Slashdot Mirror
MSN, Word Vulnerable To Shell: URI Exploit
LnxAddct writes "InfoWorld is reporting that a few Microsoft products are also vulnerable to the "shell:" scheme vulnerability found in Mozilla last week. These applications include Microsoft Word and MSN Messenger."
The article is short on details. Does this really work on xp sp2? I know that xp sp2 protected against the Mozilla exploit, so I would imagine the same is true here. Which would make your claim that these sorts of things are only fixed "in the open source world" seem pretty specious.
I'd rather be lucky than good.
I just tried it in Microsoft Word 2002, with XP SP1 and all of the approved hotfixes for my agency, and it restricted it just fine- wouldn't even recognize it as a hotlink.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Mac OS X' Safari had a very similar flaw, where one could use disk:// to mount a disk image, which could execute whatever it wanted to.
That flaw was fixed with the 2004-06-07 security update.
It's not as much a bug but a dumb feature.
shell:[program-name] is supposed to be a URI syntax for running any given program on the computer. Of course, this is a slightly dangerous thing to have available for any given document to trigger unannounced, but it is a rather useful feature to have if somebody wants to tell everybody on a company network how to run a program that was just installed.
It's not reasonable at all, if I understand the nature of the shell: exploit in Mozilla.
shell: is handled by Windows itself. The browser simply passed the URI on to be dealt with, as Microsoft programmers intended.
Although there were concerns about allowing the browser to hand off unrecognized URIs to the underlying operating system two years ago, this particular exploit was recognized and patched within a day, by preventing Mozilla from passing shell: stuff on.
Basically, it's an exploitable Windows function that could be accessed through Mozilla and other programs written to allow such things.
Another successful shot in the foot from Redmond.
Someday, you're going to die. Get over it.
According to newsforge, it took "barely a day" for Mozilla to release new builds and patches.
Actually, it was their source that was the root of the problem in the first place. The whole "shell" thing is only in windows, unfortunately the article titles lead people to believe that it is a problem with Mozilla across all platforms, when in reality it only affects those running on a Windows platform.
While bug 250180 is pretty new, bug 163767 is ancient (08-2002) and describes the same problem, although being a bit more generic. I wouldnt shout too loud about fast bugfixing in OSS in this particular case. Although the bug is more a bug of Windows broken-by-design handling of URIs it still should have been fixed (or the features needed for the bug to work should have been disabled by default.)
More like 2 years . The origional bug relating to handing off unhandled URI's to the OS goes back that far. It kept getting marked as "will not fix" because it was a stupid architectural decision that some of the guys at Netscape made. The decision was made recently to switch from a blacklist system to a whitelist system. This happened to coincide with lots of people switching to FireFox for security reasons and all of the sudden there was a patch to change the default behavior.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
I'm the one who posted this message to Full Disclosure. I was too lazy to test all popular e-mail clients, IM clients, word processors, etc. that run on Windows, so I posted after finding only two vulnerable programs. Who wants to help?
All you have to do is see if your programs accept links to shell:windows\notepad.exe. If clicking the link launches Notepad, it's vulnerable. If there's a warning dialog, it's somewhat vulnerable, depending on the wording of the dialog.
The shareholder is always right.
Considering it doesn't allow you to pass parameters as mentioned by the article, all of that would be very hard to accomplish.
-]Phreak Out[-
Microsoft Word 2003 w/Latest Updates.
Insert > Hyperlink
shell:explorer.exe (path should be unneccessary, tried shell:windows\explorer.exe as well)
Critical Error Dialog pops up
Opening "shell:explorer.exe"
Hyperlinks can be harmful to your computer and data. To protect your computer, click only those hyperlinks from trusted sources. Do you want to continue?
Yes | No
Pressed Yes and nothing to happened.
That's not quite accurate. The disk:// protocol was a part of the exploit, but that protocol did not allow a website to run anything - only to auto-mount a disk or disk image.
The real threat was the fact that programs could auto-register a new protocol that would be "handled" by a program contained within said disk image. Linking to exploit:// (as an example) would then launch the program that had registered itself as the handler for the made-up protocol. Thus, clicking on a link would run the program.
In any case, that Security Update did indeed fix it by asking the user the first time a new protocol's handler was added.
I've got more mod points and GMail invi
The Xine maintainers, who must all be insane,
have a project that's been stable for years and it hasn't hit 1.0 yet.
It's worth noting that, technically, Emacs hasn't gone 1.0 yet either. The version is really 0.21 - it's just that they've been in the minor version numbers for so long now nobody refers to it that way anymore. Is Emacs incomplete? Lacking functionality perhaps? Apparently yes.
Jedidiah.
Craft Beer Programming T-shirts
Yes.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
For you information, SP2 beta can be only installed on ENGLISH (or german) version of Windows XP (pro). I am running finnish languaged Home edition and haven't been able to test SP2 because of that.
No, mozilla / IE / MSN / Word are NOT asking the Windows to "execute this program" they are asking Windows to "handle this URI I don't know what to do with"
it is only after a long journey that you know the strength of the horse.
There's an explanation here of how it could be used to exploit buffer overflows in apps.
No. It's saying "I have a URI I don't know what to do with." This is how non-http URI's work to launch external views such as real player with RTSP:// and such.
Creating a URI handler to execute shell commands is boneheaded. The Mozilla guys knew this but MS failed to fix it. And now we have more MS apps that don't work around this stupid thing. Any guess as to how much other software doesn't block access to this massive windows security hole?
About the only thing the Mozilla team did wrong is underestimate the stupidity of MS.
Uh, I've been doing it for IE and MSN Messenger for the past few weeks - since I was forced to switch from W2K to Windows XP at work.
/savecred /env /user:veryrestricteduser "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
/env (use current user's environment) what you need to do is allow the restricted user write access to your IE required directories- e.g. Favorites, Cookies, Local Settings.
/env and run IE in the veryrestricteduser's environment and allow your normal user read access (and probably write access) to the veryrestricteduser's environment/profile. Then you don't have to allow the veryrestricteduser access to your normal user's directories. The more finely grained ACLs on Windows NTFS could make certain things more convenient.
/savecred on Win2K, so you need to enter the password everytime you launch the shortcut for Win2K or WinXP Home. Savecred works on WinXP Pro.
Create a user called veryrestricteduser and put it in a new morerestricted group and remove it from the Users group. I made the filesystem permissions more restrictive for members of that morerestricted group - so they can't even list files in c:\ only traverse it.
My shortcut for IE is:
C:\WINDOWS\system32\runas.exe
Because of the
Alternatively you could remove the
The latter method is probably safer, but doesn't allow you to share Favorites and Cookies when you do want to browse as your normal user for whatever reason.
You'll probably want to change the icon back to one of the IE icons.
The runas thing is klunkier than setuid and you can't do
If you don't trust other applications I think you can do a similar things with them. For stuff that you really cannot trust, you should run them on a VMware VM or a separate machine.
Yeah, "NO other platform has this particular security hole"... um... yeah... except that the underlying cause of the hole is the same problem that exists with the OSX URI handling code, and thus, every single MacOS browser was exploitable by this type of "feature" until Apple fixed the real problem.
I am unamerican, and proud of it!