MSN, Word Vulnerable To Shell: URI Exploit
LnxAddct writes "InfoWorld is reporting that a few Microsoft products are also vulnerable to the "shell:" scheme vulnerability found in Mozilla last week. These applications include Microsoft Word and MSN Messenger."
Fixed in SR2? (Score:3, Funny)
Re:Fixed in SR2? (Score:4, Funny)
Microsoft will surely fix this in no more than 2 "Microsoft" Days, which is around 6 months for the rest of Earth's population.
Re:Fixed in SR2? (Score:5, Informative)
Re:Mozilla is Slow to Respond! (Score:5, Insightful)
If your Flash plugin had a security hole, would you expect Mozilla, Opera, IE, etc. to filter certain access so that security hole couldn't be exploited?
No, MS is responsible for the security of their own products.
Re:Mozilla is Slow to Respond! (Score:3, Insightful)
Do you know the first rule of secure programming?
DO NOT trust input data.
If a browser gets data and blindly passes it to the OS, well... that's a bad browser. I don't see MS's fault at all.
Re:Mozilla is Slow to Respond! (Score:5, Insightful)
Re:Mozilla is Slow to Respond! (Score:4, Insightful)
First there shouldn't even be a shell uri in the OS! Second, there is a vulnerability IN THE SHELL URI which escalates the priv level to that of the user.
If Mozilla passed the data along and said, "here ya go, it's good stuff, completely trusted," that would be one thing, but Mozilla passes it along and says, "I have no clue what this is or where it's coming from and have no reason to believe it safe in any fashion. You have any ideas?"
If it's the RIGHT data, then windows tells itself it was the current user and not some untrusted guy off the web who gave it that data. The bug is in windows!
Hell the entire scheme or uri handling in windows is fscked up. There shouldn't be any uris which cause local execution!
Re:Mozilla is Slow to Respond! (Score:3, Informative)
Re:Mozilla is Slow to Respond! (Score:4, Interesting)
Finger pointing? Name calling towards Redmond? You are _severely_ misrepresenting this bug.
(to those curious: please read the bug info for yourself!)
I'm sorry, but if it takes 24 days to get past the name calling when confronted with a security flaw deemed major, OSS doesn't stand a chance.
I'd maybe lend more credibility to your statement if you weren't the bug submitter (and thus very biased). It might be major to you, but few people will be affected by this problem because a) not many people use compressed drives and b) not everyone runs windows. Don't expect people to run over and pat you on the back for finding a bug. If you think getting bugs fixed in a proprietary software company is always straightforward, then I wonder if you have experience working for a proprietary software company.
OTOH if it is very important to you or your company that this bug is fixed, why not pay someone to fix it?
Re:Mozilla is Slow to Respond! (Score:3)
There will be differences of opinion. It can be even worse to rush into fixing the wrong problems prematurely than just ignoring them if they don't seem to be doing any harm.
That said, it seems that this, and its exploit potential, has been "known" for quite some time, with a fair chance that some black hats are a bit annoyed that some of their repertoire has been e
Re:Mozilla is Slow to Respond! (Score:3, Insightful)
I don't understand what the problem is here. The OS in OSS means "Open Source". You have the source so (if you have the ability) you can fix the bug - and if you are civic minded enough you can submit your patch and give something back to the project. This is why OSS does stand a chance.
"Use the SOURCE Luke"
Mozilla Bug 163767 (Score:4, Informative)
Re:Mozilla Bug 163767 (Score:4, Insightful)
Every application that uses this scheme is vulnerable.
Maybe someone should check to see if IE has this "bug" as well.
Re:Mozilla Bug 163767 (Score:5, Interesting)
That's very probable since this is more a "metabug" in Windows - that might get fixed in SP2.
So, perhaps Mozilla should have "bug fixes" for every windows flaw that they uncover?
No. They should just disable insecure stuff by default. That's one of the strong points of Mozilla. They did write code at some point that passes some unfiltered, unchecked data from the web on to some external handler. That action is shouting "security hazard" all the way
Wouldn't that introduce quite a bit of bloat?
If you are fighting bloat, Moz shouldn't include this "feature" at all. But if someone writes code for this (rarely useful, but dangerous) feature, you better disable it by default.
Re:Mozilla Bug 163767 (Score:3, Funny)
What, disable the Windows builds? But what about all the people wanting to switch from IE?
NB: this was an attempt at humor
Re:Mozilla Bug 163767 (Score:3, Insightful)
And the whole reason the browser is passing it is because it's NOT a known uri type (who would expect there to be a shell uri, what kind of idiot comes up with the brilliant idea for a shell uri to begin with?).
This is windows, remember that most uri types aren't documented. Since we are only talking about unknown datatypes, it's a safe bet
Re:A NEW BUG!!! (Score:3, Informative)
Re:Mozilla Bug 163767 (Score:3, Informative)
Re:Fixed in SR2? (Score:5, Informative)
Re:Fixed in SR2? (Score:5, Interesting)
It was hardly a stupid decision. Passing unhandled URIs to the OS is a perfectly acceptable thing to do. Unless you think that handling things like ed2k: URIs and other yet-to-be-invented URIs is a bad thing.
Perhaps the URI handler built into the OS needs a local versus foreign flag..
Re:Fixed in SR2? (Score:3, Insightful)
So you're saying that it's ok for Microsoft to wait two years to fix it?
I didn't think so.
indiana jones quote (Score:3, Funny)
Indy: "Who?"
Intelligence Guy: "Top... Men..."
Haha (Score:2, Funny)
=P
Re:Haha (Score:5, Informative)
Re:Goes to show... (Score:5, Informative)
Re:Goes to show... (Score:3, Funny)
Re:Goes to show... (Score:3, Insightful)
Good. Go download it [microsoft.com]. Or don't. But at least don't be a hypocrite like half the people here and say that sp2 "doesn't count" until it reaches final release form, while firefox "counts" even though it's also in pre-release form (not even at 1.0 yet). Sort of like when people claim that IE on xp doesn't have popup blocking but firefox does.
Re:Goes to show... (Score:5, Insightful)
have a project that's been stable for years and it hasn't hit 1.0 yet. If Firefox suddenly released 2.0 would it suddenly be more mature? How about 3.0? What's the magic happy number? THERE IS NONE. You have to gauge each vendor, and each application, by a consistent set of rules and just forget what version number the marketing people decided it should have.
Re:Goes to show... (Score:3, Informative)
have a project that's been stable for years and it hasn't hit 1.0 yet.
It's worth noting that, technically, Emacs hasn't gone 1.0 yet either. The version is really 0.21 - it's just that they've been in the minor version numbers for so long now nobody refers to it that way anymore. Is Emacs incomplete? Lacking functionality perhaps? Apparently yes.
Jedidiah.
Re:Goes to show... (Score:5, Funny)
Re:Emacs on version 21.3 (Score:3, Funny)
Seriously, though - WTF do they want for feature completeness? Emacs is a kernel & a decent text editor away from being an operating system in its own right.
Re:Emacs on version 21.3 (Score:3, Informative)
Re:Goes to show... (Score:5, Insightful)
There is a big difference between the degree of risk I take with upgrading Firefox and the major overhaul that SP2 is going to turn out being. Sorry but this hypocrite isn't buying your assertion.
Re:Goes to show... (Score:3, Insightful)
Um, well, the difference here, my friend, is that one is an upgrade for an application (Mozilla Firefox), and the other is an upgrade for an entire operating system (Windows XP). One risks the ability to browse, the other risks the ability to boot.
Prudent people might be willing to risk blowing up their pre-release browser for functionality and security, while not be willing to risk blowing up their entire OS with a pre-release patch just to get their browser updated...
Re:Goes to show... (Score:3, Insightful)
Well, when Microsoft can do the equivalent of:
Run old version.
Install new version.
Run new version.
Decide you don't like it and reinstall old version.
It's not a level playing field. Half-baked open source "counts" whereas Microsoft's "almost" doesn't. Works like the beta of alpha-beta statistical errors.
Re:Goes to show... (Score:5, Insightful)
Anyway, SP2's memory protection would have prevented the overflow attack. It would not have prevented the most general (and less harmful) form of the attack, however.
What the original poster was probably meaning, if he had a point at all, was that non-Windows systems don't do this sort of "command-line-as-a-protocol" bullshit because it's quite obviously the wrong way to do things. Security through obscurity works in a lot of cases because people think "nobody would EVER design an OS that did THIS" and they never bother to look. Well, now someone's looked and found an ancient kludge coded by someone who probably doesn't even work for MS anymore. And more man-hours are going into fixing this bug than would have gone into creating a proper implementation of whatever this goober was trying to accomplish in the first place.
That said, Open Source isn't pixie dust that makes everything happy and secure. Stupid things happen in Linux. They just happen in the open where people can find them and fix them before applications start relying on them to function.
Re:Goes to show... (Score:3, Insightful)
Hello Mr. Time Traveller (Score:2)
I know that xp sp2 protected against the Mozilla exploit
Are you posting from the future, sometime like september? Which might be after sp2 is finally released [slashdot.org], because given MS's history just because something is fixed in the beta doesn't mean it will make the final cut.
only fixed "in the open source world" seem pretty specious
That's not what was said and you know it.
Re:Goes to show... (Score:5, Informative)
Creating a URI handler to execute shell commands is boneheaded. The Mozilla guys knew this but MS failed to fix it. And now we have more MS apps that don't work around this stupid thing. Any guess as to how much other software doesn't block access to this massive windows security hole?
About the only thing the Mozilla team did wrong is underestimate the stupidity of MS.
My mind is spinning (Score:2, Funny)
Re:My mind is spinning (Score:2, Funny)
Open Source vs. Microsoft (Score:4, Insightful)
Re:Open Source vs. Microsoft (Score:3, Funny)
Not as fast as the FUD they'll put out.
Re:Open Source vs. Microsoft (Score:3, Insightful)
Word 2004 for OSX Safe? (Score:5, Interesting)
Re:Word 2004 for OSX Safe? (Score:4, Insightful)
Re:Word 2004 for OSX Safe? (Score:5, Informative)
That flaw was fixed with the 2004-06-07 security update [apple.com].
Re:Word 2004 for OSX Safe? (Score:3, Interesting)
This has been the biggest continuing problem with Windows security for most of the past decade, and I'm sick of it.
Re:Word 2004 for OSX Safe? (Score:5, Insightful)
On Windows I don't believe you can register a new protocol unless you actually execute a program. If there was a bug that allowed new protocols to be registered it would pretty much mean it is a bug that allowed arbitrary code to be executed, which would be a huge hole whether or not protocols could be registered.
Re:Word 2004 for OSX Safe? (Score:3, Insightful)
That's the first I've heard of it.
The disk: URL would map an internet-enabled disk image into the file system in a known place, and a following file: URL would execute code from the disk. This is the same kind of privilege escalation as on the Windows exploit that involved knowing the name of the temporary file that a web page or mail message was stored in, and then providing a file: URL that would load it.
Re:Word 2004 for OSX Safe? (Score:5, Informative)
The real threat was the fact that programs could auto-register a new protocol that would be "handled" by a program contained within said disk image. Linking to exploit:// (as an example) would then launch the program that had registered itself as the handler for the made-up protocol. Thus, clicking on a link would run the program.
In any case, that Security Update did indeed fix it by asking the user the first time a new protocol's handler was added.
Re:Word 2004 for OSX Safe? (Score:5, Insightful)
Quite a coincidence (Score:4, Funny)
If it's non-obvious and contrived, is it reasonable to assume that Microsoft could be lifting, or at least peeking at, code from the mozilla project and replicating it in their own browser?
Naw; if that were true, IE wouldn't suck so much.
Re:Quite a coincidence (Score:5, Informative)
shell:[program-name] is supposed to be a URI syntax for running any given program on the computer. Of course, this is a slightly dangerous thing to have available for any given document to trigger unannounced, but it is a rather useful feature to have if somebody wants to tell everybody on a company network how to run a program that was just installed.
Re:Quite a coincidence (Score:3, Informative)
shell: is handled by Windows itself. The browser simply passed the URI on to be dealt with, as Microsoft programmers intended.
Although there were concerns about allowing the browser to hand off unrecognized URIs to the underlying operating system two years ago, this particular exploit was recognized and patched within a day, by preventing Mozilla from passing shell: stuff on.
Basically, it's an exploitable Windows fun
Re:Quite a coincidence (Score:2)
Already fixed? (Score:5, Informative)
Re:Already fixed? (Score:2)
Re:Already fixed? (Score:2)
Re:Already fixed? (Score:5, Informative)
shell:windows\explorer.exe
Fixed in Word 2003 (Score:5, Informative)
Insert > Hyperlink
shell:explorer.exe (path should be unnecessary, tried shell:windows\explorer.exe as well)
Critical Error Dialog pops up
Opening "shell:explorer.exe"
Hyperlinks can be harmful to your computer and data. To protect your computer, click only those hyperlinks from trusted sources. Do you want to continue?
Yes | No
Pressed Yes and nothing happened.
Re:Fixed in Word 2003 (Score:3, Informative)
For me, shell:windows\explorer.exe works in Start - Run, but shell:explorer.exe does not.
Hyperlinks can be harmful to your computer and data.
Umm.
Does it give the same warning for http hyperlinks?
Can only allow programs to be run... (Score:5, Interesting)
Re:Can only allow programs to be run... (Score:2)
Instead of having code in there that waits till a certain time to activate (which could be detected by a host-based IDS) or needs to download another component from rooted server x (that could be blocked at the router or local firewall level) there would be nothing wrong, and then suddenly all over
Re:Can only allow programs to be run... (Score:2, Interesting)
For example, FORMAT c: \Y or something similar to bypass the fail-safe that the FORMAT command had?
Re:Can only allow programs to be run... (Score:3, Informative)
DOS and social engineering (Score:3, Interesting)
I can also use launching apps to say I'm from MS, Yahoo, etc and tell the user to login and change their password (among other things). What user will say "I see you can run apps remotely on my computer but I know this is just the shell URI problem!"
>Or am I just reading this wrong?
Yeah, you're thinking like a techie and not a user. Problem #1 in the industry and here as well.
Re:Can only allow programs to be run... (Score:2, Funny)
Re:Can only allow programs to be run... (Score:4, Informative)
Ready...set...GO (Score:4, Insightful)
I don't see a patch posted with this story so I guess there's no way Microsoft can win the patch-speed race for this bug - all we will be able to do is place bets on just how much slower Microsoft is. Predictions, anyone?
Re:Ready...set...GO (Score:4, Interesting)
Now we know. (Score:2, Interesting)
Misinformation... (Score:5, Interesting)
I find it interesting how they talk about "no exposure to malicious attackers", as if their products are magically invulnerable until someone discloses the hole to the public.
Two words come to mind (Score:3, Funny)
Does it also count as the obligatory Simpsons quote?
Can we call them beleaguered now? (Score:2)
Re:Can we call them beleaguered now? (Score:3, Informative)
Difference between MS and the rest (Score:5, Insightful)
I think the handling of this problem demonstrates the difference between Microsoft software and other software like Mozilla. In Mozilla, the problem didn't even require a real patch to fix, just a quick config setting to tell it not to pass things along to the shell: handler. My bet is that fixing Word etc. will require not just multiple registry changes but actual new code to allow shell: to be disabled. And odds on the first thing they try is to just add filters, and we'll see half a dozen iterations of exploits of this using different ways past the filters until MS finally includes a patch to allow it to be disabled.
In Microsoft's Defense... (Score:5, Interesting)
I created a shell link inside Office Word 2003 and when I clicked it I was warned that the hyperlink contained a potentially dangerous target and that I should only proceed if I trusted the source of the document. This warning does not appear for http, https, ftp, or other common "safe" protocols.
I do not have MSN available for testing.
What other programs are vulnerable? (Score:5, Informative)
All you have to do is see if your programs accept links to shell:windows\notepad.exe. If clicking the link launches Notepad, it's vulnerable. If there's a warning dialog, it's somewhat vulnerable, depending on the wording of the dialog.
'Run' has this flaw too! (Score:3, Funny)
Re:What other programs are vulnerable? (Score:3, Interesting)
And, let's face it, they were using this as an opportunity to squelch the recent rash of switches from IE to Mozilla. They deserve to be hit
Re:What other programs are vulnerable? (Score:5, Informative)
I got an IM from someone at Microsoft thanking me for the post on Full Disclosure. Microsoft earned a little respect from me today.
Re:What other programs are vulnerable? (Score:3, Insightful)
(I didn't see anyone say that on Full Disclosure.)
You're wrong. Neither of the programs I tested raised a warning dialog. A newer version of Word does, though, as pointed out by several Slashdotters.
In neither case does the link "self execute" -- you need to act on it to cause the problem.
The only action re
URI!? (Score:3, Funny)
Mozilla flaw? (Score:5, Insightful)
Re:Mozilla flaw? (Score:3, Insightful)
Of course, they could whitelist, say "Okay, only telnet:, ssh:, and aim: can go through." But this r
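An added example (not code from the thread, from Mozilla or from Microsoft) of the default-deny scheme gate this comment proposes ("only telnet:, ssh:, and aim: can go through"). It also automates the check from the "What other programs are vulnerable?" post above: does a link such as shell:windows\notepad.exe reach the OS handler? The scheme sets, the `legacy_pass_through` model of the old behaviour and the sample links are assumptions constructed for the example.

```python
"""Default-deny scheme gate for an application that hands unknown URIs to the
operating system's protocol handler.

Added example (not code from the thread, from Mozilla or from Microsoft).  It
implements the allow-list the comment proposes ("only telnet:, ssh:, and aim:
can go through") and automates the check from the "What other programs are
vulnerable?" post: does a link such as shell:windows\\notepad.exe reach the
OS?  The scheme sets and sample links are constructed for this example."""

import re
from typing import List, Optional, Tuple

# RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Schemes the application renders itself (assumed for the example).
INTERNAL_SCHEMES = {"http", "https", "ftp", "mailto"}

# Schemes allowed to be handed to an external handler (assumed allow-list:
# the comment's three plus ed2k:, mentioned earlier in the thread).
EXTERNAL_ALLOWLIST = {"telnet", "ssh", "aim", "ed2k"}


def scheme_of(uri: str) -> Optional[str]:
    """Return the lower-cased scheme of ``uri``, or None if it has no scheme.

    Leading whitespace and NULs are stripped because handlers tend to ignore
    them, so a filter that does not strip can be bypassed by a leading space.
    Matching is case-insensitive for the same reason (SHELL: is shell:).  A
    single-letter "scheme" is treated as a Windows drive letter (C:\\...),
    i.e. a local path rather than a URI scheme."""
    candidate = uri.lstrip(" \t\r\n\x00")
    match = _SCHEME_RE.match(candidate)
    if match is None:
        return None
    scheme = match.group(1).lower()
    if len(scheme) == 1:
        return None
    return scheme


def classify(uri: str) -> str:
    """Return 'internal', 'external' or 'blocked' for a link.

    Unknown schemes are blocked: a newly invented or undocumented scheme
    (shell: being the one the thread is about) must be opted in explicitly
    instead of reaching the OS by default."""
    scheme = scheme_of(uri)
    if scheme is None:
        return "blocked"
    if scheme in INTERNAL_SCHEMES:
        return "internal"
    if scheme in EXTERNAL_ALLOWLIST:
        return "external"
    return "blocked"


def legacy_pass_through(uri: str) -> bool:
    """Model of the pre-fix behaviour discussed in the thread: every URI the
    application does not render itself is handed to the OS, whatever its
    scheme (an assumption for the example, not Mozilla's actual code)."""
    scheme = scheme_of(uri)
    return scheme is not None and scheme not in INTERNAL_SCHEMES


# Constructed sample links mixing ordinary, allow-listed and shell: cases.
SAMPLE_LINKS = [
    "http://example.com/",
    "shell:windows\\notepad.exe",
    "SHELL:windows\\explorer.exe",
    " shell:explorer.exe",
    "ssh://host.example",
    "ed2k://|file|example.iso|1024|0123456789abcdef0123456789abcdef|/",
    "C:\\WINDOWS\\system32\\runas.exe",
    "mailto:user@example.com",
]


def audit_links(links: List[str]) -> List[Tuple[str, Optional[str], str, bool]]:
    """For each link return (link, scheme, allow-list decision, legacy hand-off).

    Comparing the last two columns shows which links the old pass-everything
    behaviour would have sent to the OS and the allow-list stops."""
    return [(u, scheme_of(u), classify(u), legacy_pass_through(u)) for u in links]


if __name__ == "__main__":
    for link, scheme, decision, legacy in audit_links(SAMPLE_LINKS):
        print(f"{link!r:70} scheme={scheme!s:8} policy={decision:8} "
              f"legacy_handoff={legacy}")
```

Running the block prints one row per sample link; the `shell:` variants (including the upper-case and leading-space forms) show `legacy_handoff=True` but `policy=blocked`, while `C:\WINDOWS\system32\runas.exe` is never treated as a scheme at all. The point of the allow-list over a deny-list is in `classify`: a scheme nobody has heard of yet gets the same treatment as `shell:`, so the gate does not need updating each time a new local handler turns up.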
Misleading title - "...Mozilla flaw" (Score:5, Insightful)
"Microsoft products also vulnerable to Mozilla flaw"
If it was a Mozilla flaw to start with, my Linux boxes would be vulnerable. I know it's picky, but the title is not accurate IMHO as Mozilla is being used to take advantage of a Windows feature, rather than the flaw itself existing in Mozilla.
Re:Misleading title - "...Mozilla flaw" (Score:5, Interesting)
http://secunia.com/advisories/12043/
It starts out as a "Sun Java Predictable File Location Weakness"
Then, further down in the advisory....
A PoC (Proof of Concept) exploit has been published, which:
1) Uses the weakness in Sun Java to create a temporary file.
2) Exploits a file enumeration vulnerability to find the name of the temporary file (100,000 possible combinations).
SA10820
3) Exploits a Cross-Zone vulnerability and uses the inherently insecure Windows "shell:" functionality:
SA11793
Solution:
Use another browser than Microsoft Internet Explorer.
Alternatively disable Active Scripting in Internet Explorer.
If you do not use Internet Explorer, this issue is not considered a security problem.
Run as a separate user! (Score:5, Interesting)
The special user would have greatly reduced permissions, which would prevent these exploits from being useful. This user could not execute anything but designated plugins, and could not save files except to a designated area.
Why has this not been tried?
Been there done that. (Score:5, Informative)
Create a user called veryrestricteduser and put it in a new morerestricted group and remove it from the Users group. I made the filesystem permissions more restrictive for members of that morerestricted group - so they can't even list files in c:\ only traverse it.
My shortcut for IE is:
C:\WINDOWS\system32\runas.exe
Because of the
Alternatively you could remove the
The latter method is probably safer, but doesn't allow you to share Favorites and Cookies when you do want to browse as your normal user for whatever reason.
You'll probably want to change the icon back to one of the IE icons.
The runas thing is klunkier than setuid and you can't do
If you don't trust other applications I think you can do similar things with them. For stuff that you really cannot trust, you should run them on a VMware VM or a separate machine.
Even more reason.... (Score:5, Insightful)
Maybe it's about time for some people to consider some alternate productivity suites - not just OpenOffice - even some suites like Corel have some intriguing software that lacks the user base of Microsoft.
Rant>./rant
On a side note.. Corel lost a big share of its market to MS Office around the same time Netscape was crushed by IE. I remember my high school used Corel at the time. Netscape was very smart to start the Mozilla Foundation instead of trying to beat MS; they are letting their supporters promote for them, gaining them some brand awareness if nothing else. Perhaps it wouldn't be so strange if Corel was to support an open source initiative, or merge with OpenOffice. The next best thing since frozen coffee for the computer geeks would be Firefox and Corel. Corel could sure use some geek-to-geek praising around now
For those of you not very familiar with Corel, at one point they were doing fairly well, then they kinda fell through - had to lay off a lot of people and are now trying to get back into the market.. but I personally think they face the same fate as Netscape.
In the real world, if you lose a customer, it takes twice as long to get that customer to come back to your business, and that customer is a big factor keeping other possible business from you, as they will tell at least 10 people of their experience.
Based on this, even old Corel users would be hesitant or unwilling to switch back to Corel -so Corel needs a new movement. Open source anyone
Dying Proprietary Software + Open Source = Improved Code + Brand Awareness + "PROFIT" (Donations, Memberships? Support? and Smart Usage Of Your Brand Recognition)
With so many software companies expected to bust with news of the markets this week, I wouldn't be surprised to see a few new related open source projects pop up.
Rant> logout
Price is Right Rules (Score:5, Funny)
Here's how it works:
You predict the next security flaw, exploit etc etc etc and what product it will hit. Apache buffer overflow (smart money says don't pick that one), Word vulnerability etc. This could be cool.
Dibs on Wednesday IE exploit.
Shell - it's USEFUL in Word (Score:3, Interesting)
Hmm, ShellExecute() the problem? (Score:5, Interesting)
It is a little premature (Score:3, Insightful)
Microsoft's MSN Messenger and Word word processing application both support a feature that could give remote users access to functions that could be used to launch applications on Windows computers,
Unless the SECUNIA people are stupid, launching an app from within another app is what every Microsoft Application is able to do and has been able to do for many years. However I do not think that such feature exists for Microsoft products only. What I am having a hard time distinguishing is between Secunia trying to stay on the news and a real vulnerability here. I am not saying it might not exist, but as of this moment I do not see anyone able to run a Shell() command within your app, unless they have gotten to your app, which means they have gotten to your computer already. Also this has existed for a long time. Why now? I might be completely wrong however, and someone at Secunia knows something they are not sharing. I advise them to share any info as soon as possible. The reason I am a little pissed is because in my company I have thousands of Word and Excel documents with thousands of lines of VBA code. With news like this, I smell a panic meeting early in the morning tomorrow which might be nothing more than FUD from Secunia. Honestly I am at a point where I am having a hard time trusting anyone anymore. Hackers want to be my security gurus, OS makers rant and rave about their respective OSes and how secure and reliable they are (only to issue security patches soon after), whole campaigns asking people to boycott a product because of vulnerabilities and use X product, only to find out that X is vulnerable as well. If you look at the stack of firewalls and security appliances at my company, it looks like we're building the walls of damn Troy. I joke with the security guys about the kind of attack they are preparing against. There is hope of course.....but how long before it's too late?
shell:fdisk (Score:3, Funny)
shell:win
shell:deltree%20y%20\
shell:deltree/20y/20\
shell:"deltree y \"
Damn - I'll have to install windoze just to give it a try!
no command prompt? use batch files! (Score:3, Funny)
Anybody tried this on WINE? (Score:4, Interesting)
I don't have WINE installed on my system, or the time to install and configure it, but since WINE re-implements the Windows API, wouldn't it have the function that Mozilla/IE/Word call to execute shell: URLs? Has anybody tested this vulnerability in WINE? Does anybody care what the results are?
Ian
I know you're a troll, but... (Score:4, Insightful)
This is not a flaw in Mozilla, nor is it a flaw in IE, Outlook, Word, or any other part of Microsoft Office.
This flaw is a flaw in Windows, and is typical of flaws in Windows in that the OS is expecting its applications to handle security, will run any piece of crap handed to it by any app, and we can expect to see more flaws that are similar in nature due to the heavily integrated design of the Windows operating system.