New URI Browser Flaws Worse Than First Thought 149
narramissic writes "URI (Uniform Resource Identifier) bugs have become a hot topic over the past month, since researcher Thor Larholm showed how a browser could be tricked into sending malformed data to Firefox. Now, security researchers Billy Rios and Nathan McFeters say they've discovered a number of ways attackers could misuse the URI protocol handler technology to steal data from a victim's computer. 'It is possible through the URI to actually steal content form the user's machine and upload that content to a remote server of the attacker's choice,' said McFetters, a senior security advisor for Ernst & Young Global Ltd. 'This is all through functionality that the application provides.'"
Oh my (Score:5, Informative)
It is impossible to say whether this bug is really exploitable, whether it matters at all. So far they ("security researchers") can be only getting a free publicity. Is this news for nerds?
Re:Oh my (Score:2, Informative)
Think
callto://skypeuser?some¶ms&that&induce&sendin
Or something similar. I think the MS guy shouldn't have said "We at MS don't think we should be responsible for this" as it sounds like they *could* do something if they wanted. He really should have said "We can't stop stupid software makers being stupid. We can do bugger all about this." It's not often MS can legitimately pass the security buck, I'm surprised they didn't ride it for all it's worth this time.
Re:Oh my (Score:4, Informative)
The only thing that happens when people "claim" to have discovered an exploit without proof is that a lot of gullible people start panicking and unscrupulous reporters and bloggers who'll propagate the rumour for weeks. It's like yelling "fire" in a crowded room.
If they really have an exploit, they should just share it or STFU. There's enough garbage information on the internet as is, there's no need for them to the dung pile.
Re:Oh my (Score:4, Informative)
Re:Microsoft do it again (Score:3, Informative)
MacOSX has had a number of vulnerabilities due to URI handling:
Daring Fireball - Using the 'telnet' URI Protocol to Delete Files [daringfireball.net]
Mac OS X Volume URI Handler Registration Code Execution Vulnerability [secunia.com]
Apple Mac OS X SSH URI Handler Remote Code Execution Vulnerability [securityfocus.com]
As long as you can get a browser to pass arbitrary data to an application you will be vulnerable. What needs to happen is that the custom protocol handlers should be white-listed by default requiring the user to explicitly allow a new protocol handler. Any protocol handler not handled directly by the browser should display a dialog to inform the user of the action and permit them to cancel it. The user needs to be aware that they're not clicking on a "normal" hyperlink.
Ultimately I think the only way to really mitigate these kinds of security problems is to sandbox or virtualize the browser, which is actually what MS has done with IE7 in Vista. Vulnerabilities are inevitable so the OS and browser should do what it can to limit the extent of the damage that can be caused.
Want to disable it alltogether ? (Score:4, Informative)
set network.protocol-handler.expose-all to false,
network.protocol-handler.expose.http to true,
network.protocol-handler.expose.javascript to true,
network.protocol-handler.expose.mailto to true and
remove all other network.protocol-handler.expose.*entries (or set them to false).
Set network.protocol-handler.external-default to false,
network.protocol-handler.external.mailto to true and
remove all other network.protocol-handler.external.* entries (of set them to false).
To be sure set network.protocol-handler.warn-external.file to true and
remove all network.protocol-handler.warn-external.* entries (or set them to true).
For more info start at http://kb.mozillazine.org/Network.protocol-handle
Beware, on windows things are different. See http://kb.mozillazine.org/Register_protocol [mozillazine.org]
Re:Oh my (Score:5, Informative)
"On Windows XP some urls for "web" protocols that contain %00 launch the wrong
handler and appear to be able to launch local programs, with limited argument
passing. It is not yet clear that this can be used to compromise a machine but
we can always fear the worst.
The same behavior is observed using "Run" from the Windows Start menu for the
affected protocols (http, https, ftp, gopher, telnet, mailto, news, snews,
nttp, possibly others?).
The behavior seems to be that if there's a %00 in the URL for these schemes
then the URL Protocol handler is not called, instead the FileType handler is
called based on the extension of the full url. The url is then passed to that
File handler. For "non-web" URL handlers the URL is passed to the expected
handler.
In Firefox browser protocols are handled internally so are not vulnerable, but
the mailnews protocols are handed off to the OS and can be abused in this way."
====
So you can construct a uri like: "mailto:/...%00...something.exe"
Firefox sees mailto and hands it to Windows to give it to the mail program
Windows sees %00 and mistakenly hands it to the FileType handler.
The FileType handler sees ".exe" and runs the program.
Re:It's the Usual M$ Sabotage and FUD. (Score:3, Informative)
Surprisingly it's not a problem if Firefox isn't installed.
Re:Oh my (Score:2, Informative)
It seems that the injection mechanism is to use Firefox, but the exploit requires IE 7 to be installed on the victim's computer.
Interesting excerpts from the secwatch advisory:
In the comments to this article [betanews.com] a user by the name of kruador points out: And most importantly, he concludes with: Sounds like some registry hacking could solve the problem.Problem is not Firefox. (Score:3, Informative)
M$ Defender, Macthorpe claims what M$ won't directly:
Surprisingly it's not a problem if Firefox isn't installed.
Not even this highly spun article goes that far.
So IE, mentioned as "a browser", sends the crap to Firefox and will do the trick on it's own. Also, as we have seen before, this was not a problem before IE7 [slashdot.org].
Re:Care to provide details? (Score:3, Informative)
Re:Problem is not Firefox. (Score:2, Informative)
Re:Problem is not Firefox. (Score:3, Informative)
You can stop trying to imply that this is some sort of sabotage by Microsoft, considering they'd be sabotaging themselves in the process. No different to your dumb claim that they "sabotaged" ACPI.
Re:Problem is not Firefox. (Score:1, Informative)
Wait, let me get the steps straight here:
And somehow this is Microsoft's fault? Because Internet Explorer doesn't make uninformed assumptions about the format of the URIs for somebody else's protocols? Oh, and if Firefox isn't installed, step 4 fails, and IE simply displays a message to inform the user that the firefox:// protocol is unknown. The exploitable code is never run, because the exploitable code isn't installed. But that's still Microsoft's fault, simply because they exist, right?