Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Bug Operating Systems Security Software Windows

MSN, Word Vulnerable To Shell: URI Exploit 392

LnxAddct writes "InfoWorld is reporting that a few Microsoft products are also vulnerable to the "shell:" scheme vulnerability found in Mozilla last week. These applications include Microsoft Word and MSN Messenger."
This discussion has been archived. No new comments can be posted.

MSN, Word Vulnerable To Shell: URI Exploit

Comments Filter:
  • by djtripp ( 468558 ) <.moc.liamg. .ta. .ppirtjd.> on Monday July 12, 2004 @07:45PM (#9681246) Homepage Journal
    Well at least Mozilla will fix theirs...
    • by ROOK*CA ( 703602 ) on Monday July 12, 2004 @07:50PM (#9681300)
      Mozilla already fixed this vulnerabilty (Mozilla 1.7.1 & FireFox 0.92) took what 3 or 4 days after it was discovered ?

      Microsoft will surely fix this in no more than 2 "Microsoft" Days which is around 6 months for the rest of Earth's population.
      • Mozilla Bug 163767 (Score:4, Informative)

        by Sweetshark ( 696449 ) on Monday July 12, 2004 @08:12PM (#9681464)
        While bug 250180 is pretty new, bug 163767 is ancient (08-2002) and describes the same problem, although being a bit more generic. I wouldnt shout too loud about fast bugfixing in OSS in this particular case. Although the bug is more a bug of Windows broken-by-design handling of URIs it still should have been fixed (or the features needed for the bug to work should have been disabled by default.)
        • by fireman sam ( 662213 ) on Monday July 12, 2004 @08:19PM (#9681527) Homepage Journal
          So, perhaps Mozilla should have "bug fixes" for every windows flaw that they uncover? Wouldn't that introduce quite a bit of bloat?

          Every application that uses this scheme is vulnerable.

          Maybe someone should check to see if IE has this "bug" as well.

          • by Sweetshark ( 696449 ) on Monday July 12, 2004 @08:35PM (#9681634)
            Maybe someone should check to see if IE has this "bug" as well.
            Thats very probable since this is more a "metabug" in Windows - that might get fixed in SP2.
            So, perhaps Mozilla should have "bug fixes" for every windows flaw that they uncover?
            No. They should just disable unsecure stuff by default. Thats one of the strong points of Mozilla. They did write code at some point that passes some unfiltered, unchecked data from the web on to some external handler. That action is shouting "security hazard" all the way ....
            Wouldn't that introduce quite a bit of bloat?
            If you are fighting bloat, Moz shouldnt include this "feature" at all. But if someone writes code for this (rarely useful, but dangerous) feature, you better disable it by default.
            • "They should just disable unsecure stuff by default."

              What, disable the Windows builds? But what about all the people wanting to switch from IE?

              NB: this was an attempt a humor
            • Mozilla passes it with the appropriate security level, indicated it's unfiltered unchecked data coming from the web. They are doing exactly what they are supposed to.

              And the whole reason the browser is passing it is because it's NOT a known uri type (who would expect there to be a shell uri, what kind of idiot comes up with the brilliant idea for a shell uri to begin with?).

              This is windows, remember that most uri types aren't documented. Since we are only talking about unknown datatypes, it's a safe bet
        • No. Bug 163767 simple warns that should there ever be a Windows exploit with the shell: protocol handler, Mozilla will be vulnerable. At the time there was no such Windows exploit, but even then they made it so that you would have to manually invoke the shell: protocol handler (by clicking a link). When an exploit in Windows was found, Mozilla finally decided to fix it for MS, by completely disabling shell:.
      • Re:Fixed in SR2? (Score:5, Informative)

        by afidel ( 530433 ) on Monday July 12, 2004 @08:15PM (#9681485)
        More like 2 years . The origional bug relating to handing off unhandled URI's to the OS goes back that far. It kept getting marked as "will not fix" because it was a stupid architectural decision that some of the guys at Netscape made. The decision was made recently to switch from a blacklist system to a whitelist system. This happened to coincide with lots of people switching to FireFox for security reasons and all of the sudden there was a patch to change the default behavior.
        • Re:Fixed in SR2? (Score:5, Interesting)

          by prockcore ( 543967 ) on Monday July 12, 2004 @08:39PM (#9681669)
          The origional bug relating to handing off unhandled URI's to the OS goes back that far. It kept getting marked as "will not fix" because it was a stupid architectural decision that some of the guys at Netscape made.

          It was hardly a stupid decision. Passing unhandled URIs to the OS is a perfectly acceptable thing to do. Unless you think that handling things like ed2k: URIs and other yet-to-be-invented URIs is a bad thing.

          Perhaps the URI handler built into the OS needs a local versus foreign flag..
  • by Jrod5000 at RPI ( 229934 ) on Monday July 12, 2004 @07:45PM (#9681247)
    Intelligence Guy: "We have top men working on it right now."
    Indy: "Who?"
    Intelligence Guy: "Top... Men..."
  • Haha (Score:2, Funny)

    by mboverload ( 657893 )
    Looks like Microsoft has been copying some source


    • Re:Haha (Score:5, Informative)

      by IoN_PuLse ( 788965 ) on Monday July 12, 2004 @08:07PM (#9681423) Homepage
      Actually, it was their source that was the root of the problem in the first place. The whole "shell" thing is only in windows, unfortunately the article titles lead people to believe that it is a problem with Mozilla across all platforms, when in reality it only affects those running on a Windows platform.
  • Goes to show... (Score:5, Insightful)

    by cloudkj ( 685320 ) on Monday July 12, 2004 @07:45PM (#9681251)
    ... what gets patched in the open source world gets exploited further in the proprietary world. MS should probably pay more attention to projects like Mozilla... it might save them a lot of time and effort in the long run.
    • Re:Goes to show... (Score:5, Informative)

      by Frizzle Fry ( 149026 ) on Monday July 12, 2004 @07:49PM (#9681280) Homepage
      The article is short on details. Does this really work on xp sp2? I know that xp sp2 protected against the Mozilla exploit, so I would imagine the same is true here. Which would make your claim that these sorts of things are only fixed "in the open source world" seem pretty specious.
      • Oh good, I'll go and download SP2 then... What's that? It's been delayed to mid-August? Oh dear!
        • Oh good, I'll go and download SP2 then

          Good. Go download it [microsoft.com]. Or don't. But at least don't be a hypocrite like half the people here and say that sp2 "doesn't count" until it reaches final release form, while firefox "counts" even though it's also in pre-release form (not even at 1.0 yet). Sort of like when people claim that IE on xp doesn't have popup blocking but firefox does.

          • Re:Goes to show... (Score:5, Insightful)

            by Anonymous Coward on Monday July 12, 2004 @08:31PM (#9681608)
            Okay, I'll bite. Some of us have a standard of stability and completeness, totally independent of version numbers. Was Internet Explorer 1.0 a happy, complete, stable application? Is Firefox 0.9.1? I think you're fooling yourself if you think version numbers provide any sort of yardstick of the readiness-to-use of an application. I personally won't use ANY Microsoft product in a production (read: at work) environment until it has at least TWO service packs. Windows, Office, SQL, SMS, doesn't matter. Microsoft's standard is "it's 1.0 when we need to release it. it's sp2 when it's ready for prime time". Not all companies are the same way. Corel has yet to release a product ready for prime time, and WordPerfect's up to 12 or so. Cisco, when motivated, can get things done right in the first release. Open Source projects all have their own standards. Firefox 0.9.1 is much more mature and ready for prime-time than the latest PR or SP2. The Xine maintainers, who must all be insane,
            have a project that's been stable for years and it hasn't hit 1.0 yet. If Firefox suddenly released 2.0 would it sudenly be more mature? How about 3.0? What's the magic happy number? THERE IS NONE. You have to gauge each vendor, and each application, by a consistent set of rules and just forget what version number the marketing people decided it should have.
            • Re:Goes to show... (Score:3, Informative)

              by Coryoth ( 254751 )
              The Xine maintainers, who must all be insane,
              have a project that's been stable for years and it hasn't hit 1.0 yet.

              It's worth noting that, technically, Emacs hasn't gone 1.0 yet either. The version is really 0.21 - it's just that they've been in the minor version numbers for so long now nobody refers to it that way anymore. Is Emacs incomplete? Lacking functionality perhaps? Apparently yes.

              • by Anonymous Coward on Monday July 12, 2004 @09:47PM (#9682150)
                emacs will hit version 1.0 when it can shake the programmer's hand, look him in the eye and say "I'm ready."
          • Re:Goes to show... (Score:5, Insightful)

            by Flower ( 31351 ) on Monday July 12, 2004 @08:39PM (#9681670) Homepage
            You damn well bet it doesn't count here at work. My patching an application is entirely different than upgrading the OS with a beta service pack. I would have to go through all our departments, make sure I tweak the upgrade so it doesn't break any of the services that make us money and then go through the whole deal again once the official release is out.

            There is a big difference between the degree of risk I take with upgrading Firefox and the major overhaul that SP2 is going to turn out being. Sorry but this hypocrite isn't buying your assertion.

          • Um, well, the difference here, my friend, is that one is an upgrade for an application (Mozilla Firefox), and the other is an upgrade for an entire operating system (Windows XP). One risks the ability to browse , the other risks the ability to boot .

            Prudent people might be willing to risk blowing up their pre-release browser for functionality and security, while not be willing to risk blowing up their entire OS with a pre-release patch just to get their browser updated...

          • Re:Goes to show... (Score:3, Insightful)

            by Tony-A ( 29931 )
            But at least don't be a hypocrite like half the people here and say that sp2 "doesn't count" until it reaches final release form, while firefox "counts" even though it's also in pre-release form

            Well, when Microsoft can do the equivalent of:
            Run old version.
            Install new version.
            Run new version.
            Decide you don't like it and reinstall old version.

            It's not a level playing field. Half-baked open source "counts" whereas Microsoft's "almost" doesn't. Works like the beta of alpha-beta statistical errors.
      • Re:Goes to show... (Score:5, Insightful)

        by Anonymous Coward on Monday July 12, 2004 @08:04PM (#9681402)
        The URI exploit in its general form is mitigated by the fact that you can't pass any command-line arguments to the command. So you can launch a bunch of Notepads, so what? However, you CAN type a filename in and have it open in its associated application. If that filename is too long, you can exploit a buffer overflow in the helper application. There happens to be a plentitude of client applications on a standard XP box with buffer overflow possibilities. Once you're there, go anywhere you want with the privileges of the user on the XP box (which is usually admin, and if not, you can usually get admin without a lot of effort).

        Anyway, SP2's memory protection would have prevented the overflow attack. It would not have prevented the most general (and less harmful) form of the attack, however.

        What the original poster was probably meaning, if he had a point at all, was that non-Windows systems don't do this sort of "command-line-as-a-protocol" bullshit because it's quite obviously the wrong way to do things. Security through obscurity works in a lot of cases because people think "nobody would EVER design an OS that did THIS" and they never bother to look. Well, now someone's looked and found an ancient kludge coded by someone who probably doesn't even work for MS anymore. And more man-hours are going into fixing this bug than would have gone into creating a proper implementation of whatever this goober was trying to accomplish in the first place.

        That said, Open Source isn't pixie dust that makes everything happy and secure. Stupid things happen in Linux. They just happen in the open where people can find them and fix them before applications start relying on them to function.
      • I kI know that xp sp2 protected against the Mozilla exploit

        Are you posting from the future, sometime like september? Which might be after sp2 is finally released [slashdot.org], because given MS's history just because something is fixed in the beta doesn't mean it will make the final cut.

        only fixed "in the open source world" seem pretty specious

        That's not what was said and you know it.

  • Aren't we over our bugs-o-the-day limit?
  • by ZZeta ( 743322 ) on Monday July 12, 2004 @07:48PM (#9681273)
    Well now, let's see how long it takes for their patch to come out.
  • by artlu ( 265391 ) <artlu AT artlu DOT net> on Monday July 12, 2004 @07:49PM (#9681278) Homepage Journal
    Anyone know if Word 2004 for OSX is safe from the URI exploit? I know that the macs have been having trouble with the URI exploit over the past few months based on some articles I've read at macslash.

    GroupShares Inc. [groupshares.com] - A Free and Interactive Stock Market Community
    • by afidel ( 530433 ) on Monday July 12, 2004 @07:52PM (#9681310)
      Well since the Mozilla URI exploit was specific to XP I would imagine that these exploits would likewise be limited to a vulnerable OS.
    • by Alex Brasetvik ( 554885 ) <<moc.kivtesarb> <ta> <xela>> on Monday July 12, 2004 @07:54PM (#9681322)
      Mac OS X' Safari had a very similar flaw, where one could use disk:// to mount a disk image, which could execute whatever it wanted to.

      That flaw was fixed with the 2004-06-07 security update [apple.com].

      • The problem in Mac OS X wasn't fixed. Only the particular symptom of it that produced the disk: and help: vulnerabilities. The underlying design flaw, that of having a single set of protocol and application bindings for both trusted and untrusted objects, still exists in both Windows and Mac OS X.

        This has been the biggest continuing problem with Windows security for most of the past decade, and I'm sick of it.
        • by spitzak ( 4019 ) on Monday July 12, 2004 @08:52PM (#9681773) Homepage
          This is not really accurate. The Mac had a unique exploit, in that something a url did would "register" a new protocol handler. The page could then send a request for that protocol and it could execute arbitrary code supplied by the page. The second step is equivalent to the shell exploit, but without the first part it is limited to executing code already installed on the system (not that this is good, but it does not seem as bad...)

          On Windows I don't believe you can register a new protocol unless you actually execute a program. If there was a bug that allowed new protocols to be registered it would pretty much mean it is a bug that allowed arbitrary code to be executed, which would be a huge hole whether or not protocols could be registered.
          • The Mac had a unique exploit, in that something a url did would "register" a new protocol handler.

            That's the first I've heard of it.

            The disk: URL would map a n internet enabled disk image into the file system in a known place, and a following file: URL would execute code from the disk. This is the same kind of privilege escalation as on the Windows exploit that involved knowning the name of the temporary file that a web page or mail message was stored in, and then providing a file: URL that would load it
      • by System.out.println() ( 755533 ) on Monday July 12, 2004 @08:31PM (#9681618) Journal
        That's not quite accurate. The disk:// protocol was a part of the exploit, but that protocol did not allow a website to run anything - only to auto-mount a disk or disk image.

        The real threat was the fact that programs could auto-register a new protocol that would be "handled" by a program contained within said disk image. Linking to exploit:// (as an example) would then launch the program that had registered itself as the handler for the made-up protocol. Thus, clicking on a link would run the program.

        In any case, that Security Update did indeed fix it by asking the user the first time a new protocol's handler was added.
    • A URI exploit in Word is a relatively minor issue, so long as Word contains a macro language that can execute arbitrary code. It's kind of like worrying about whether you left the stove on when you're fleeing because there's a cruise missile targeting your home.
  • by cookie_cutter ( 533841 ) on Monday July 12, 2004 @07:50PM (#9681291)
    How obscure is this bug?

    If it's non-obvious and contrived, is it reasonable to assume that Microsoft could be lifting, or at least peeking at, code from the mozilla project and replicating it in their own browser?

    Naw; if that were true, IE wouldn't suck so much.

    • by LostCluster ( 625375 ) * on Monday July 12, 2004 @07:55PM (#9681335)
      It's not as much a bug but a dumb feature.

      shell:[program-name] is supposed to be a URI syntax for running any given program on the computer. Of course, this is a slightly dangerous thing to have available for any given document to trigger unannounced, but it is a rather useful feature to have if somebody wants to tell everybody on a company network how to run a program that was just installed.

    • It's not reasonable at all, if I understand the nature of the shell: exploit in Mozilla.

      shell: is handled by Windows itself. The browser simply passed the URI on to be dealt with, as Microsoft programmers intended.

      Although there were concerns about allowing the browser to hand off unrecognized URIs to the underlying operating system two years ago, this particular exploit was recognized and patched within a day, by preventing Mozilla from passing shell: stuff on.

      Basically, it's an exploitable Windows fun
    • Yeah, I'm sure that Moz code will work in IE without having to hack it together at all.... Or not.
  • Already fixed? (Score:5, Informative)

    by Marxist Hacker 42 ( 638312 ) <seebert42@gmail.com> on Monday July 12, 2004 @07:50PM (#9681295) Homepage Journal
    I just tried it in Microsoft Word 2002, with XP SP1 and all of the approved hotfixes for my agency, and it restricted it just fine- wouldn't even recognize it as a hotlink.
    • nah, you see, what you have to do is go insert>hyperlink and paste something like shell:c:\windows\explorer.exe in the hyperlink box and then click ok. It will then pass the unknown protocal off to windows like mozilla did and windows will answer. Only works on windows NT,2000, and XP though.
      • I get "Cannot Find shell:c:\windows\explorer.exe". And yes, I doublechecked Explorer.exe's location. The fact that the error message is including "shell:" tells me that it's simply not interpreting the protocol correctly in Word 2002, XP SP1. Might work in Office 2000 though, or some other version, YMMV. Of course, the State of Oregon is too cash poor to provide contractors with Office 2003.....
        • Re:Already fixed? (Score:5, Informative)

          by jesser ( 77961 ) on Monday July 12, 2004 @08:18PM (#9681514) Homepage Journal
          You're using the wrong URL. It's

          • Fixed in Word 2003 (Score:5, Informative)

            by AzrealAO ( 520019 ) on Monday July 12, 2004 @08:25PM (#9681572)
            Microsoft Word 2003 w/Latest Updates.

            Insert > Hyperlink
            shell:explorer.exe (path should be unneccessary, tried shell:windows\explorer.exe as well)

            Critical Error Dialog pops up

            Opening "shell:explorer.exe"

            Hyperlinks can be harmful to your computer and data. To protect your computer, click only those hyperlinks from trusted sources. Do you want to continue?
            Yes | No

            Pressed Yes and nothing to happened.
            • by jesser ( 77961 )
              shell:explorer.exe (path should be unneccessary, tried shell:windows\explorer.exe as well)

              For me, shell:windows\explorer.exe works in Start - Run, but shell:explorer.exe does not.

              Hyperlinks can be harmful to your computer and data.


              Does it give the same warning for http hyperlinks?
  • by NightWulf ( 672561 ) on Monday July 12, 2004 @07:52PM (#9681306)
    According to the article "Malicious hackers could launch programs associated with specific extensions using links embedded in Word documents or instant messages sent using MSN. However, the vulnerability does not allow attackers to pass instructions to the programs..." Now call me crazy, and I know i'll probably piss off the microsoft hating people here, but what harm is there really? What's some "hacker" gonna do, open up Acdsee and show my porn collection to well...me? Maybe pop open a few dozen IE windows or programs to force me to reboot? If there's nothing else being transferred it's really just more of a nuisance than something major. Or am I just reading this wrong?
    • how about a worm or virus spreads for a few months and lies dormant so nobody notices, nobody issues AV patches, then the attacker(s) use this URI exploit to trigger the nasty payload in one swell 15 minute swoop.

      Instead of having code in there that waits till a certain time to activate (which could be detected by a host based IDS) or needs to download another component from rooted server x (that could be blocked at the router or local firewall level) there would be nothing wrong, and then sudenly all over
    • The article is rather vague on this point. The could mean that Hackers cannot pass command line parameters to the programs, which would probably make the bug more of a nusance. OTOH, they could mean that once started, they cannot interface with the text window/GUI. This would be a big deal to me, because as I mentioned, it might allow them to pass command line parameters when starting it.

      For example, FORMAT c: \Y or something similar to bypass the fail-safe that the FORMAT command had?
    • There's an explanation here [seclists.org] of how it could be used to exploit buffer overflows in apps.
    • Obviously, I can DOS your computer by overtaking your resources by running some app a bazillion times.

      I can also use launching apps to say I'm from MS, Yahoo, etc and tell the user to login and change their password (among other things). What user will say "I see you can run apps remotely on my computer but I know this is just the shell URI problem!"

      >Or am I just reading this wrong?

      Yeah, you're thinking like a techie and not a user. Problem #1 in the industry and here as well.
  • Ready...set...GO (Score:4, Insightful)

    by linuxwrangler ( 582055 ) on Monday July 12, 2004 @07:55PM (#9681337)
    By the time the Mozilla story was posted on Slashdot the fix was already available - the link was even posted with the story.

    I don't see a patch posted with this story so I guess there's no way Microsoft can win the patch-speed race for this bug - all we will be able to do is place bets on just how much slower Microsoft is. Predictions, anyone?
  • Now we know. (Score:2, Interesting)

    by azuretongue ( 180140 )
    Now we know wether the shell scheme bug was in the OS or the application :)
  • Misinformation... (Score:5, Interesting)

    by Dwonis ( 52652 ) * on Monday July 12, 2004 @07:59PM (#9681363)
    "We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities with no exposure to malicious attackers while the update is being developed," the company said in an e-mail statement.

    (Score: -1, Troll)

    I find it interesting how they talk about "no exposure to malicious attackers", as if their products are magically invulnerable until someone discloses the hole to the public.

  • by peragrin ( 659227 ) on Monday July 12, 2004 @08:00PM (#9681373)
    HA HA

    Does it also count as the obligatory Simpson's quote?
  • I mean c'mon, WebSideStory confirmed it today and all.
  • by Todd Knarr ( 15451 ) on Monday July 12, 2004 @08:06PM (#9681420) Homepage

    I think the handling of this problem demonstrates the difference between Microsoft software and other software like Mozilla. In Mozilla, the problem didn't even require a real patch to fix, just a quick config setting to tell it not to pass things along to the shell: handler. My bet is that fixing Word etc. will require not just multiple registry changes but actual new code to allow shell: to be disabled. And odds on the first thing they try is to just add filters, and we'll see half a dozen iterations of exploits of this using different ways past the filters until MS finally includes a patch to allow it to be disabled.

  • by SnprBoB86 ( 576143 ) on Monday July 12, 2004 @08:11PM (#9681459) Homepage
    (that subject is a great way to get modded down)

    I created a shell link inside Office Word 2003 and when I clicked it I was warned that the hyperlink contained a potentially dangerous target and that I should only proceed if I trusted the source of the document. This warning does not appear for http, https, ftp, or other common "safe" protocols.

    I do not have MSN available for testing.
  • by jesser ( 77961 ) on Monday July 12, 2004 @08:16PM (#9681497) Homepage Journal
    I'm the one who posted this message [netsys.com] to Full Disclosure. I was too lazy to test all popular e-mail clients, IM clients, word processors, etc. that run on Windows, so I posted after finding only two vulnerable programs. Who wants to help?

    All you have to do is see if your programs accept links to shell:windows\notepad.exe. If clicking the link launches Notepad, it's vulnerable. If there's a warning dialog, it's somewhat vulnerable, depending on the wording of the dialog.
    • If you open the run dialog and type shell:windows\notepad.exe it opens it. That means Run has this flaw too!
  • URI!? (Score:3, Funny)

    by DonniKatz ( 623845 ) on Monday July 12, 2004 @08:19PM (#9681525) Homepage
    As the University of Rhode Island (URI) University College Representative in the Student Senate, I can assure you that no student at the University of Rhode Island is exploiting Microsoft Word... we're only pirating it.....
  • Mozilla flaw? (Score:5, Insightful)

    by ScriptGuru ( 574838 ) on Monday July 12, 2004 @08:24PM (#9681560)
    The Article's title is: Microsoft products also vulnerable to Mozilla flaw That is gross misinfomation, it should be something along the lines of "Microsoft products allow exploit of OS flaw, similar to Mozilla." The flaw itself is in the Windows operating system. It exposes access to shell functions that applications need to blacklist. Application developers shouldn't need to be concerned with "Oh, I need to stop that protocol for security." It should be the protocol developer's responsibility to say "Is this safe?"
  • by Slashcrunch ( 626325 ) on Monday July 12, 2004 @08:25PM (#9681573) Homepage
    The title is quite misleading on first glance.

    "Microsoft products also vulnerable to Mozilla flaw"

    If it was a Mozilla flaw to start with, my linux boxes would be vulnerable. I know its picky, but the title is not accurate IMHO as Mozilla is being used to take advantage of a Windows feature, rather than the flaw itself existing in Mozilla.
    • by tonyr60 ( 32153 ) * on Monday July 12, 2004 @08:46PM (#9681726)
      How about this one...

      It starts out as a "Sun Java Predictable File Location Weakness"

      Then, further down in the advisory....

      A PoC (Proof of Concept) exploit has been published, which:

      1) Uses the weakness in Sun Java to create a temporary file.

      2) Exploits a file enumeration vulnerability to find the name of the temporary file (100,000 possible combinations).

      3) Exploits a Cross-Zone vulnerability and uses the inherently insecure Windows "shell:" functionality:

      Use another browser than Microsoft Internet Explorer.

      Alternatively disable Active Scripting in Internet Explorer.

      If you do not use Internet Explorer, this issue is not considered a security problem.
  • by qseep ( 14218 ) on Monday July 12, 2004 @08:25PM (#9681577)
    It seems logical that the solution to many of these browser exploits is to run the browser with a separate set of OS permissions, i.e. as a separate user. This could be done using setuid under Unix. I don't know how it's accomplished on Windows.

    The special user would have greatly reduced permissions, which would prevent these exploits from being useful. This user could not execute anything but designated plugins, and could not save files except to a designated area.

    Why has this not been tried?
    • by TheLink ( 130905 ) on Tuesday July 13, 2004 @02:53AM (#9683586) Journal
      Uh, I've been doing it for IE and MSN Messenger for the past few weeks - since I was forced to switch from W2K to Windows XP at work.

      Create a user called veryrestricteduser and put it in a new morerestricted group and remove it from the Users group. I made the filesystem permissions more restrictive for members of that morerestricted group - so they can't even list files in c:\ only traverse it.

      My shortcut for IE is:
      C:\WINDOWS\system32\runas.exe /savecred /env /user:veryrestricteduser "C:\Program Files\Internet Explorer\IEXPLORE.EXE"

      Because of the /env (use current user's environment) what you need to do is allow the restricted user write access to your IE required directories- e.g. Favorites, Cookies, Local Settings.

      Alternatively you could remove the /env and run IE in the veryrestricteduser's environment and allow your normal user read access (and probably write access) to the veryrestricteduser's environment/profile. Then you don't have to allow the veryrestricteduser access to your normal user's directories. The more finely grained ACLs on Windows NTFS could make certain things more convenient.

      The latter method is probably safer, but doesn't allow you to share Favorites and Cookies when you do want to browse as your normal user for whatever reason.

      You'll probably want to change the icon back to one of the IE icons.

      The runas thing is klunkier than setuid and you can't do /savecred on Win2K, so you need to enter the password everytime you launch the shortcut for Win2K or WinXP Home. Savecred works on WinXP Pro.

      If you don't trust other applications I think you can do a similar things with them. For stuff that you really cannot trust, you should run them on a VMware VM or a separate machine.

  • by Demanche ( 587815 ) <chris.h@rediffmail.com> on Monday July 12, 2004 @08:27PM (#9681582)
    To try out open source browsers like Firefox and Mozilla....

    Maybe its about time for some people to concider some alternate producivity suites - not just openoffice - even some suites like Corel have some intriguing software that lacks the user base of microsoft.


    On a sidenote.. Corel lost a big share of its market to MS Office around the same time Netscape was crushed by IE. I remember my highschool used Corel at the time. Netscape was very smart to start the Mozilla Foundation insead of trying to beat MS, they are letting their supporters promote for them, gaining them some brand awareness if nothing else. Perhaps It wouldn't be so strange if Corel was to support a open source initiative, or merge with OpenOffice. The next best thing since frozen coffee for the computer geeks would be firefox and corel. Corel could sure use some geek to geek praising around now ;)

    For those of you not very firmiliar with Corel, at one point they were doing fairly well, then they kinda fell thru - had to lay off alot of people and are now trying to get back into the market.. but I personally think they face the same fate as Netscape.
    In the real world, If you loose a customer, it takes twice as long to get that customer to come back to your business, and that customer is a big factor keeping other possible business from you, as they will tell at least 10 people of their experiance.
    Based on this, even old Corel users would be hesitant or unwilling to switch back to Corel -so Corel needs a new movement. Open source anyone ;)

    Dying Proprietary Software + Open Source = Improved Code + Brand Awareness + "PROFIT" (Donations, Memberships? Support? and Smart Usage Of Your Brand Recognition)

    With so many software companies expected to bust with news of the markets this week, I wouldn't be surprised to see a few new related open source projects pop up.

    Rant> logout
  • by funkdid ( 780888 ) on Monday July 12, 2004 @08:37PM (#9681659)
    How about we have a /. pool, with Price is Right Rules.

    Here'show it works:

    You predict the next security flaw,exploit etc etc etc and what product it will hit. Apache buffer overflow (smart money says don't pick that one), Word vulernability etc. This could be cool.

    Dibs on Wednesday IE exploit.

  • by Tsu Dho Nimh ( 663417 ) <.abacaxi. .at. .hotmail.com.> on Monday July 12, 2004 @10:07PM (#9682275)
    Considering that Word's macros might need to launch another app, by means of the Shell command, it's a feature, not a bug. I've used it frequently in macros. It became a vulnerability when Word was made "Internet aware" and started logging onto the net at every opportunity.
  • by mattgreen ( 701203 ) on Monday July 12, 2004 @10:26PM (#9682387)
    I suspect a great many apps have (until recently) just blithely passed commands that have user input into ShellExecute() [microsoft.com]. Obviously, you can't do that, a fairly clever user can figure out how to get someone else to run a command on their system without their explicit consent. Note that MSDN doesn't mention anything about the possible security implications of it, which is why MS is being blindsided by it. Now, a ton of apps use ShellExecute(), it is the recommended way to launch the correct web browser on a user's system. What I did in my app was before calling ShellExecute(), extract the protocol and compare it against a whitelist of allowed protocols. In my case, I only allowed http, https, mailto, and ftp. If it wasn't one of those four, I just didn't do anything.
  • by MagicBox ( 576175 ) on Monday July 12, 2004 @10:36PM (#9682450)
    to *bash* Microsoft yet again. The article clearly stated that

    Microsoft's MSN Messenger and Word word processing application both support a feature that could give remote users access to functions that could be used launch applications on Windows computers, .....

    Unless the SECUNIA people are stupid, launching an app from within another app is what every Microsoft Application is able to do and has been able to do for many years. However I do not think that such feature exists for Microsoft products only. What I am having a hard time distingushing is between Secunia trying to stay on the news and a real vulnerability here. I am not saying it might not exist, but as of this moment I do not see anyone able to run a Shell() command within your app, unless they have gotten to your app, which means they have gotten to your computer already. Also this has existed for a long time. Why now? I might be completely wrong however, and someone at Secunia knows something they are not sharing. I advise them to share any info as soon as possible. The reason I am a little pissed is because in my company I have thousands of Word and Excel documents with thousands of lines of VBA code. With news like this, I smell a panic meeting early in the morning tomorrow which might be nothing more than FUD from Secunia. Honestly I am at a point where I am having a hard time trusting anyone anymore. Hackers want to be my security gurus, OS makers rant and rave about their respective OSes and how secure and reliable they are(only to issue security patches soon after), whole campaigns asking people to boycot a product because of vulnerabilities and use X product, only to find out that X is vulnerable as well. If you look at the stack of firewalls and security appliances at my company, it looks like we're building the walls of damn Troy. I joke with the security guys about the kind of attack they are preparing against. There is hope of course.....but how long before it's too late?
  • shell:fdisk (Score:3, Funny)

    by HermanAB ( 661181 ) on Monday July 12, 2004 @10:47PM (#9682506)




    shell:"deltree y \"

    Damn - I'll have to install windoze just to give it a try!
  • by Tiuq ( 764881 ) on Monday July 12, 2004 @11:09PM (#9682641)
    At school the command prompt is disabled, and you can't right click and make a new batch file, and you can't rename the extensions so in order to run some commands all you have to do is write them in notepad, and then tell it save as "all files" and then give it the .bat extension. We sure did have a lot of fun with the netsends :P until someone put it in a loop and the teacher found out.
  • by ispeters ( 621097 ) <ispeters&alumni,uwaterloo,ca> on Monday July 12, 2004 @11:59PM (#9682847)

    I don't have WINE installed on my system, or the time to install and configure it, but since WINE re-implements the Windows API, wouldn't it have the function that Mozilla/IE/Word call to execute shell: URLs? Has anybody tested this vulnerability in WINE? Does anybody care what the results are?


Matter cannot be created or destroyed, nor can it be returned without a receipt.