Turns out the same kind of bugs that were found when Apple released the beta version of Safari 3.0 for Windows are present in Firefox, Internet Explorer, and Windows instant-messaging client Trillian. They’re all related to unsafe handling of malicious URLs. The good news is that none of them worked on my Mac.
These exploits work by way of different mechanisms. When Firefox is installed on Windows, it registers itself as the handler for any URL that begins with “firefoxurl”. This lets developers of other applications launch Firefox automatically. Unfortunately, the same mechanism can be used to pass arbitrary instructions to Firefox via the command line. The Trillian exploit is similar: Trillian registers itself as the handler for “aim” URLs, then passes the parameters it receives to the command line without properly validating them.
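The handler mechanism described above can be modeled to show why the missing validation matters and what a check looks like. This is an added example, not code from Firefox, Trillian, or Windows; the "exampleapp" scheme, its command template, the switch name, and the simplified argument splitter are all assumptions made for illustration.

```python
from urllib.parse import quote

# Constructed handler command, in the shape Windows stores under
# HKEY_CLASSES_ROOT\<scheme>\shell\open\command. "exampleapp" is hypothetical.
TEMPLATE = r'"C:\Program Files\ExampleApp\app.exe" -url "%1"'

# Constructed sample URLs: one ordinary, one that contains a double quote.
BENIGN = "exampleapp://open/item?id=42"
CRAFTED = 'exampleapp://open/" -hypothetical-switch "value'

def split_args(cmdline):
    """Simplified argv split: whitespace separates arguments unless inside
    double quotes. (Real Windows parsing also has backslash rules.)"""
    args, cur, in_quotes, started = [], "", False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append(cur)
            cur, started = "", False
        else:
            cur, started = cur + ch, True
    if started:
        args.append(cur)
    return args

def expand(template, url):
    """Model of the launch step: the URL is pasted into the template verbatim."""
    return template.replace("%1", url)

def stays_one_argument(template, url):
    """True only if the URL reaches the program as exactly one argv entry."""
    baseline = split_args(expand(template, "x"))
    actual = split_args(expand(template, url))
    return len(actual) == len(baseline) and actual[-1] == url

def neutralize(url):
    """Percent-encode everything outside a conservative URL character set,
    so quotes and whitespace cannot end the quoted argument."""
    return quote(url, safe=":/?#[]@!$&'()*+,;=%-._~")

if __name__ == "__main__":
    for label, url in (("benign", BENIGN), ("crafted", CRAFTED),
                       ("crafted, encoded", neutralize(CRAFTED))):
        print(label, split_args(expand(TEMPLATE, url)))
```

The same check belongs on both sides: the application that hands a URL to the operating system should encode it first, and the registered handler should refuse any launch whose arguments do not match the shape it expects.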
These custom URL handlers break the sandbox that we usually think of Web pages as running in, since they interact directly with applications on your local system. On computers running Windows, that means those applications generally have full administrator rights. I imagine we’ll be seeing a lot more of them as security researchers dig into every application that registers a URL handler with Windows.