'Shell' access flaw hits Microsoft products

A remote, critical security bypass flaw affecting Microsoft Word 2002 and MSN Messenger 6.x is closely related to a Mozilla browser flaw announced last week.

Vulnerability researcher Jesse Ruderman reported a flaw that could allow an attacker to access the Windows "shell:" functionality. In this case, the programs fail to restrict access to the "shell:" URI handler, which could enable an attacker to invoke various programs associated with specific extensions. It's not possible to pass parameters to these programs, only filenames, thus limiting the impact of launching applications, security research company Secunia said.

The Windows "shell:" URI handler is inherently insecure and should only be accessed from a few trusted sources, according to the advisory. It may even pose a threat through Word documents, Secunia reported. Multiple exploits in Internet Explorer also utilize "shell:" functionality.

Users are advised not to follow links in MSN Messenger or those from Word documents originating from untrusted sources.

This vulnerability is similar to a flaw in Mozilla's Application Suite, Firefox and Thunderbird products running on Windows XP. Mozilla issued a fix last week, but some are questioning its effectiveness.

"Mozilla's 'patch' for the shell protocol security issue is merely a global configuration change, but is it enough?" asked security researcher Aviv Raff in a posting to a security mailing list. "If an attacker has a file writing access to the user's default profile directory, or somehow manages to update/create the file user.js (or even worse -- mozilla.cfg) he can override the patch's configuration change and enable the shell protocol handler again.

"Trying to apply the patch again won't override the attacker's configuration change, and doing it manually through the about:config interface will be enough only until the user closes the browser," added Raff.
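The override Raff describes can be audited from the defender's side. The following is an added example, not part of the original article or Mozilla's code: it walks a directory tree for the preference files read at startup and reports any that set the shell handler preference to something other than false. It assumes the preference name `network.protocol-handler.external.shell` (from Mozilla's fix, not named in the article), a plain-text `mozilla.cfg`, and constructed sample profiles.

```python
import re
import tempfile
from pathlib import Path

# Assumption: preference changed by Mozilla's fix; the article does not name it.
SHELL_PREF = "network.protocol-handler.external.shell"
# Files read at startup that can override the shipped default.
OVERRIDE_FILES = ("prefs.js", "user.js", "mozilla.cfg")
# Line-anchored, so entries commented out with // are ignored.
PREF_CALL = re.compile(
    r'^\s*(user_pref|pref|lockPref|defaultPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;',
    re.MULTILINE)

def find_shell_overrides(root):
    """Return sorted (relative path, call, value) for each preference entry
    under root that sets the shell handler pref to anything but false."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.name not in OVERRIDE_FILES or not path.is_file():
            continue
        text = path.read_text(errors="replace")
        for call, name, value in PREF_CALL.findall(text):
            if name == SHELL_PREF and value != "false":
                findings.append((path.relative_to(root).as_posix(), call, value))
    return sorted(findings)

def build_sample(root):
    """Constructed sample: a clean profile and one whose user.js re-enables shell:."""
    clean = Path(root, "Profiles", "clean.default")
    tampered = Path(root, "Profiles", "tampered.default")
    for profile in (clean, tampered):
        profile.mkdir(parents=True)
        (profile / "prefs.js").write_text(f'user_pref("{SHELL_PREF}", false);\n')
    (tampered / "user.js").write_text(
        f'// user_pref("{SHELL_PREF}", false);\n'
        f'user_pref("{SHELL_PREF}", true);\n')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in find_shell_overrides(tmp):
            print("shell: handler re-enabled:", finding)
```

Point `find_shell_overrides` at both the profile root and the install directory, since `mozilla.cfg` lives with the application rather than in the profile.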