According to security researchers Billy Rios and Nathan McFeters, the issues involving the URI (Uniform Resource Identifier) protocol handler technology are more widespread and problematic than first thought.
In fact, it can potentially be misused to steal data from a victim’s computer.
The URI protocol handler is what Windows uses to launch applications via the browser.
As a direct result of the Firefox and IE debacle last month, security researchers have been scrambling lately to research how malformed URIs could be used to run unauthorized software on a victim’s PC. Not going with the crowd, Rios and McFeters decided instead to focus on how attackers could simply misuse the legitimate features of software launched via the URI protocol handler.
They termed this kind of attack “functionality-based exploitation.” Their findings prove to be sobering.
Says McFeters in New URI browser flaws worse than first thought:
It is possible through the URI to actually steal content from the user’s machine and upload that content to a remote server of the attacker’s choice. This is [done] through functionality that the application supports.
The crux of the issue seems to be that software developers have rushed into incorporating the URI functionality into their applications without properly considering if it is even necessary, much less the possibility of it being used as an attack vector. In many cases, the rationale behind an application even registering a URI with the OS is inexplicable.
The potential complications that could arise are huge, but unfortunately this is not something that can be fixed in Windows or Internet Explorer. Mark Griesi, a security program manager with Microsoft, maintains that it’s up to the individual software developers whose programs may be misused to fix the problem.
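Since the fix is left to each application vendor, the practical first step for an administrator is to find out which programs on a machine have registered a URI scheme at all. The following PowerShell script is an added example (not from the article or the researchers); it assumes the standard Windows layout in which a handler is a key under HKEY_CLASSES_ROOT carrying a “URL Protocol” value, with the launched command line stored under shell\open\command.

```powershell
# Added example: enumerate every URI scheme registered with Windows and the
# command line it launches, so the handlers can be reviewed one by one.
function Get-RegisteredUriHandler {
    [CmdletBinding()]
    param()

    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object {
            # Only keys that declare an empty "URL Protocol" value are scheme handlers
            $_.GetValueNames() -contains 'URL Protocol'
        } |
        ForEach-Object {
            $scheme  = $_.PSChildName
            $cmdKey  = Join-Path $_.PSPath 'shell\open\command'
            $command = $null
            if (Test-Path -LiteralPath $cmdKey) {
                # The key's default value holds the command line; Windows replaces
                # "%1" with the full URI the browser was asked to open
                $command = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
            }
            [PSCustomObject]@{
                Scheme    = $scheme
                Command   = $command
                # Handlers that hand the whole URI to the program as an argument are the
                # ones whose ordinary features deserve a closer look
                PassesUri = [bool]($command -match '%1')
            }
        }
}

# Usage: list all registered schemes, with the launched command beside each
Get-RegisteredUriHandler | Sort-Object Scheme | Format-Table -AutoSize
```

Walking all of HKEY_CLASSES_ROOT takes a few seconds; any scheme you do not recognise, or whose command points at software you no longer use, is a candidate for removal or for asking the vendor why the handler exists.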
Eric Schultze, chief security architect with Shavlik Technologies LLC, sums up the situation.
It’s a hacker’s dream and programmer’s nightmare. I think over the next six to nine months, hackers are going to find lots of ways to exploit standard applications to do non-standard functions.
Ouch. Perhaps it’s time to pick an AV from the various AV software listed in Not all AV tools are created equal: Uproar from AV vendors kicks off round two.