Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security The Internet

New URI Browser Flaws Worse Than First Thought 149

narramissic writes "URI (Uniform Resource Identifier) bugs have become a hot topic over the past month, since researcher Thor Larholm showed how a browser could be tricked into sending malformed data to Firefox. Now, security researchers Billy Rios and Nathan McFeters say they've discovered a number of ways attackers could misuse the URI protocol handler technology to steal data from a victim's computer. 'It is possible through the URI to actually steal content form the user's machine and upload that content to a remote server of the attacker's choice,' said McFetters, a senior security advisor for Ernst & Young Global Ltd. 'This is all through functionality that the application provides.'"
This discussion has been archived. No new comments can be posted.

New URI Browser Flaws Worse Than First Thought

Comments Filter:
  • Oh my (Score:5, Informative)

    by zmotula ( 663798 ) on Thursday August 16, 2007 @04:11AM (#20246749) Homepage
    There is not a SINGLE technical detail about the bug in the article. The first paragraph pretty much says it all:

    Security researchers Billy Rios and Nathan McFeters say they've discovered a new way that the URI (Uniform Resource Identifier) protocol handler technology, used by Windows to launch programs through the browser, can be misused to steal data from a victim's computer.

    It is impossible to say whether this bug is really exploitable, whether it matters at all. So far they ("security researchers") can be only getting a free publicity. Is this news for nerds?
    • by jkrise ( 535370 )
      There is not a SINGLE technical detail about the bug in the article. The first paragraph pretty much says it all

      If you actually read through till the last para, you ill note that the bug has something to do with Microsoft, Registry, Internet Explorer and registering programs.
      • ... something to do with Microsoft, Registry, Internet Explorer

        That unholy trinity does not give me a warm and fuzzy feeling.

      • Re:Oh my (Score:5, Informative)

        by Intron ( 870560 ) on Thursday August 16, 2007 @09:07AM (#20248863)
        mozilla bug 389580

        "On Windows XP some urls for "web" protocols that contain %00 launch the wrong
        handler and appear to be able to launch local programs, with limited argument
        passing. It is not yet clear that this can be used to compromise a machine but
        we can always fear the worst.

        The same behavior is observed using "Run" from the Windows Start menu for the
        affected protocols (http, https, ftp, gopher, telnet, mailto, news, snews,
        nttp, possibly others?).

        The behavior seems to be that if there's a %00 in the URL for these schemes
        then the URL Protocol handler is not called, instead the FileType handler is
        called based on the extension of the full url. The url is then passed to that
        File handler. For "non-web" URL handlers the URL is passed to the expected
        handler.

        In Firefox browser protocols are handled internally so are not vulnerable, but
        the mailnews protocols are handed off to the OS and can be abused in this way."

        ====
        So you can construct a uri like: "mailto:/...%00...something.exe"
        Firefox sees mailto and hands it to Windows to give it to the mail program
        Windows sees %00 and mistakenly hands it to the FileType handler.
        The FileType handler sees ".exe" and runs the program.

        • In other words, it's a backdoor in the URI handler for Windows, and Microsoft is "educating" everybody to scrub inputs before passing things off to the backdoored handler.

          Great. MS became the "gatekeeper" to all networking security bugs in their OS when they integrated IE into the operating system back in 1997. This is easily fixed by not allowing the URI handler in the OS to behave strangely when given specific inputs (such as %00 and " ).

          In short, Microsoft should remove the backdoor. 'Nuff said.

          --
          Toro
    • Re: (Score:3, Insightful)

      There is not a SINGLE technical detail about the bug in the article.

      That's on purpose - they don't want their article to give hackers any real direction on how to exploit it. From TFA..."Rios and McFetters plan to release the results of their research after the vendor has had a chance to fix the problem".

      Yes, this is news for nerds - I know I'll be avoiding the URI protocol cautiously, if at all. I am duly informed. (Of course a real nerd would have known this already, so I have to turn in my card, I g

      • Re:Oh my (Score:4, Informative)

        by martin-boundary ( 547041 ) on Thursday August 16, 2007 @06:17AM (#20247247)

        That's on purpose - they don't want their article to give hackers any real direction on how to exploit it.
        Sorry, but that's bullshit. Anyone can say they discovered an exploit, heck I discovered 14 just today while brushing my teeth :)

        The only thing that happens when people "claim" to have discovered an exploit without proof is that a lot of gullible people start panicking and unscrupulous reporters and bloggers who'll propagate the rumour for weeks. It's like yelling "fire" in a crowded room.

        If they really have an exploit, they should just share it or STFU. There's enough garbage information on the internet as is, there's no need for them to the dung pile.

        • Re:Oh my (Score:4, Insightful)

          by CaymanIslandCarpedie ( 868408 ) on Thursday August 16, 2007 @07:33AM (#20247721) Journal
          Patience grasshopper, details will be released soon enough. Their method of reporting seems to be becoming kind of an accepted best practice for "responsible reporting" of bugs. I fully support ones right to just release day 0 exploit sample code if they so choose, though I don't think it's the best idea. It seems notifying the makers of effected software at roughly same time as releasing very high level information about the exploit is becoming the best way to both avoid in the wild attacks as well as ensure the issue is addressed.

          In this case, additional researchers have even verified the issue after the initial report. If you still don't believe there is an issue (fair enough it's good to be skeptical), you can always do a tad of research into these researches history to help decide if you think they are trustworthy or not. If still that isn't enough, well then I guess you'll have to just find these issues yourself and you can publish anything you want about them. Until then the researchers who find an issue should have the right to handle it any way they choose. They don't answer to you.

          It's like yelling "fire" in a crowded room.

          Seems more like they are more warning that there is a pile of debris in the room which could be a fire hazard. You suggestion would be more like noticing that fire hazard and deciding to dump gas on it and then toss on a match.
          • Re: (Score:3, Insightful)

            Why should the onus be on others to check their work for them? Can't they check their own work before making an announcement?

            It's very nice of them if they want to give the vendors time to fix their software, but they should announce their results _after_ the patch is ready in that case. Announcing early and claiming "responsible reporting" while not explaining enough for users to protect themselves is a publicity stunt.

            Here's a few things that I think are wrong with the "responsible reporting" idea: it

            • Re:Oh my (Score:4, Interesting)

              by CaymanIslandCarpedie ( 868408 ) on Thursday August 16, 2007 @08:30AM (#20248343) Journal
              These problems go away if the researchers either announce with proof ASAP, or if they announce once a patch is ready.

              I don't think either of those suggestions are "bad", just that sadly they have historically had thier own issues which at least in many peoples opinions outway the gains of those methods.

              "announce with proof ASAP" - sadly history shows that when this is done unscrupulous people will then take that knowledge and use it to create malware which can cause MAJOR damage. This is why there has been talk of even making this illegal (which I COMPLETELY disagree with). It is true that "with proof" a tiny percentage of the computer using population will be able to avoid the issue. However, the VAST majority still won't even hear of the issue (as they don't follow such news) let alone know what to do about it. The result is hackers are given the gift of complete knowledge of an exploit which many millions of computers and users will have no defense against.

              "announce once a patch is ready" - again sadly it has been shown over and over again that many (if not most) products will not put the urgency into a security fix unless there is public pressure to do so. This has certainly improved greatly over the last decade, but I still don't think we are at a point where we can trust them on this without pressure.

              There is a fairly popular variation on your second idea which is to notify the software developer but don't announce until you have given them reasonable time to patch it. This will give them the chance to do the "right thing" on thier own without the public pressure but researchers can still release the information later if they feel the patch is too long in coming.

              I actually do prefer that option, but there is the arguement that a company will never feel quite the sense of urgency as they would when an overview of the issue hits the media. And it follows that then the patch will take longer and someone less than altruistic could also find the same issue in the mean time and release an exploit.

              I don't have a real strong preference between the options of notify the software developers first and wait a reasonable amount of time, or notify and release high level overview at the same time. I'd actually probably have a slight preference for the former, but it does seem the later is the more popular. Probably for the reasons you give, that they want to be sure they are given the credit (and attention) of the find ;-)
      • Re: (Score:3, Insightful)

        by MikeBabcock ( 65886 )
        You don't need to provide a working example to explain the details. They could be saying something like:

        if you've installed vulnerable 3rd party url handlers, clicking malformed urls could lead to exploits

        in which case I don't care at all.

        I'm sure there are people who install 3rd party URL handlers as willy nilly as they install free screensavers and weather applets, but I don't, and neither should they, so again, I don't care.

        If on the other hand they're saying there's a URI parsing error in major browse

    • Re:Oh my (Score:4, Interesting)

      by Opportunist ( 166417 ) on Thursday August 16, 2007 @05:32AM (#20247083)
      I have a working example here on my desk. The problem is it's so effing trivial that it's not even funny. Unlike buffer overflows or other exploits that at least require some kind of understanding, this requires a trained monkey who can use a keyboard.

      I'm usually all for the spread of information, but this has the potential to be a scriptkiddy's wet dream. And as I've stated before, I don't fear the hacker, I fear the scriptkiddy. Not because he's smart, but because he's many and he drowns you simply with quantity, not quality.
      • Is your "working example" remotely installable?

        I am anxious to see how these guys plan to remotely install a URI handler into the registry without any user intervention, unless they are using some other remote exploit, in which case THAT is the actual bug.

        • Re: (Score:2, Insightful)

          by Anonymous Coward
          For those living under a rock: Many applications, including Firefox, install URI handlers by default. Many applications, including Firefox, have no or insufficient safeguards against dangerous URIs which are passed to them that way. Many applications, which render arbitrary remote data, can activate URI handlers with arbitrary URIs, often with no or trivial user interaction. If you think that is fine, you shouldn't dispense security advice.
          • The thing is: URIs are handled by the OS (in this case : Windows). It does not matter if you use Firefox, Internet Explorer, Word or OpenOffice: They all use the system's URI-handler.
        • Re: (Score:3, Informative)

          by Opportunist ( 166417 )
          Basically what it does is to make an assumption that a certain application exists on your system. An application that's exploitable through the use of malformed links, or malformed data hitting the application when you follow that link. Certainly, you are perfectly safe if you do not happen to have this application installed.
    • Re:Oh my (Score:4, Informative)

      by Fred_A ( 10934 ) <fred@ f r e dshome.org> on Thursday August 16, 2007 @06:43AM (#20247339) Homepage

      There is not a SINGLE technical detail about the bug in the article.
      Except that this is (yet again) a Windows only problem, a fact which the summary could have pointed out thus saving me the effort of browsing the article (and having to kill that stupid ad iframe I couldn't even close).

      • This is the clear indication of problem being a Windows only:

        ...Thor Larholm showed how a browser could be tricked into sending malformed data to Firefox.

        Guess what is this mysterious "browser" thing.

        • by Fred_A ( 10934 )

          This is the clear indication of problem being a Windows only:

          ...Thor Larholm showed how a browser could be tricked into sending malformed data to Firefox.


          Guess what is this mysterious "browser" thing.

          Are you trying to subtly imply that it isn't Opera ? Why I am shocked ! ;)
      • by KE1LR ( 206175 )
        Aha, the missing piece!


        1:Find ad popup code that can't be killed easily.
        2:Claim to Slashdot that you've discovered a trivial but really nasty browser exploit that nobody knows about, and provide a link to an article that says the same thing.
        3:Watch your ad views rack up.
        4:Profit!

      • by jdavidb ( 449077 ) *

        It'd also help if they'd clarify their terminology:

        a browser could be tricked into sending malformed data to Firefox.

        Firefox is a browser, last I checked. So if I'm not using another browser, no browsers will be sending any data to firefox, and I'll therefore be safe, right? This doesn't make any sense. What are they really trying to say?

      • Re: (Score:2, Informative)

        by jimbojw ( 1010949 )
        For anyone looking for more information about this problem, here you go:

        Here are some useful excerpts from the Cert advisory:

        Internet Explorer 7 has changed how Microsoft Windows parses URIs. This has introduced a flaw that can cause Windows to incorrectly determine the appropriate handler for the protocol specified in a U

    • Important details have been obscured on purpose to FUD Mozilla. I'm surprised they bothered to point out it's Windoze only in the first paragraph, but here's the glaring part of the FUD:

      Microsoft is working to educate users and developers about these security issues, but there's only so much that it can do, said Mark Griesi, a security program manager with Microsoft. "Security is an industry responsibility and this is certainly a case of that [principle]," he said. "It's not Microsoft's position to be th

      • Re: (Score:3, Informative)

        by Macthorpe ( 960048 )
        And yet this problem would be solved if Firefox didn't register a URI at all. Or it actually vetted data that was passed to that URI.

        Surprisingly it's not a problem if Firefox isn't installed.
        • M$ Defender, Macthorpe claims what M$ won't directly:

          Surprisingly it's not a problem if Firefox isn't installed.

          Not even this highly spun article goes that far.

          Thor Larholm showed how a browser could be tricked into sending malformed data to Firefox using this technology. This bug allowed an attacker to run unauthorized software on a victim's PC. Later, other researchers, including Rios and McFetters, showed how other browsers and applications could be misused to achieve similar goals.

          So IE, mention

      • twitter, I'm sure anyone who reads Slashdot would be keenly interested in any specific information you have to share about this, so please specify exactly how Microsoft is sabotaging Firefox here.
  • FTA: (Score:5, Insightful)

    by tygerstripes ( 832644 ) on Thursday August 16, 2007 @04:14AM (#20246765)

    By using these custom URI protocol names, software developers are trying to make lives easier for their customers.
    The article also states that this is a "hacker's dream and a programmer's nightmare".

    When a similar problem kicked off with the firefox:// protocol in IE all anyone could say was "Why the hell would anyone use this?" The answer seemed to be along the lines of "Nobody does - it was a stupid thing to include in the first place."

    Sounds like the same problem to me - and unnecessary and unsuitable solution to a non-existent problem causing far worse problems. As the proverb goes: if it ain't broke, don't start shoe-horning new and unsecured protocol-handling into the registry.

    • Re: (Score:3, Interesting)

      by a.d.trick ( 894813 )

      Nobody does - it was a stupid thing to include in the first place

      First off, it was called firefoxurl://. Second, it is used - by Windows. This is part of what is required when registering a browser on that OS. It's pretty important if you want to set Firefox as the default browser.

      • This is part of what is required when registering a browser on that OS. It's pretty important if you want to set Firefox as the default browser.

        IE, this is a "shell" URI that should not be visible to non-trusted content *at all*.

        There need to be separate registries for this.

        OS X has the same problem, though at least there it doesn't include any equivalent to ActiveX, and the KHTML-based API makes it easier to implement a fix.

        http://www.scarydevil.com/~peter/io/apple.html [scarydevil.com]
        • How else is firefox supposed to handle protocols liek mailto on a Windows system? The problem is that the URI's shouldn't have been trusted in the first place. The fact that they can execute arbitrary commands is appalling!

          The fact that browsers have a protocol attached to them is bad taste, but it's also a red herring. The real problem is that URIs can execute arbitrary commands. Firefox has as much to do with this as a potato has to do with an airliner.

          • by argent ( 18001 )
            How else is firefox supposed to handle protocols liek mailto on a Windows system?

            Using the URI bindings provided for *untrusted* objects. Just like it would use the MIME type bindings for untrusted objects.

            The problem is that the URI's shouldn't have been trusted in the first place.

            Certainly not the ones that browsers use.

            The problem is not limited to URIs. There are also plugins, file-type mappings, MIME-type mappings, and so on. Most of these, no matter what type of binding they are, have nothing to do wi
    • if it ain't broke, don't start shoe-horning new and unsecured protocol-handling into the registry.

      Because we all know what a tight machine M$ gave us without help from firefox [slashdot.org]. Wake me up when this is more than a Windoze problem.

  • News? (Score:5, Interesting)

    by Opportunist ( 166417 ) on Thursday August 16, 2007 @04:17AM (#20246779)
    "It's a hacker's dream and programmer's nightmare," said Eric Schultze, chief security architect with Shavlik Technologies LLC. "I think over the next six to nine months, hackers are going to find lots of ways to exploit standard applications to do non-standard functions."

    That's not news. That's old. Actually it's nothing but a change in the ancient URL/URI trick where you trick the user into believing a link sends him somewhere else (akin to something like this: http://www.microsoft.com [gentoo.org]).

    The new part is that the URL/URI contains malformed links. Links, that don't just take you somewhere or offer you a torrent, but links that exploit a bug in your application. But it will hit the same group of people: Clickmonkeys who don't know what they're doing in the first place.
    • Re:News? (Score:5, Funny)

      by ozmanjusri ( 601766 ) <.moc.liamtoh. .ta. .bob_eissua.> on Thursday August 16, 2007 @04:50AM (#20246927) Journal
      Actually it's nothing but a change in the ancient URL/URI trick where you trick the user into believing a link sends him somewhere else (akin to something like this: www.microsoft.com.

      Thanks dude!

      I installed that update to XP, and now my computer runs like a dream. Microsoft finally got it right!

      • Re:News? (Score:4, Funny)

        by Opportunist ( 166417 ) on Thursday August 16, 2007 @05:18AM (#20247025)
        You should check out their new browser too, at IE7.com [ie7.com]. It's really amazing! I don't know what they did, but even the exploits that should work on Internet Explorer 7 don't!
      • Re:News? (Score:4, Funny)

        by tygerstripes ( 832644 ) on Thursday August 16, 2007 @05:34AM (#20247089)
        You installed Gentoo in less than 48 hours? Christ, how times change...
      • by iogan ( 943605 )

        Actually it's nothing but a change in the ancient URL/URI trick where you trick the user into believing a link sends him somewhere else (akin to something like this: www.microsoft.com.

        Thanks dude! I installed that update to XP, and now my computer runs like a dream. Microsoft finally got it right!
        Me too! It took most of the weekend, but it was well worth it... :)
    • When you hover over your example link, it shows where you are really going.

      When you use Evil JavaScript(tm) you can REALLY fuck with the user, who will have NO idea where the link goes, which is why tools like NoScript are so important. Don't surf naked - use NoScript [noscript.net]. Don't get me wrong, javascript can be useful, but so many sites use it gratuitously. They use it for things like roll-over highlighting, when CSS does it cleaner with less code. Most sites I visit seem to use javascript now. Less than half ac
      • JS is mostly used as a gadget to "enhance" a site (read: Make it so flashy that nobody notices the lack of content). Like so many other technologies that clutter our pages today.

        Take Flash. Yes, it can actually be put to good use. Pages have used it to really increase the usability and accessability of the content. But most just use it to create a flashy show to hide the lack of content or meaning.

        And yes, noscript and other security tools are important. But until this gets through to the clickmonkeys, it w
  • by JosefAssad ( 1138611 ) on Thursday August 16, 2007 @04:18AM (#20246783) Homepage
    Some of the discussion around this issue revolves around URI validation. Given that third parties can assign their own handlers, I don't think it's the browser's job to validate URIs, but it can provide the facilities to do so.

    It would probably just be simpler to disable this functionality by default; I suspect not many people are really using their browser to launch other applications or do much beyond straightforward browsing (you konqueror people are something completely different!), or at least not to any meaningful extent. Where they are, some form of URI whitelist could do the job.

    I don't think browsers are going to stop being capable of launching applications overnight; I fully acknowledge that a lot of enterprise systems rely on this. But it can certainly be done more responsibly.

    • I don't think browsers are going to stop being capable of launching applications overnight

      Then how about letting me, the user, decide? Instead of simply activating everything, ask me whether I want a certain application to launch? I think I remember seeing something like this in a browser, forgot which one it was... FF, I think.
      • In Opera:<br>
        click on a "special" link, like <URL:ed2k://|file|ubuntu-7.04-desktop-i386.[conten t.emule-project.net].iso|731797504|E239215147FA03E 5DB3D6C816291BFCA|/> (If you look at that URI, it's for an ed2k download of Ubuntu 7.04)<br>
        Opera says: "Would you like to open $PROGRAM to use this link?"
        • Re: (Score:1, Redundant)

          by Goaway ( 82658 )
          Yes, because asking "Would you like to open Firefox to use this link?" is such a clear indication that your system is about to be hacked.
    • Really? Because I use Konqueror's URI handlers for all of this: sftp, zip, tar, http, https, and ftp, and they are all useful. The problem with the Windows URI bug is that it allows an attacker to launch arbitrary programs, even programs without registered URI handlers, by passing arguments to certain registered programs (at least that is how I understand this vulnerability). It would be like using one of my KDE URI handlers to open a terminal; a malicious website could use that to start executing rando
      • by archen ( 447353 )
        Agreed, this is an extremely handy feature - especially when you consider the implications for integration with other applications. I created a database to track things on our network which worked pretty well. But then doing support remotely got to be a bit tedious since I would have to look up the info, cut and paste the computer name into $program, and so on. Now I can add handlers in firefox like rdesktop:// and vnc:// that allow it to fully integrate into a simple system.

        Better protections would be
    • What I find interesting is that Internet Explorer has, from the very beginning, had a little tab on its settings window to choose your preferred programs for the more common URI protocols like mail and news. So we've known for a long time that it is useful for browsers to be able to hand off non-http protocols to external programs, and that it's the sort of thing that a user might want to configure and customize themselves. How come these days it seems like all the management of that (in Windows at least) h
  • Whew... (Score:5, Funny)

    by Spy der Mann ( 805235 ) <spydermann.slash ... com minus distro> on Thursday August 16, 2007 @05:15AM (#20247015) Homepage Journal
    Good thing I use Firefox and not that "URI browser". I feel safe.
  • Yeah, yeah (Score:2, Flamebait)

    by nagora ( 177841 )
    It'll be a cold day in hell before I take security advice from a bunch of crooks like Ernst & Young. Presumably there's some obscure way they can make money out of this announcement.
  • This is just an expansion (or rehash) of the exploit using custom "protocol" prefixes (the http:/// [http] part). Now I must be on different intertubes than the rest of y'all, because I hardly ever (read: never) see anything but http, ftp and mailto in the links I use, and I build both public (as in gimmicky) web sites and business apps for a living. Anything else should be handled by a browser PLUGIN, not some creaky registry hack that can spawn any random process. The difference should be obvious: you can hav
    • It's called a URI (Score:4, Insightful)

      by brunes69 ( 86786 ) <slashdot@nOSpam.keirstead.org> on Thursday August 16, 2007 @07:23AM (#20247617)
      It's part of the protocol. Any link on any web page should be able to specify ANY protocol.

      Is anyone complaining that Konqeuror can handle links like sftp://root@someftpsite ?

      The whole article is stupid. It is going to come out that this is not remotely exploitable unless you use another remote exploit to install the 3rd party protocol handler.

      Non story.
      • It's not stupid. (Score:3, Interesting)

        by argent ( 18001 )
        The problem is that there's no way on Windows or OSX to register a protocol handler for shell programs (Finder, Windows Explorer, the KDE file manager) or applications internal use (help: on both Windows and OSX) without it also being available to the web browsers. This means that any application that isn't designed to deal with untrusted input that the browser developer hasn't yet explicitly blocked is a point of entry.

        Exploits using this approach have been found via IE since 1997, and via Safari since 200
        • by brunes69 ( 86786 )
          And in Konqueror since it was written, since it is designed this way.

          It is not the web browser's job to validate input into external URI handlers. It is the URI handler's job.
  • > Microsoft is working to educate users and developers about these security issues

    Yep. We know all about Microsoft's education*:

    In no event shall microsoft or its suppliers be liable for any special, incidental, punitive, indirect, or consequential damages whatsoever (including, but not limited to, damages for loss of profits or confidential or other information, for business interruption, for personal injury, for loss of privacy, for failure to meet any duty including of good faith or of reasonable care
  • Damn! (Score:2, Funny)

    by rdrd ( 1142449 )
    I just pressed on that "slashdot://it.slashdot.org" link !!!
  • Development of great software must include a process to review and cut down on feature on each release. Otherwise it becomes a feature bloat [wikipedia.org] and becomes ugly and dangerous.

    Mike | Optimalprint [optimalprint.com]
  • by Anonymous Coward on Thursday August 16, 2007 @09:06AM (#20248845)
    Goto about:config and

    set network.protocol-handler.expose-all to false,
    network.protocol-handler.expose.http to true,
    network.protocol-handler.expose.javascript to true,
    network.protocol-handler.expose.mailto to true and
    remove all other network.protocol-handler.expose.*entries (or set them to false).

    Set network.protocol-handler.external-default to false,
    network.protocol-handler.external.mailto to true and
    remove all other network.protocol-handler.external.* entries (of set them to false).

    To be sure set network.protocol-handler.warn-external.file to true and
    remove all network.protocol-handler.warn-external.* entries (or set them to true).

    For more info start at http://kb.mozillazine.org/Network.protocol-handler .expose-all [mozillazine.org]
    Beware, on windows things are different. See http://kb.mozillazine.org/Register_protocol [mozillazine.org]
  • Yes, but does it run on Linux :)
  • I've been talking about this kind of problem in Windows and the HTML control since the late '90s, and in OSX and LaunchServices since 2004. It's worse in Windows, because you have the same stupid lack of security design in ActiveX which is a much harder nut to crack...

    http://www.scarydevil.com/~peter/io/apple.html [scarydevil.com] and later posts in http://www.scarydevil.com/~peter/io/ [scarydevil.com] ...
    • by argent ( 18001 )
      The articles on my site are primarily about Apple, mostly because Microsoft has similar vulnerabilities discovered at far too great a rate for me to keep up. There was a patch for another one (an ActiveX component used by other programs not being explicitly blocked by the HTML control) on Tuesday.
    • Griesi said that he does not see any of these URI issues as something that needs to be fixed in Windows or Internet Explorer. That's up to the individual software developers whose programs may be misused. "Security is an industry responsibility and this is certainly a case of that [principle]," he said. "It's not Microsoft's position to be the gatekeeper of all third-party applications."

      100% wrong. Microsoft doesn't provide a mechanism for applications to create both secure URI handlers for browsers as well
  • Write 100 times on the whiteboard:

    I will not launch applications from the browser.
    I will not launch applications from the browser.
    I will not launch applications from the browser.
    I will not launch applications from the browser.
    I will not launch applications from the browser.
    I will not launch applications from the browser.

  • Opera protects against it by asking each time a new unapproved URI scheme is used. It's not perfect, because it requires user to think, and approved apps may be exploitable as well, but at least it narrows attack surface and gives some warning.

    It might be further improved to distinguish between clicked links and automatically triggered opens (like pop-up blocker does).

"I'm a mean green mother from outer space" -- Audrey II, The Little Shop of Horrors

Working...