Preparing for uniform resource identifier (URI) exploits

A URL is, in fact, a subset of uniform resource identifiers, or URIs. URIs use a defined syntax to provide a simple and extensible means for recognizing and accessing an Internet resource. The identifiers can do so without regard to the application or platform used. The URI syntax is essentially a URI scheme name, such as 'http' (Hypertext Transfer Protocol), followed by a colon and then a scheme-specific part. For example, the URL:

http://www.microsoft.com/en/us/default.aspx

…is a URI that identifies the resource of Microsoft's home page. The identifier also confirms that the page can be located using HTTP from a network host named www.microsoft.com.

Mozilla developers often use a URI that begins with 'rdf,' which enables access to a particular datasource. The URI 'rdf:history,' for example, returns the datasource that holds information related to a user's browsing history.

URIs are also used to launch an application from within a browser. During the installation process, browsers automatically store, or register, various URL protocol handlers, such as mailto and nntp, in the Windows registry. Each of these protocol handlers is associated with an application so that the browser launches appropriate software when requested. So, clicking on a Web link that begins "aim:goim," for example, will open an AIM instant message window.

Although this functionality helps make interaction between applications less complicated for the user, many software developers do not fully understand the complexity of URIs and the possible consequences of placing them into the registry. Basically, a URI handler is going to increase the attack surface of an application. Let's look at why this is.

Security expert Thor Larholm recently highlighted an interesting fact about Firefox. When the browser is installed, it registers a URL protocol handler called "FirefoxURL," which potentially allows a URI in a Web page to launch Firefox. Because of the way in which the URL handler is registered, Windows cannot tell what type of input or request is valid. So when Internet Explorer encounters a reference to content inside the FirefoxURL URL scheme, it calls the ShellExecute command and passes the entire request URI without any input validation. That means there is no check on the data being passed to the ShellExecute command. By crafting a malicious URL, an attacker can then pass arguments, parameters and data to an external application that will run when the requested URI is loaded. The malicious link can be embedded in a Web site or sent via an HTML email.

For more information on URI security Learn more about Mozilla Firefox's input validation error.  Common handlers can possibly be exploited with 'a single unexpected URI.' See how. Should we be scaling back our Web browser security expectations?

Though Mozilla Corp. has released a patch, URI problems are not solely browser issues. Researchers Billy Rios and Nathan McFeters claim to have discovered a "functionality-based exploitation." Using the legitimate features of a popular software program launched via the protocol handler, the two claim to have found a way to steal data from a victim's computer and upload it to a remote server.

Such URI exploits are going to start a fresh round of problems for developers and users alike. Developers need to assess whether their applications really warrant the registering of a URI. Any application that registers an identifier needs to validate and sanitize any input. If attackers can execute applications using the exploit technique, they will be doing so with the privileges of the targeted user.

URI schemes are a valuable resource and are intended only to address information spaces that are globally useful. Developers who create new URI schemes to address spaces which are not useful to the Web in general, which aren't registered, or which break some axioms of Web architecture, are also creating another exploit for hackers to use.

The best way to protect against a possible URI attack is to install a browser vendor's latest fixes. Network administrators should remind their users to never follow links from untrusted sources or open unsolicited HTML email. The attack relies on user interaction, so for such an attack to be successful, the victim needs to follow a link to a malicious site or open a malicious email. Finally, security professionals must ensure that users' accounts only have the minimum access rights that are necessary for them to do their work.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Web Security Advisor PCI compliance and Web applications: Code review or firewalls? Worst practices: Security incidents to avoid Web scanning and reporting best practices Social networking Web site threats manageable with good enterprise policy Enterprise security in 2008: Building trust into the application development process PCI DSS Section 6: A plan for tackling application security Making the case for Web application vulnerability scanners How to avoid dangling pointers: Tiny programming errors leave serious security vulnerabilities Java security: Is it getting worse? Ensuring Web application security during a company merger Firefox Security and Mozilla Security Shrewd attackers bypass old security defenses with Web attacks Firefox 3 security looks promising, testers say Mozilla plugs Firefox flaws Mozilla to rush update for Firefox bugs Will Web browsers ever be fully equipped to detect and remove malware? Mozilla fixes multiple Firefox flaws Mozilla closes QuickTime attack vector in Firefox Firefox security issues persist despite update Mozilla to extend security in major Firefox update Mozilla fixes two critical Firefox flaws Firefox Security and Mozilla Security Research Internet Explorer Security Shrewd attackers bypass old security defenses with Web attacks Inside MSRC: Microsoft outlines Internet Explorer flaws Install Microsoft Office and IE patches first, experts say IE patch glitch sends admins in search of workarounds Microsoft security update causes IE meltdown Security fixes on tap for Windows, IE, DirectX Will Web browsers ever be fully equipped to detect and remove malware? Microsoft warns of dangerous Windows URI vulnerability Inside MSRC: Microsoft releases searchable update database Latest Microsoft flaws affect Windows, IE, Excel RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary browser hijacker  (SearchSecurity.com) NCSA  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.