lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.0.82.0710051231540.5461@loki.ct.heise.de>
Date: Fri, 5 Oct 2007 14:58:48 +0200 (CEST)
From: Juergen Schmidt <ju@...sec.de>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: URI handling woes in Acrobat Reader, Netscape,
	Miranda, Skype

Hello,

the URI handling problem on Windows XP systems with IE 7 installed hits a 
lot of applications, not only Firefox (and mIRC) -- namely Skype, Acrobat 
Reader, Miranda, Netscape.

To recap: with the installation of IE 7 Microsoft 
changes the handling of URLs that are passed to the operating system on 
Windows XP. After this, URLs that contain an invalid "%" encoding can 
launch abitrary programms. One example is:

mailto:test%../../../../windows/system32/calc.exe".cmd

that launches the calculator when activated in affected applications. 
Firefox fixed this problem in 2.0.6. After being notified by heise 
Security, Skype fixed the problem in 3.5.0.239.


Still vulnerable (as of 4th of October) are:

Adobe Acrobat Reader 8.1: If a user clicks on such a link
in a PDF, calc.exe is executed.

Miranda v0.7: If a user klicks on this link in a chat window, calc.exe is 
executed

Netscape 7.1: mailto is handled by Netscape itself, but 
similar telnet:-links start the calculator.

This list can propably be extended with little effort.


On a question to MSRC if Microsoft is planning to react on this, we 
recieved the following response:

"After its thorough investigation, Microsoft has revealed that this is 
not a vulnerability in a Microsoft product." 


For further information see:

http://www.heise-security.co.uk/news/96982

bye, ju


-- 
Juergen Schmidt   editor-in-chief   heise Security     www.heisec.de
Heise Zeitschriften Verlag,    Helstorferstr. 7,       D-30625 Hannover
Tel. +49 511 5352 300      FAX +49 511 5352 417       EMail ju@...sec.de
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ