Re: The money: protocol in Internet Explorer

[mnemonix () GLOBALNET CO UK (David Litchfield)]

>    - If remote attacks are possible, how can the money:
>      protocol be turned off in Web pages and Email
>      messages, but still have Microsoft Money work
>      properly?

In HKEY_CLASSES_ROOT any immediate subkey (eg HKCR\callto) that has a "URL
Protocol" value can be launched from IE. Removing this value disables this
feature. To demonstrate:

Create an HTML file and add an anchor <A HREF="news://abc";>here</A> - save
it then open it in IE.
Click on "here" and Outlook should open. Close it.
Open regedit and navigate to HKCR\news
Delete the URL Protocol value in the left hand pane.
Click on "here" and an error message should appear.
Go back to Regedit and replace the URL Protocol value then go back to IE and
click on "here". Outlook express should open as normal again.

So as far as disabling the functionality of being able to launch MS Money
from IE is concerned remove the URL protocol value from its registry entry.

On a side note on some NT systems the "shell" registry key has a URL
protocol value and the open command uses explorer. I haven't had the time to
research this specific issue but being able to play with explorer.exe
remotely (froma web page or e-mail) may have some bad implications (but then
again, maybe not). Anyone who cares to look into this issue it would be
interesting to hear if you find anything.

Cheers,
David Litchfield
http://www.cerberus-infosec.co.uk