Slashdot Mirror
MSN, Word Vulnerable To Shell: URI Exploit
LnxAddct writes "InfoWorld is reporting that a few Microsoft products are also vulnerable to the "shell:" scheme vulnerability found in Mozilla last week. These applications include Microsoft Word and MSN Messenger."
The article is short on details. Does this really work on xp sp2? I know that xp sp2 protected against the Mozilla exploit, so I would imagine the same is true here. Which would make your claim that these sorts of things are only fixed "in the open source world" seem pretty specious.
I'd rather be lucky than good.
I just tried it in Microsoft Word 2002, with XP SP1 and all of the approved hotfixes for my agency, and it restricted it just fine- wouldn't even recognize it as a hotlink.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Mac OS X' Safari had a very similar flaw, where one could use disk:// to mount a disk image, which could execute whatever it wanted to.
That flaw was fixed with the 2004-06-07 security update.
It's not as much a bug but a dumb feature.
shell:[program-name] is supposed to be a URI syntax for running any given program on the computer. Of course, this is a slightly dangerous thing to have available for any given document to trigger unannounced, but it is a rather useful feature to have if somebody wants to tell everybody on a company network how to run a program that was just installed.
According to newsforge, it took "barely a day" for Mozilla to release new builds and patches.
Actually, it was their source that was the root of the problem in the first place. The whole "shell" thing is only in windows, unfortunately the article titles lead people to believe that it is a problem with Mozilla across all platforms, when in reality it only affects those running on a Windows platform.
More like 2 years . The origional bug relating to handing off unhandled URI's to the OS goes back that far. It kept getting marked as "will not fix" because it was a stupid architectural decision that some of the guys at Netscape made. The decision was made recently to switch from a blacklist system to a whitelist system. This happened to coincide with lots of people switching to FireFox for security reasons and all of the sudden there was a patch to change the default behavior.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
I'm the one who posted this message to Full Disclosure. I was too lazy to test all popular e-mail clients, IM clients, word processors, etc. that run on Windows, so I posted after finding only two vulnerable programs. Who wants to help?
All you have to do is see if your programs accept links to shell:windows\notepad.exe. If clicking the link launches Notepad, it's vulnerable. If there's a warning dialog, it's somewhat vulnerable, depending on the wording of the dialog.
The shareholder is always right.
Microsoft Word 2003 w/Latest Updates.
Insert > Hyperlink
shell:explorer.exe (path should be unneccessary, tried shell:windows\explorer.exe as well)
Critical Error Dialog pops up
Opening "shell:explorer.exe"
Hyperlinks can be harmful to your computer and data. To protect your computer, click only those hyperlinks from trusted sources. Do you want to continue?
Yes | No
Pressed Yes and nothing to happened.
That's not quite accurate. The disk:// protocol was a part of the exploit, but that protocol did not allow a website to run anything - only to auto-mount a disk or disk image.
The real threat was the fact that programs could auto-register a new protocol that would be "handled" by a program contained within said disk image. Linking to exploit:// (as an example) would then launch the program that had registered itself as the handler for the made-up protocol. Thus, clicking on a link would run the program.
In any case, that Security Update did indeed fix it by asking the user the first time a new protocol's handler was added.
I've got more mod points and GMail invi
No. It's saying "I have a URI I don't know what to do with." This is how non-http URI's work to launch external views such as real player with RTSP:// and such.
Creating a URI handler to execute shell commands is boneheaded. The Mozilla guys knew this but MS failed to fix it. And now we have more MS apps that don't work around this stupid thing. Any guess as to how much other software doesn't block access to this massive windows security hole?
About the only thing the Mozilla team did wrong is underestimate the stupidity of MS.
Uh, I've been doing it for IE and MSN Messenger for the past few weeks - since I was forced to switch from W2K to Windows XP at work.
/savecred /env /user:veryrestricteduser "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
/env (use current user's environment) what you need to do is allow the restricted user write access to your IE required directories- e.g. Favorites, Cookies, Local Settings.
/env and run IE in the veryrestricteduser's environment and allow your normal user read access (and probably write access) to the veryrestricteduser's environment/profile. Then you don't have to allow the veryrestricteduser access to your normal user's directories. The more finely grained ACLs on Windows NTFS could make certain things more convenient.
/savecred on Win2K, so you need to enter the password everytime you launch the shortcut for Win2K or WinXP Home. Savecred works on WinXP Pro.
Create a user called veryrestricteduser and put it in a new morerestricted group and remove it from the Users group. I made the filesystem permissions more restrictive for members of that morerestricted group - so they can't even list files in c:\ only traverse it.
My shortcut for IE is:
C:\WINDOWS\system32\runas.exe
Because of the
Alternatively you could remove the
The latter method is probably safer, but doesn't allow you to share Favorites and Cookies when you do want to browse as your normal user for whatever reason.
You'll probably want to change the icon back to one of the IE icons.
The runas thing is klunkier than setuid and you can't do
If you don't trust other applications I think you can do a similar things with them. For stuff that you really cannot trust, you should run them on a VMware VM or a separate machine.