MSN, Word Vulnerable To Shell: URI Exploit
LnxAddct writes "InfoWorld is reporting that a few Microsoft products are also vulnerable to the "shell:" scheme vulnerability found in Mozilla last week. These applications include Microsoft Word and MSN Messenger."
Well now, let's see how long it takes for their patch to come out.
Anyone know if Word 2004 for OSX is safe from the URI exploit? I know that the Macs have been having trouble with the URI exploit over the past few months, based on some articles I've read at macslash.
Aj
GroupShares Inc. - A Free and Interactive Stock Market Community
-------
artlu.net
The article is short on details. Does this really work on xp sp2? I know that xp sp2 protected against the Mozilla exploit, so I would imagine the same is true here. Which would make your claim that these sorts of things are only fixed "in the open source world" seem pretty specious.
I'd rather be lucky than good.
I just tried it in Microsoft Word 2002, with XP SP1 and all of the approved hotfixes for my agency, and it restricted it just fine - wouldn't even recognize it as a hotlink.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Mozilla already fixed this vulnerability (Mozilla 1.7.1 & Firefox 0.92); it took what, 3 or 4 days after it was discovered?
Microsoft will surely fix this in no more than 2 "Microsoft" Days which is around 6 months for the rest of Earth's population.
According to the article, "Malicious hackers could launch programs associated with specific extensions using links embedded in Word documents or instant messages sent using MSN. However, the vulnerability does not allow attackers to pass instructions to the programs..." Now call me crazy, and I know I'll probably piss off the Microsoft-hating people here, but what harm is there really? What's some "hacker" gonna do, open up ACDSee and show my porn collection to, well... me? Maybe pop open a few dozen IE windows or programs to force me to reboot? If there's nothing else being transferred, it's really just more of a nuisance than something major. Or am I just reading this wrong?
It's not so much a bug as a dumb feature.
shell:[program-name] is supposed to be a URI syntax for running any given program on the computer. Of course, this is a slightly dangerous thing to have available for any given document to trigger unannounced, but it is a rather useful feature to have if somebody wants to tell everybody on a company network how to run a program that was just installed.
I find it interesting how they talk about "no exposure to malicious attackers", as if their products are magically invulnerable until someone discloses the hole to the public.
According to newsforge, it took "barely a day" for Mozilla to release new builds and patches.
The URI exploit in its general form is mitigated by the fact that you can't pass any command-line arguments to the command. So you can launch a bunch of Notepads, so what? However, you CAN type a filename in and have it open in its associated application. If that filename is too long, you can exploit a buffer overflow in the helper application. There happens to be a plenitude of client applications on a standard XP box with buffer overflow possibilities. Once you're there, go anywhere you want with the privileges of the user on the XP box (which is usually admin, and if not, you can usually get admin without a lot of effort).
Anyway, SP2's memory protection would have prevented the overflow attack. It would not have prevented the most general (and less harmful) form of the attack, however.
What the original poster was probably meaning, if he had a point at all, was that non-Windows systems don't do this sort of "command-line-as-a-protocol" bullshit because it's quite obviously the wrong way to do things. Security through obscurity works in a lot of cases because people think "nobody would EVER design an OS that did THIS" and they never bother to look. Well, now someone's looked and found an ancient kludge coded by someone who probably doesn't even work for MS anymore. And more man-hours are going into fixing this bug than would have gone into creating a proper implementation of whatever this goober was trying to accomplish in the first place.
That said, Open Source isn't pixie dust that makes everything happy and secure. Stupid things happen in Linux. They just happen in the open where people can find them and fix them before applications start relying on them to function.
I think the handling of this problem demonstrates the difference between Microsoft software and other software like Mozilla. In Mozilla, the problem didn't even require a real patch to fix, just a quick config setting to tell it not to pass things along to the shell: handler. My bet is that fixing Word etc. will require not just multiple registry changes but actual new code to allow shell: to be disabled. And odds on the first thing they try is to just add filters, and we'll see half a dozen iterations of exploits of this using different ways past the filters until MS finally includes a patch to allow it to be disabled.
Actually, it was their source that was the root of the problem in the first place. The whole "shell" thing is only in Windows. Unfortunately, the article titles lead people to believe that it is a problem with Mozilla across all platforms, when in reality it only affects those running on a Windows platform.
(that subject is a great way to get modded down)
I created a shell link inside Office Word 2003 and when I clicked it I was warned that the hyperlink contained a potentially dangerous target and that I should only proceed if I trusted the source of the document. This warning does not appear for http, https, ftp, or other common "safe" protocols.
I do not have MSN available for testing.
http://brandonbloom.name
More like 2 years. The original bug relating to handing off unhandled URIs to the OS goes back that far. It kept getting marked as "will not fix" because it was a stupid architectural decision that some of the guys at Netscape made. The decision was made recently to switch from a blacklist system to a whitelist system. This happened to coincide with lots of people switching to Firefox for security reasons, and all of a sudden there was a patch to change the default behavior.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
I'm the one who posted this message to Full Disclosure. I was too lazy to test all popular e-mail clients, IM clients, word processors, etc. that run on Windows, so I posted after finding only two vulnerable programs. Who wants to help?
All you have to do is see if your programs accept links to shell:windows\notepad.exe. If clicking the link launches Notepad, it's vulnerable. If there's a warning dialog, it's somewhat vulnerable, depending on the wording of the dialog.
The shareholder is always right.
The article's title is "Microsoft products also vulnerable to Mozilla flaw". That is gross misinformation; it should be something along the lines of "Microsoft products allow exploit of OS flaw, similar to Mozilla." The flaw itself is in the Windows operating system. It exposes access to shell functions that applications need to blacklist. Application developers shouldn't need to be concerned with "Oh, I need to stop that protocol for security." It should be the protocol developer's responsibility to say "Is this safe?"
Yet another signature that refers to itself. The irony and humor is dead.
Microsoft Word 2003 w/ latest updates.
Insert > Hyperlink
shell:explorer.exe (path should be unnecessary; tried shell:windows\explorer.exe as well)
Critical Error dialog pops up:
Opening "shell:explorer.exe"
Hyperlinks can be harmful to your computer and data. To protect your computer, click only those hyperlinks from trusted sources. Do you want to continue?
Yes | No
Pressed Yes and nothing happened.
The title is quite misleading on first glance.
"Microsoft products also vulnerable to Mozilla flaw"
If it was a Mozilla flaw to start with, my Linux boxes would be vulnerable. I know it's picky, but the title is not accurate IMHO, as Mozilla is being used to take advantage of a Windows feature, rather than the flaw itself existing in Mozilla.
It seems logical that the solution to many of these browser exploits is to run the browser with a separate set of OS permissions, i.e. as a separate user. This could be done using setuid under Unix. I don't know how it's accomplished on Windows.
The special user would have greatly reduced permissions, which would prevent these exploits from being useful. This user could not execute anything but designated plugins, and could not save files except to a designated area.
Why has this not been tried?
To try out open source browsers like Firefox and Mozilla....
;)
;)
Maybe it's about time for some people to consider some alternate productivity suites - not just OpenOffice - even some suites like Corel have some intriguing software that lacks the user base of Microsoft.
Rant>./rant
On a side note... Corel lost a big share of its market to MS Office around the same time Netscape was crushed by IE. I remember my high school used Corel at the time. Netscape was very smart to start the Mozilla Foundation instead of trying to beat MS; they are letting their supporters promote for them, gaining them some brand awareness if nothing else. Perhaps it wouldn't be so strange if Corel was to support an open source initiative, or merge with OpenOffice. The next best thing since frozen coffee for the computer geeks would be Firefox and Corel. Corel could sure use some geek-to-geek praising around now.
For those of you not very familiar with Corel, at one point they were doing fairly well, then they kinda fell through - had to lay off a lot of people and are now trying to get back into the market... but I personally think they face the same fate as Netscape.
In the real world, if you lose a customer, it takes twice as long to get that customer to come back to your business, and that customer is a big factor keeping other possible business from you, as they will tell at least 10 people of their experience.
Based on this, even old Corel users would be hesitant or unwilling to switch back to Corel - so Corel needs a new movement. Open source, anyone?
Dying Proprietary Software + Open Source = Improved Code + Brand Awareness + "PROFIT" (Donations, Memberships? Support? and Smart Usage Of Your Brand Recognition)
With so many software companies expected to bust with news of the markets this week, I wouldn't be surprised to see a few new related open source projects pop up.
Rant> logout
Mod me down, I'm a newf (wiki)
Okay, I'll bite. Some of us have a standard of stability and completeness, totally independent of version numbers. Was Internet Explorer 1.0 a happy, complete, stable application? Is Firefox 0.9.1? I think you're fooling yourself if you think version numbers provide any sort of yardstick of the readiness-to-use of an application. I personally won't use ANY Microsoft product in a production (read: at work) environment until it has at least TWO service packs. Windows, Office, SQL, SMS, doesn't matter. Microsoft's standard is "it's 1.0 when we need to release it. It's SP2 when it's ready for prime time". Not all companies are the same way. Corel has yet to release a product ready for prime time, and WordPerfect's up to 12 or so. Cisco, when motivated, can get things done right in the first release. Open Source projects all have their own standards. Firefox 0.9.1 is much more mature and ready for prime time than the latest PR or SP2. The Xine maintainers, who must all be insane, have a project that's been stable for years and it hasn't hit 1.0 yet. If Firefox suddenly released 2.0 would it suddenly be more mature? How about 3.0? What's the magic happy number? THERE IS NONE. You have to gauge each vendor, and each application, by a consistent set of rules and just forget what version number the marketing people decided it should have.
Maybe someone should check to see if IE has this "bug" as well. ....
That's very probable, since this is more a "metabug" in Windows - that might get fixed in SP2.
So, perhaps Mozilla should have "bug fixes" for every windows flaw that they uncover?
No. They should just disable insecure stuff by default. That's one of the strong points of Mozilla. They did write code at some point that passes some unfiltered, unchecked data from the web on to some external handler. That action is shouting "security hazard" all the way.
Wouldn't that introduce quite a bit of bloat?
If you are fighting bloat, Moz shouldn't include this "feature" at all. But if someone writes code for this (rarely useful, but dangerous) feature, you better disable it by default.
Here's how it works:
You predict the next security flaw, exploit, etc. etc. etc. and what product it will hit. Apache buffer overflow (smart money says don't pick that one), Word vulnerability, etc. This could be cool.
Dibs on Wednesday IE exploit.
I boycott signatures
The original bug relating to handing off unhandled URIs to the OS goes back that far. It kept getting marked as "will not fix" because it was a stupid architectural decision that some of the guys at Netscape made.
It was hardly a stupid decision. Passing unhandled URIs to the OS is a perfectly acceptable thing to do. Unless you think that handling things like ed2k: URIs and other yet-to-be-invented URIs is a bad thing.
Perhaps the URI handler built into the OS needs a local versus foreign flag..
There is a big difference between the degree of risk I take with upgrading Firefox and the major overhaul that SP2 is going to turn out being. Sorry but this hypocrite isn't buying your assertion.
I don't want knowledge. I want certainty. - Law, David Bowie
emacs will hit version 1.0 when it can shake the programmer's hand, look him in the eye and say "I'm ready."
I suspect a great many apps have (until recently) just blithely passed commands that have user input into ShellExecute(). Obviously you can't do that: a fairly clever user can figure out how to get someone else to run a command on their system without their explicit consent. Note that MSDN doesn't mention anything about the possible security implications of it, which is why MS is being blindsided by it. Now, a ton of apps use ShellExecute(); it is the recommended way to launch the correct web browser on a user's system. What I did in my app was, before calling ShellExecute(), extract the protocol and compare it against a whitelist of allowed protocols. In my case, I only allowed http, https, mailto, and ftp. If it wasn't one of those four, I just didn't do anything.
That's because it's NOT a bug in Mozilla, it's a massive security hole in Windows. Mozilla finally decided to patch it for Mozilla because MS was too damned lazy to fix it. As we now see, this massive Windows hole affects other products too. Of course, NO other platform has this particular security hole (surprise surprise...)
If your Flash plugin had a security hole, would you expect Mozilla, Opera, IE, etc. to filter certain access so that security hole couldn't be exploited?
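A protocol allowlist in front of ShellExecute(), along the lines the commenter describes, as an added example that is not the commenter's own code: it parses the scheme per RFC 3986 (letters, digits, "+", "-", "." up to the first colon), compares it case-insensitively against http, https, mailto and ftp, and refuses everything else, shell: included, before the OS handler is involved. The ALLOWED_SCHEMES table, the function names and the sample links are my own assumptions and constructed data; off Windows the launch is only reported, since ShellExecute is a Windows API.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <shellapi.h>
#endif

/* Schemes this hypothetical application is willing to hand to the OS.
   The list mirrors the commenter's choice: http, https, mailto, ftp. */
static const char *const ALLOWED_SCHEMES[] = { "http", "https", "mailto", "ftp" };
#define ALLOWED_COUNT (sizeof ALLOWED_SCHEMES / sizeof ALLOWED_SCHEMES[0])

/* Length of the scheme in `uri` (RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"),
   or 0 when the string has no syntactically valid scheme. Leading whitespace or a bare
   filename such as "notepad.exe" therefore yields 0 and is rejected downstream. */
static size_t scheme_length(const char *uri)
{
    if (uri == NULL || !isalpha((unsigned char)uri[0]))
        return 0;
    size_t i = 1;
    while (uri[i] != '\0' && uri[i] != ':') {
        unsigned char c = (unsigned char)uri[i];
        if (!isalnum(c) && c != '+' && c != '-' && c != '.')
            return 0;
        i++;
    }
    return uri[i] == ':' ? i : 0;
}

/* Case-insensitive comparison of the first `n` bytes of `s` against all of `allowed`. */
static bool scheme_equals(const char *s, size_t n, const char *allowed)
{
    for (size_t i = 0; i < n; i++) {
        if (allowed[i] == '\0' ||
            tolower((unsigned char)s[i]) != tolower((unsigned char)allowed[i]))
            return false;
    }
    return allowed[n] == '\0';
}

/* True only when the URI carries a scheme on the allowlist. shell:, file:, javascript:
   and any scheme invented later are refused by construction (allowlist, not blocklist). */
bool uri_scheme_allowed(const char *uri)
{
    size_t n = scheme_length(uri);
    if (n == 0)
        return false;
    for (size_t k = 0; k < ALLOWED_COUNT; k++)
        if (scheme_equals(uri, n, ALLOWED_SCHEMES[k]))
            return true;
    return false;
}

/* Gatekeeper around ShellExecute. Returns false when the URI was refused or the launch
   failed. Off Windows there is no ShellExecute, so the function only reports the decision. */
bool open_uri_checked(const char *uri)
{
    if (!uri_scheme_allowed(uri)) {
        fprintf(stderr, "refused: %s\n", uri ? uri : "(null)");
        return false;
    }
#ifdef _WIN32
    /* ShellExecuteA signals success with a return value greater than 32. */
    return (INT_PTR)ShellExecuteA(NULL, "open", uri, NULL, NULL, SW_SHOWNORMAL) > 32;
#else
    printf("would hand to OS handler: %s\n", uri);
    return true;
#endif
}

int main(void)
{
    /* Constructed sample links, including the shell: form discussed in the thread. */
    const char *samples[] = {
        "http://example.com/",
        "HTTPS://example.com/",        /* scheme comparison is case-insensitive */
        "mailto:someone@example.com",
        "shell:windows\\notepad.exe",   /* refused: shell is not on the allowlist */
        "file:///C:/Windows/",          /* refused: file is not on the allowlist */
        " http://example.com/",         /* refused: leading space, no valid scheme */
        "notepad.exe",                  /* refused: no scheme at all */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        open_uri_checked(samples[i]);
    return 0;
}
```

The check is deliberately an allowlist: a blocklist that names shell: today would have to be revisited each time Windows registers another launch-capable handler, which is the same trap the thread describes Mozilla falling into before it switched approaches.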
No, MS is responsible for the security of their own products.
No. It's saying "I have a URI I don't know what to do with." This is how non-http URIs work to launch external viewers such as RealPlayer with rtsp:// and such.
Creating a URI handler to execute shell commands is boneheaded. The Mozilla guys knew this but MS failed to fix it. And now we have more MS apps that don't work around this stupid thing. Any guess as to how much other software doesn't block access to this massive windows security hole?
About the only thing the Mozilla team did wrong is underestimate the stupidity of MS.
Uh, I've been doing it for IE and MSN Messenger for the past few weeks - since I was forced to switch from W2K to Windows XP at work.
Create a user called veryrestricteduser and put it in a new morerestricted group and remove it from the Users group. I made the filesystem permissions more restrictive for members of that morerestricted group - so they can't even list files in c:\, only traverse it.
My shortcut for IE is:
C:\WINDOWS\system32\runas.exe /savecred /env /user:veryrestricteduser "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Because of the /env (use current user's environment), what you need to do is allow the restricted user write access to your IE required directories - e.g. Favorites, Cookies, Local Settings.
Alternatively you could remove the /env and run IE in the veryrestricteduser's environment and allow your normal user read access (and probably write access) to the veryrestricteduser's environment/profile. Then you don't have to allow the veryrestricteduser access to your normal user's directories. The more finely grained ACLs on Windows NTFS could make certain things more convenient.
The latter method is probably safer, but doesn't allow you to share Favorites and Cookies when you do want to browse as your normal user for whatever reason.
You'll probably want to change the icon back to one of the IE icons.
The runas thing is klunkier than setuid and you can't do /savecred on Win2K, so you need to enter the password every time you launch the shortcut for Win2K or WinXP Home. Savecred works on WinXP Pro.
If you don't trust other applications I think you can do similar things with them. For stuff that you really cannot trust, you should run them on a VMware VM or a separate machine.
It's nothing to do with the browser. Read the bug report. Find and read the relevant MSDN article, if you like. It is not even a bug in Windows. Windows does not pass the security information between partitions.