Using MIME Type Mismatch CAPEC-CAPEC-588 · DOM-Based XSS CAPEC-CAPEC-591 · Reflected XSS CAPEC-CAPEC-592 · Stored XSS CAPEC-CAPEC-63 · Cross-Site Scripting (XSS) CAPEC-CAPEC-85 · AJAX Footprinting

⬡

Weakness Classification

CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

▤

Affected Products & Versions

microsoft internet explorerall versions

mozilla firefoxall versions

⚠

Public Exploits & PoCs

These PoC and exploit links come from public sources and are not verified to be safe or functional. Review the code before running anything, and treat unverified entries as untrusted.

remoteMicrosoft Internet Explorer and Mozilla Firefox - URI Handler Command Injectionverified

pocARPSyndicate/cve-scores (trickest)

pocb9q/EAOrigin_remote_code (trickest)

◈

Sigma Hunt Rules

Exact rules name this CVE ID. Product rules name an affected product in their title. Related rules cover techniques used by actors who exploited this CVE. Showing the most relevant matches; the complete related set is on the full drill-down.

productmediumInternet Explorer DisableFirstRunCustomize Enabled

productmediumInternet Explorer Autorun Keys Modification

producthighSQLite Firefox Profile Data DB Access

▣

Scoring & Timeline

4.3

MEDIUM · CVSS v2 (legacy) · [email protected]

View on NVD

This CVE predates CVSS v3; the legacy v2 score is shown so triage still has a severity to work with.

v2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Published to NVD10 Jul 2007 · 07:30 PM

⚑

Vendor Advisories

suse-csafopenSUSE-SU-2024:14572-1
suse-csafopenSUSE-SU-2024:10600-1
suse-csafopenSUSE-SU-2024:10601-1
usnUSN-503-1

🔗

References & Sources

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

ftp://ftp.slackware.com/pub/slackware/slackware-12.0/ChangeLog.txt

http://archives.neohapsis.com/archives/fulldisclosure/2007-07/0160.html

http://blog.mozilla.com/security/2007/07/10/security-issue-in-url-protocol-handling-on-windows/

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=565

Show all 39 references

http://larholm.com/2007/07/10/internet-explorer-0day-exploit/

http://msinfluentials.com/blogs/jesper/archive/2007/07/10/blocking-the-firefox-gt-ie-0-day.aspx

http://osvdb.org/38017

http://secunia.com/advisories/25984Vendor Advisory

http://secunia.com/advisories/26096Vendor Advisory

http://secunia.com/advisories/26149Vendor Advisory

http://secunia.com/advisories/26204Vendor Advisory

http://secunia.com/advisories/26216Vendor Advisory

http://secunia.com/advisories/26258Vendor Advisory

http://secunia.com/advisories/26271Vendor Advisory

http://secunia.com/advisories/26572Vendor Advisory

http://secunia.com/advisories/28179

http://secunia.com/advisories/28363

http://support.novell.com/techcenter/psdb/07d098f99c9fe6956523beae37f32fda.html

http://www.kb.cert.org/vuls/id/358017US Government Resource

http://www.mandriva.com/security/advisories?name=MDKSA-2007:152

http://www.mozilla.org/security/announce/2007/mfsa2007-23.html

http://www.mozilla.org/security/announce/2007/mfsa2007-40.html

http://www.novell.com/linux/security/advisories/2007_49_mozilla.html

http://www.securityfocus.com/archive/1/473276/100/0/threaded

http://www.securityfocus.com/bid/24837

http://www.securitytracker.com/id?1018351

http://www.securitytracker.com/id?1018360

http://www.theregister.co.uk/2007/07/11/ie_firefox_vuln/

http://www.ubuntu.com/usn/usn-503-1

http://www.us-cert.gov/cas/techalerts/TA07-199A.htmlUS Government Resource

http://www.virusbtn.com/news/virus_news/2007/07_11.xml

http://www.vupen.com/english/advisories/2007/2473

http://www.vupen.com/english/advisories/2007/2565

http://www.vupen.com/english/advisories/2007/4272

http://www.vupen.com/english/advisories/2008/0082

http://www.xs-sniper.com/sniperscope/IE-Pwns-Firefox.html

https://exchange.xforce.ibmcloud.com/vulnerabilities/35346