If at first you don't succeed; call it version 1.0
Tuesday, 10 July 2007

Today, Thor exposed a way to execute code from remote, if you have both IE and Firefox installed on your machine.

This is done by cross application scripting. He used an iframe in IE which refers to a protocol handler that was registered by Firefox, in order to open the latter browser and inject a script in an elevated privileges (chrome) mode.

Now the question is, whose fault is it? Is it an Internet Explorer problem or a Firefox problem?

Well, past experience shows that this is not the first time IE suffered from cross application scripting. Inge Henriksen demonstrated a way to attach arbitrary files to outlook messages using IE and cross application scripting.

Thor himself found a remote code execution vulnerability in Safari for Windows using cross application scripting.

Lately, I've noticed that it is possible to shutdown Skype from remote, in the same way:

<iframe src='skype:" /shutdown'></iframe>

An online PoC can be found here (be careful, clicking this link will also close all your opened Skype chat sessions!)

Back to the IE/FF problem. So, who should to fix this issue? I think both.

Mozilla should fix the way they register the "FirefoxURL:" protocol handler, and Microsoft should sanitize the parameters they pass to external applications.

What do you think?

Tuesday, 10 July 2007 19:57:34 UTC | Comments [2] | Security#
Wednesday, 11 July 2007 13:17:22 UTC
IMHO Skype shutdown vector looks like CSRF.
Wednesday, 11 July 2007 17:05:34 UTC
CSRF = Cross Site Request Forgery.
As far as I know, Skype isn't a website :)
This is a Cross Application Scripting. You send a specific command/script from one app (IE) to another (Skype).
Comments are closed.     
Send me an Email
Follow me on Twitter
RSS Feeds
Admin Login
Sign In
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.