Bugtraq mailing list archives

Re: Minor IE vulnerability: about: URLs


From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Sat, 20 Oct 2001 10:42:54 +1200

"Clover Andrew" <aclover () 1value com> wrote:

<<snip>>
Vendor response: Probably won't fix.

A Microsoft chap pointed out that sites can already break out of the
Restricted Sites Zone, simply by pointing at another site that is
not in that Zone.

(Cookies could similarly be shared by creating a 'cookie aggregator'
site which could be redirected to in order to set the desired cookie
and return to the originating site with a copy of all cookies set
by different sites.)

My response: in both cases, the 'rogue' site being redirected to can
also be put in the Restricted Sites Zone to stop it. This is not the
case with about: URLs, which are always in the Internet Zone and
cannot be changed. External sites can also be foiled through
firewalling and local blackhole routing, which about: cannot.
Unlike external sites, about: URLs are processed instantaneously,
making the user much less likely to notice them. Finally, an external
cookie aggregator site would be subject to privacy policies and laws,
which about: URLs cannot be.

I think it is a shame that the usefulness of the Restricted Sites
Zone feature and the locality restrictions on cookies are compromised
in favour of a feature (about:something generating a page with
'something' on) that is undocumented, non-standard, little-known and
of no conceivable legitimate use whatsoever.

Users just *may* be able to control handling of "about:" URLs (at
least insofar as breaking them completely counts as "controlling
them"  8-) ).  There is a registry key:

   HKCR\PROTOCOLS\Handler\about

which in the fairly default install of IE 5.5 on this machine holds 
two values -- an empty default value and a CLSID string value set to
{3050F406-98B5-11CF-BB82-00AA00BDCE0B}.  In HKCR\CLSID that CLSID is 
described as "Microsoft HTML About Pluggable Protocol" and (not 
surprisingly) an InProcServer of "%SystemRoot%\System32\mshtml.dll".

I imagine you could munge either the InProcServer value of the CLSID 
to break all references to the about: protocol called through a CLSID 
reference or just munge the CLSID value in the Protocol\about key to 
break calls to the about: protocol via the approved mechanisms for 
protocol handling.  I don't have the time right now to play with this 
(it's bound to require reboots between these registry changes!), but 
if someone else does, I'm sure others than just me would like to hear 
the results.

Assuming that works, I have no idea what the effect on "publicly 
shareable" cookies would be, but suspect it would break them too.  
Anyone??


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
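The registry inspection Nick describes above, written out as a read-only PowerShell audit. This is an added example, not code from the post or from Microsoft: it reads HKCR\PROTOCOLS\Handler\about, follows the CLSID value into HKCR\CLSID, and reports whether the handler still points at the CLSID and mshtml.dll that Nick reported for IE 5.5. Two things are assumed rather than taken from the post: that the server DLL is recorded under an InProcServer32 subkey of the CLSID, and that a handler which is missing or points elsewhere is worth flagging (either as the deliberate breakage Nick proposes, or as tampering with the protocol handler). It changes nothing.

```powershell
# Added example (not from the original post): audit the about: pluggable
# protocol handler registration. Read-only; no registry values are modified.

$ExpectedClsid = '{3050F406-98B5-11CF-BB82-00AA00BDCE0B}'   # value reported in the post
$ExpectedDll   = 'mshtml.dll'                               # server DLL reported in the post

function Get-AboutProtocolHandler {
    # HKCR is not a drive in a default PowerShell session, so use the provider path.
    $handlerKey = 'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Handler\about'
    if (-not (Test-Path $handlerKey)) {
        # No handler key at all: about: URLs have nothing to dispatch to.
        return [pscustomobject]@{ Registered = $false }
    }

    $clsid     = (Get-ItemProperty -Path $handlerKey).CLSID
    $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    $serverKey = "$clsidKey\InProcServer32"   # assumed subkey name (post only says "InProcServer")

    $description = $null
    $dll         = $null
    if (Test-Path $clsidKey)  { $description = (Get-ItemProperty -Path $clsidKey).'(default)' }
    if (Test-Path $serverKey) { $dll         = (Get-ItemProperty -Path $serverKey).'(default)' }

    # The post shows the DLL path with %SystemRoot% unexpanded; expand it before checking disk.
    $expanded = $null
    if ($dll) { $expanded = [Environment]::ExpandEnvironmentVariables($dll) }

    $onDisk      = $false
    $dllExpected = $false
    if ($expanded) {
        $onDisk      = Test-Path $expanded
        $dllExpected = ([IO.Path]::GetFileName($expanded) -ieq $ExpectedDll)
    }

    [pscustomobject]@{
        Registered    = $true
        Clsid         = $clsid
        Description   = $description
        ServerDll     = $dll
        ServerOnDisk  = $onDisk
        ClsidExpected = ($clsid -eq $ExpectedClsid)
        DllExpected   = $dllExpected
    }
}

$handler = Get-AboutProtocolHandler
$handler | Format-List

if (-not $handler.Registered) {
    Write-Output 'about: handler is not registered; about: URLs cannot be dispatched on this machine.'
}
elseif (-not ($handler.ClsidExpected -and $handler.DllExpected -and $handler.ServerOnDisk)) {
    Write-Warning 'about: handler does not match the mshtml.dll registration reported in the post; review the CLSID and server DLL before trusting it.'
}
else {
    Write-Output 'about: handler matches the default IE registration reported in the post.'
}
```

Run it in an elevated or ordinary session; reading HKCR needs no special rights. Because it only reads, it can be run before and after any of the registry changes Nick speculates about, which gives a quick way to confirm which value (the handler's CLSID or the server path) was actually changed and whether the DLL it now names exists on disk.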

