MSN, Word Vulnerable To Shell: URI Exploit

LnxAddct writes "InfoWorld is reporting that a few Microsoft products are also vulnerable to the "shell:" scheme vulnerability found in Mozilla last week. These applications include Microsoft Word and MSN Messenger."

Re:Goes to show...

[Frizzle Fry]

The article is short on details. Does this really work on xp sp2? I know that xp sp2 protected against the Mozilla exploit, so I would imagine the same is true here. Which would make your claim that these sorts of things are only fixed "in the open source world" seem pretty specious.

Already fixed?

[Marxist Hacker 42]

I just tried it in Microsoft Word 2002, with XP SP1 and all of the approved hotfixes for my agency, and it restricted it just fine- wouldn't even recognize it as a hotlink.

Re:Word 2004 for OSX Safe?

[Alex Brasetvik]

Mac OS X' Safari had a very similar flaw, where one could use disk:// to mount a disk image, which could execute whatever it wanted to.

That flaw was fixed with the 2004-06-07 security update [apple.com].

Re:Quite a coincidence

[LostCluster]

It's not as much a bug but a dumb feature.

shell:[program-name] is supposed to be a URI syntax for running any given program on the computer. Of course, this is a slightly dangerous thing to have available for any given document to trigger unannounced, but it is a rather useful feature to have if somebody wants to tell everybody on a company network how to run a program that was just installed.

Re:Quite a coincidence

[Platinum Dragon]

It's not reasonable at all, if I understand the nature of the shell: exploit in Mozilla.

shell: is handled by Windows itself. The browser simply passed the URI on to be dealt with, as Microsoft programmers intended.

Although there were concerns about allowing the browser to hand off unrecognized URIs to the underlying operating system two years ago, this particular exploit was recognized and patched within a day, by preventing Mozilla from passing shell: stuff on.

Basically, it's an exploitable Windows function that could be accessed through Mozilla and other programs written to allow such things.

Another successful shot in the foot from Redmond.

Re:Fixed in SR2?

[IoN_PuLse]

According to newsforge, it took "barely a day" for Mozilla to release new builds and patches. [newsforge.com]

Re:Haha

[IoN_PuLse]

Actually, it was their source that was the root of the problem in the first place. The whole "shell" thing is only in windows, unfortunately the article titles lead people to believe that it is a problem with Mozilla across all platforms, when in reality it only affects those running on a Windows platform.

Mozilla Bug 163767

[Sweetshark]

While bug 250180 is pretty new, bug 163767 is ancient (08-2002) and describes the same problem, although being a bit more generic. I wouldnt shout too loud about fast bugfixing in OSS in this particular case. Although the bug is more a bug of Windows broken-by-design handling of URIs it still should have been fixed (or the features needed for the bug to work should have been disabled by default.)

Re:Fixed in SR2?

[afidel]

More like 2 years . The origional bug relating to handing off unhandled URI's to the OS goes back that far. It kept getting marked as "will not fix" because it was a stupid architectural decision that some of the guys at Netscape made. The decision was made recently to switch from a blacklist system to a whitelist system. This happened to coincide with lots of people switching to FireFox for security reasons and all of the sudden there was a patch to change the default behavior.

What other programs are vulnerable?

[jesser]

I'm the one who posted this message [netsys.com] to Full Disclosure. I was too lazy to test all popular e-mail clients, IM clients, word processors, etc. that run on Windows, so I posted after finding only two vulnerable programs. Who wants to help?

All you have to do is see if your programs accept links to shell:windows\notepad.exe. If clicking the link launches Notepad, it's vulnerable. If there's a warning dialog, it's somewhat vulnerable, depending on the wording of the dialog.

Re:Already fixed?

[jesser]

You're using the wrong URL. It's

shell:windows\explorer.exe

Re:Can only allow programs to be run...

[TrancePhreak]

Considering it doesn't allow you to pass parameters as mentioned by the article, all of that would be very hard to accomplish.

Fixed in Word 2003

[AzrealAO]

Microsoft Word 2003 w/Latest Updates.

Insert > Hyperlink
shell:explorer.exe (path should be unneccessary, tried shell:windows\explorer.exe as well)

Critical Error Dialog pops up

Opening "shell:explorer.exe"

Hyperlinks can be harmful to your computer and data. To protect your computer, click only those hyperlinks from trusted sources. Do you want to continue?
Yes | No

Pressed Yes and nothing to happened.

Re:Word 2004 for OSX Safe?

[System.out.println()]

That's not quite accurate. The disk:// protocol was a part of the exploit, but that protocol did not allow a website to run anything - only to auto-mount a disk or disk image.

The real threat was the fact that programs could auto-register a new protocol that would be "handled" by a program contained within said disk image. Linking to exploit:// (as an example) would then launch the program that had registered itself as the handler for the made-up protocol. Thus, clicking on a link would run the program.

In any case, that Security Update did indeed fix it by asking the user the first time a new protocol's handler was added.

Re:Goes to show...

[Coryoth]

The Xine maintainers, who must all be insane,
have a project that's been stable for years and it hasn't hit 1.0 yet.

It's worth noting that, technically, Emacs hasn't gone 1.0 yet either. The version is really 0.21 - it's just that they've been in the minor version numbers for so long now nobody refers to it that way anymore. Is Emacs incomplete? Lacking functionality perhaps? Apparently yes.

Jedidiah.

Re:Can we call them beleaguered now?

[Phroggy]

Yes. [infoworld.com]

Re:Fixed in Word 2003

[jesser]

shell:explorer.exe (path should be unneccessary, tried shell:windows\explorer.exe as well)

For me, shell:windows\explorer.exe works in Start - Run, but shell:explorer.exe does not.

Hyperlinks can be harmful to your computer and data.

Umm.

Does it give the same warning for http hyperlinks?

Re:Goes to show...

[Anonymous Coward]

For you information, SP2 beta can be only installed on ENGLISH (or german) version of Windows XP (pro). I am running finnish languaged Home edition and haven't been able to test SP2 because of that.

Re:A NEW BUG!!!

[fireman sam]

No, mozilla / IE / MSN / Word are NOT asking the Windows to "execute this program" they are asking Windows to "handle this URI I don't know what to do with"

Re:What other programs are vulnerable?

[jesser]

I did not contact Microsoft before posting on Full Disclosure. I thought posting to Full Disclosure would encourage Microsoft to fix the hole in Windows rather than forcing every software vendor to work around it using a whitelist or blacklist. Maybe I was wrong about that. I felt that all software vendors should be given an equal chance to fix the hole if they want to be safe running on unpatched versions of Windows. I was frustrated that Mozilla looked bad because of a Windows hole that affected a large number fof programs.

I got an IM from someone at Microsoft thanking me for the post on Full Disclosure. Microsoft earned a little respect from me today.

Re:Can only allow programs to be run...

[DeadMeat (TM)]

There's an explanation here [seclists.org] of how it could be used to exploit buffer overflows in apps.

Re:Mozilla Bug 163767

[Ice_Balrog]

No. Bug 163767 simple warns that should there ever be a Windows exploit with the shell: protocol handler, Mozilla will be vulnerable. At the time there was no such Windows exploit, but even then they made it so that you would have to manually invoke the shell: protocol handler (by clicking a link). When an exploit in Windows was found, Mozilla finally decided to fix it for MS, by completely disabling shell:.

Re:Goes to show...

[walt-sjc]

No. It's saying "I have a URI I don't know what to do with." This is how non-http URI's work to launch external views such as real player with RTSP:// and such.

Creating a URI handler to execute shell commands is boneheaded. The Mozilla guys knew this but MS failed to fix it. And now we have more MS apps that don't work around this stupid thing. Any guess as to how much other software doesn't block access to this massive windows security hole?

About the only thing the Mozilla team did wrong is underestimate the stupidity of MS.

Been there done that.

[TheLink]

Uh, I've been doing it for IE and MSN Messenger for the past few weeks - since I was forced to switch from W2K to Windows XP at work.

Create a user called veryrestricteduser and put it in a new morerestricted group and remove it from the Users group. I made the filesystem permissions more restrictive for members of that morerestricted group - so they can't even list files in c:\ only traverse it.

My shortcut for IE is:
C:\WINDOWS\system32\runas.exe /savecred /env /user:veryrestricteduser "C:\Program Files\Internet Explorer\IEXPLORE.EXE"

Because of the /env (use current user's environment) what you need to do is allow the restricted user write access to your IE required directories- e.g. Favorites, Cookies, Local Settings.

Alternatively you could remove the /env and run IE in the veryrestricteduser's environment and allow your normal user read access (and probably write access) to the veryrestricteduser's environment/profile. Then you don't have to allow the veryrestricteduser access to your normal user's directories. The more finely grained ACLs on Windows NTFS could make certain things more convenient.

The latter method is probably safer, but doesn't allow you to share Favorites and Cookies when you do want to browse as your normal user for whatever reason.

You'll probably want to change the icon back to one of the IE icons.

The runas thing is klunkier than setuid and you can't do /savecred on Win2K, so you need to enter the password everytime you launch the shortcut for Win2K or WinXP Home. Savecred works on WinXP Pro.

If you don't trust other applications I think you can do a similar things with them. For stuff that you really cannot trust, you should run them on a VMware VM or a separate machine.

Re:Emacs on version 21.3

[jrumney]

The trolls are wrong. If Emacs had stuck to its original numbering scheme, it would be on 1.21, not 0.21. From ONEWS.1:

Changes in Emacs 13

* There is a new version numbering scheme.

What used to be the first version number, which was 1, has been discarded since it does not seem that I need three levels of version number.

However, a new third version number has been added to represent changes by user sites. This number will always be zero in Emacs when I distribute it; it will be incremented each time Emacs is built at another site.

Re:Mozilla is Slow to Respond!

[Krach42]

Yeah, "NO other platform has this particular security hole"... um... yeah... except that the underlying cause of the hole is the same problem that exists with the OSX URI handling code, and thus, every single MacOS browser was exploitable by this type of "feature" until Apple fixed the real problem.