MSN, Word Vulnerable To Shell: URI Exploit
LnxAddct writes "InfoWorld is reporting that a few Microsoft products are also vulnerable to the "shell:" scheme vulnerability found in Mozilla last week. These applications include Microsoft Word and MSN Messenger."
Re:Goes to show... (Score:5, Informative)
Already fixed? (Score:5, Informative)
Re:Word 2004 for OSX Safe? (Score:5, Informative)
That flaw was fixed with the 2004-06-07 security update [apple.com].
Re:Quite a coincidence (Score:5, Informative)
shell:[program-name] is supposed to be a URI syntax for running any given program on the computer. Of course, this is a slightly dangerous thing to have available for any given document to trigger unannounced, but it is a rather useful feature to have if somebody wants to tell everybody on a company network how to run a program that was just installed.
Re:Quite a coincidence (Score:3, Informative)
shell: is handled by Windows itself. The browser simply passed the URI on to be dealt with, as Microsoft programmers intended.
Although there were concerns about allowing the browser to hand off unrecognized URIs to the underlying operating system two years ago, this particular exploit was recognized and patched within a day, by preventing Mozilla from passing shell: stuff on.
Basically, it's an exploitable Windows function that could be accessed through Mozilla and other programs written to allow such things.
Another successful shot in the foot from Redmond.
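The fix described in the comment above (stop passing shell: on to Windows) generalises to gating every hand-off to the operating system on an allow-list of schemes rather than a block-list. This is an added example, not Mozilla's or Microsoft's code; the allow-list contents, the function names and the sample links are assumptions constructed for illustration.

```python
import re

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Assumed policy for this example: only these schemes may leave the application.
EXTERNAL_ALLOWLIST = frozenset({"http", "https", "ftp", "mailto"})


def uri_scheme(uri):
    """Return the lower-cased scheme, or None for relative/malformed input."""
    # Drop leading whitespace and control characters (0x00-0x20), which
    # some URL parsers ignore before the scheme.
    cleaned = uri.lstrip("".join(chr(c) for c in range(0x21)))
    m = _SCHEME_RE.match(cleaned)
    return m.group(1).lower() if m else None


def may_hand_off(uri):
    """Allow-list gate: True only if the OS may be asked to open this URI."""
    return uri_scheme(uri) in EXTERNAL_ALLOWLIST


def naive_blocklist_gate(uri):
    """The weaker design: refuse one known-bad prefix, pass everything else."""
    return not uri.startswith("shell:")


def audit_links(links):
    """Return the links that the allow-list gate would refuse to hand off."""
    return [u for u in links if not may_hand_off(u)]


# Constructed sample links, as might be extracted from a document or message.
SAMPLE_LINKS = [
    "https://example.com/readme.html",
    "mailto:admin@example.com",
    "shell:windows\\notepad.exe",
    "SHELL:windows\\notepad.exe",
    "  shell:windows\\notepad.exe",
    "exploit://anything",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link!r:40} allowlist={may_hand_off(link)!s:5} "
              f"blocklist={naive_blocklist_gate(link)}")
```

The case-sensitive block-list passes the upper-case, padded and made-up-scheme variants; the allow-list refuses all of them because it never needs to know which schemes are dangerous.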
Re:Fixed in SR2? (Score:5, Informative)
Re:Haha (Score:5, Informative)
Mozilla Bug 163767 (Score:4, Informative)
Re:Fixed in SR2? (Score:5, Informative)
What other programs are vulnerable? (Score:5, Informative)
All you have to do is see if your programs accept links to shell:windows\notepad.exe. If clicking the link launches Notepad, it's vulnerable. If there's a warning dialog, it's somewhat vulnerable, depending on the wording of the dialog.
Re:Already fixed? (Score:5, Informative)
shell:windows\explorer.exe
Re:Can only allow programs to be run... (Score:4, Informative)
Fixed in Word 2003 (Score:5, Informative)
Insert > Hyperlink
shell:explorer.exe (path should be unnecessary, tried shell:windows\explorer.exe as well)
Critical Error Dialog pops up
Opening "shell:explorer.exe"
Hyperlinks can be harmful to your computer and data. To protect your computer, click only those hyperlinks from trusted sources. Do you want to continue?
Yes | No
Pressed Yes and nothing happened.
Re:Word 2004 for OSX Safe? (Score:5, Informative)
The real threat was the fact that programs could auto-register a new protocol that would be "handled" by a program contained within said disk image. Linking to exploit:// (as an example) would then launch the program that had registered itself as the handler for the made-up protocol. Thus, clicking on a link would run the program.
In any case, that Security Update did indeed fix it by asking the user the first time a new protocol's handler was added.
Re:Goes to show... (Score:3, Informative)
have a project that's been stable for years and it hasn't hit 1.0 yet.
It's worth noting that, technically, Emacs hasn't gone 1.0 yet either. The version is really 0.21 - it's just that they've been in the minor version numbers for so long now nobody refers to it that way anymore. Is Emacs incomplete? Lacking functionality perhaps? Apparently yes.
Jedidiah.
Re:Can we call them beleaguered now? (Score:3, Informative)
Re:Fixed in Word 2003 (Score:3, Informative)
For me, shell:windows\explorer.exe works in Start - Run, but shell:explorer.exe does not.
Hyperlinks can be harmful to your computer and data.
Umm.
Does it give the same warning for http hyperlinks?
Re:Goes to show... (Score:1, Informative)
Re:A NEW BUG!!! (Score:3, Informative)
Re:What other programs are vulnerable? (Score:5, Informative)
I got an IM from someone at Microsoft thanking me for the post on Full Disclosure. Microsoft earned a little respect from me today.
Re:Can only allow programs to be run... (Score:3, Informative)
Re:Mozilla Bug 163767 (Score:3, Informative)
Re:Goes to show... (Score:5, Informative)
Creating a URI handler to execute shell commands is boneheaded. The Mozilla guys knew this but MS failed to fix it. And now we have more MS apps that don't work around this stupid thing. Any guess as to how much other software doesn't block access to this massive Windows security hole?
About the only thing the Mozilla team did wrong is underestimate the stupidity of MS.
Been there done that. (Score:5, Informative)
Create a user called veryrestricteduser and put it in a new morerestricted group and remove it from the Users group. I made the filesystem permissions more restrictive for members of that morerestricted group - so they can't even list files in c:\ only traverse it.
My shortcut for IE is:
C:\WINDOWS\system32\runas.exe
Because of the
Alternatively you could remove the
The latter method is probably safer, but doesn't allow you to share Favorites and Cookies when you do want to browse as your normal user for whatever reason.
You'll probably want to change the icon back to one of the IE icons.
The runas thing is klunkier than setuid and you can't do
If you don't trust other applications I think you can do similar things with them. For stuff that you really cannot trust, you should run them on a VMware VM or a separate machine.
Re:Emacs on version 21.3 (Score:3, Informative)
Re:Mozilla is Slow to Respond! (Score:3, Informative)