Internet Explorer + Google Chrome = security problem

Security problems surrounding protocol handling and Web browsers have surfaced again -- this time with Google Chrome and Microsoft's Internet Explorer.

According to an advisory from the Google Chrome team, there's an error in handling URLs with the chromehtml: protocol that could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions.

[ SEE: Command injection flaw found in IE: Or is it Firefox? ]

The skinny:

  • If a user has Google Chrome installed, visiting an attacker-controlled web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker's choice.

The "high severity" vulnerability affects Google Chrome versions 1.0.154.55 and earlier.

It can be exploited by malicious hackers to launch universal cross-site scripting (UXSS) attacks without user interaction under certain conditions.

[ SEE: Mozilla caught napping on URL protocol handling flaw ]

IBM's Roi Saltzman, the researcher credited with finding and reporting the issue to Google, has released an advisory (word .doc) to explain the attack vectors and impact.

He warns that the flaw opens the door to two major attack vectors:

  • Bypass the Same Origin Policy restrictions for any site (this has the same impact as Universal XSS)
  • Enumerate victim's local files and directories

"It is important to note that the way Internet Explorer processes URL protocol handlers is a known Achilles' heel and has been widely used previously to attack other various applications," Saltzman said. Proof-of-concept code for this issue is publicly available.
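As an added example (not from the article and not Chrome's or IE's own code), a small Python check of the failure mode Saltzman is pointing at: a URL that IE hands to a protocol handler's registered command template must land as exactly one intact argument. It models the quote breakout discussed in the comments, with a hypothetical handler template and constructed inputs.

```python
# Check whether a URL survives substitution into a Windows URL-protocol handler
# command template (the shell\open\command value behind a scheme like chromehtml:)
# as exactly one argument. Constructed example, not Chrome's real registration.
import re

HANDLER_TEMPLATE = r'"C:\Example\browser.exe" -- "%1"'  # hypothetical template

def win_argv(cmdline: str) -> list[str]:
    """Split a command line with CommandLineToArgvW's backslash/quote rules."""
    args, cur, in_quote, have_arg, i, n = [], [], False, False, 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == '\\':                      # a run of backslashes
            nb = 0
            while i < n and cmdline[i] == '\\':
                nb, i = nb + 1, i + 1
            if i < n and cmdline[i] == '"':  # odd count: literal quote; even: toggle
                cur.append('\\' * (nb // 2))
                if nb % 2:
                    cur.append('"')
                else:
                    in_quote = not in_quote
                i += 1
            else:
                cur.append('\\' * nb)
        elif c == '"':                     # unescaped quote toggles quoting
            in_quote, i = not in_quote, i + 1
        elif c in ' \t' and not in_quote:  # whitespace ends an argument
            if have_arg:
                args.append(''.join(cur))
                cur = []
            have_arg, i = False, i + 1
            continue
        else:
            cur.append(c)
            i += 1
        have_arg = True
    if have_arg:
        args.append(''.join(cur))
    return args

def url_is_single_argument(url: str, template: str = HANDLER_TEMPLATE) -> bool:
    """True when url lands in argv as one intact argument (no quote breakout)."""
    expected = [url if a == '%1' else a for a in win_argv(template)]
    return win_argv(template.replace('%1', url)) == expected

def validate_handler_url(url: str, scheme: str = 'chromehtml') -> bool:
    """Pre-check a handler could run: right scheme, no quotes/whitespace/controls, one argv slot."""
    ok = re.fullmatch(rf'{scheme}:[^\s"\x00-\x1f]*', url, re.IGNORECASE)
    return bool(ok) and url_is_single_argument(url)
```

The same check applies to any "%1"-style handler template, not only chromehtml:, which is why the scheme is a parameter.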

Microsoft maintains the problems are not related to vulnerabilities in its code.

Talkback

18 comments
  • They have to share the blame

    Internet explorer should really use a private
    "protocol" list, or at least warn the user
    before allowing a new protocol to be used. By
    using an open list where other apps can
    register protocols which directly influences
    the behavior of IE, MS are almost asking for
    this.

    Google should *not* register a protocol which
    potentially allow scripts to be executed across
    sites. That's a vulnerability just waiting to
    be exploited in a blended attack.
    honeymonster
    • I agree responsibility falls on both

      but you have to understand that public protocol handlers are important to IE because of how many 3rd party apps use it.
      LiquidLearner
      • I understand...

        But then the 3rd party apps (plugins) should
        register *with IE*, not with some general
        protocol registry.

        If that was the case, it would be downright
        stupid of Google to register chrome with IE.

        But as it stands now they can claim that there
        are probably some benefits to reap from such a
        registration. Even if it is semi-stupid.
        honeymonster
  • more reasons to dump IE

    and demand IE eradication from windoze.
    Linux Geek
  • I believe IE8 prompts you

    I haven't tried with chromehtml: but I have seen IE8 prompt before executing other URL schemes, e.g. aim:.
    PB_z
    • You're right

      IE *does* prompt you, so this isn't
      *really* bad. Just bad, because IE says
      that a website "wants to open chrome".

      If the user considers chrome "secure" this
      obscures the fact that chrome is opened under
      remote-control (the chromehtml: protocol) of a
      website and can be directed to perform actions
      on your behalf.

      Thinking about it again, I actually think
      implementing such a protocol is a really stupid
      idea.
      honeymonster
    • I get two prompts after typing chromehtml:.

      One for allowing protocol, and one for IE Protection dialog asking me if I want to continue.

      However, I didn't see Google Chrome open up from within IE after I type in chromehtml:www.zdnet.com.
      Grayson Peddie
    • What about IE6?

      But are people switching to Chrome from IE8 or an earlier model? If they don't think that IE in any form is secure they would have switched and not upgraded to IE's latest and greatest. So would that prompt occur using IE6?

      I'm only asking because I don't know. I use SeaMonkey, not Chrome or even IE.
      reziol
  • Odd that Ryan doesn't see fit to mention

    that [b]Google[/b] had already released an update (1.0.154.59) to the [b]Chrome[/b] stable update channel that resolved this problem several days prior to the publication of his own article. Thus the danger is not quite so clear and present as a first glance at the article - or the headline - may lead the unwary to believe....

    It would be nice, however, if [b]Microsoft[/b] could be convinced to fix the bug in its browser code that allows for such attacks on other browsers - but perhaps that is too much to ask ?...

    Henri
    mhenriday
    • Re: Microsoft failing to remove this IE bug

      Henri wrote, "It would be nice, however, if
      Microsoft could be convinced to fix the bug in
      its browser code that allows for such attacks
      on other browsers - but perhaps that is too
      much to ask ?..."

      FOOD FOR THOUGHT
      Is it really a bug? Perhaps Microsoft
      intentionally leaves in this "bug?" Or, perhaps
      Microsoft intentionally created this "bug" as a
      "competitor-killer" or "competitor-accuser,"
      such as Microsoft has done to their competitors
      for decades?

      Microsoft has a history of bottom-feeding and
      unfair competition or, rather, of not wanting
      to be a competitor but a dominator (symbolized,
      to me, as a vulture). In other words, rather
      than compete in the spreadsheet market, they
      eliminated their competition to dominate the
      market. They have done the same in the word
      processing, database, presentation, networking,
      eMail, messaging, browser, and all other
      markets they wanted. In fact, they even try to
      own our computers and what we put on them ...
      Anyway, I have watched Microsoft's ugly
      behavior for years.

      The above does not mean I do not use their
      products because they have me locked in through
      the university I attend. It also does not mean
      I do not use their products, at all. The
      concepts for OneNote tied to Microsoft Office,
      Outlook, and SharePoint are great concepts.
      However, those concepts were actually
      originated and introduced a couple of decades
      ago by Microsoft's competitor, Lotus (remember
      Lotus 1-2-3?), with their Notes and
      groundbreaking DOS-based desktop search
      package: Magellan. These were followed by Lotus
      business collaboration software for business
      applications, messaging and workflow: Domino.

      FURTHER FOOD FOR THOUGHT
      If Microsoft steals concepts and code from
      competitors, could it be that the reason they
      release buggy software or are so slow to
      release debugged software is because they did
      not create it in the first place and do not
      know how to correct the errors?
      Isocrates
  • RE: Internet Explorer Google Chrome = security problem

    Does this universal cross-site scripting (UXSS) affect Linux or Mac OS X operating systems? Internet Explorer and Google Chrome are currently only available for Microsoft Windows and most of these documented vulnerabilities are on the Microsoft Windows operating system. If someone could prove that Mozilla Firefox has this similar UXSS on Linux or Mac OS X then I believe that this is a Mozilla issue.
    IMHO I believe this a Microsoft Windows issue that Microsoft needs to fix on their end and stop blaming other browser developers for this currently Internet Explorer and Google Chrome vulnerability. Also you need to test this with Opera and other multi-platform internet browsers to see if this is true.
    phatkat
    • Let me SWAG on this (kinda long)....

      The problem is pretty clearly tied to Microsoft IE in all cases- it invokes the OTHER browser as a plugin, using invalid and mis-formatted input. Afterwards, the other browser doesn't validate the input from IE... but 3/4 of the problem is the unescaped quotes coming from IE.

      And if you "need" to install your browser with a Registry entry which defines it as a plugin to MS-IE, you need to check whatever it sends to you-- VERY carefully. Internet Explorer is malware, and is being used to "probe" your Browser for flaws.

      In last year's Security POCs, Firefox was chosen as a target because it has the most powerful URL handler-- AND because it had not yet been patched to prevent this abuse. However any other URL handler could be exploited in this way by passing arguments that are not supposed to be passed. Mozilla releasing a workaround for their URL handler was a nice courtesy, but it doesn't stop the vulnerability at the source. The same exploit is rewritten to target other URL handlers which don't have such workaround code already present-- in this case chrome.

      The exploit works by breaking out of the quotes, much as a typical SQL injection attack. This is a problem in Internet Explorer, and should be fixed in Internet Explorer. But they don't (it's an EASY fix), and they keep leaving their customers exposed merely for Marketing purposes:

      Microsoft Marketing gets to point at the other browsers and say, "Look how many bugs Secunia found in THEIR software, while ours HAS NO BUG!". Thus, EVERY other program has to band-aid their way around IE's un-escaped quotes.

      Those other programs DO need to validate their inputs, and there are attack vectors present. But, as Mr. Saltzman correctly said, IE spewing out program arguments to other programs in formats almost exactly like a classic SQL Injection attempt [b]is[/b] an Achilles' Heel for the whole system-- and WHY ON EARTH does the malware-sender get off Scot-Free, over and over again, just because Microsoft sneers that "we don't have the vulnerability. Not our problem!"

      This is just like declaring that malware-serving websites are innocent, the guilt is ENTIRELY among the receiving public. That's BS. [b][u]Mickey-Soft Internet Explorer IS the malware serving "site" in all of these cases.[/u][/b]
      - - - - -
      Now, to your question about Linux:

      Linux desktops DO provide "desktop-wide" protocol handlers, but because we don't have IE serving up malware as input, we don't have these problems. Most of the configuration, at least back in KDE 3.5, is done via filetypes and not protocols-- it's also done within each program's individual configuration files. (For example, choosing to use Thunderbird email as your "mailto:" protocol handler from inside Konqueror, or from inside Opera). The use of protocol handlers is made far, far more extensive and configurable (and thus more dangerous), in QT4. But the security structure is improved, too. Coding for QT4 is so much more clear, short (in # of lines), and easy than coding for Win32 or GTK+ that you have much less exposure-- the superiority of the Toolkit itself GIVES you more security, the widgets are better and lots of security is built right in.

      In the case of Firefox, of course, the XSS attack vector is totally foiled by the NoScript extension-- which I make EVERYONE use, family and friends and customers, and support with contribution $$. XSS attacks are somewhat viable on Linux, too, and you should use NoScript to whitelist the valid XSS sites and block the others until you have checked them out.
      Rick S._z
    • Could you explain? [Updated]

      You stated, "If someone could prove that Mozilla Firefox has this similar UXSS on Linux or Mac OS X then I believe that this is a Mozilla issue."

      Are you saying you believe that Linux is a Mozilla product?

      Are you saying you believe Mac OS X is a Mozilla product?

      Are you saying you believe Google Chrome is a Mozilla product?

      Are you saying you believe Microsoft's Internet Explorer is a Mozilla product?

      Are you saying you believe all open source software is a Mozilla product?

      Actually, the commercial Mozilla Corporation is found at http://www.mozilla.com and the open source Web site is found at http://www.mozilla.org .

      On the other hand, did you simply mean that [i]IF[/i] Firefox has the same XSS issues on Linux and Mac OS X (what about Firefox in Windows?) that it needs to address the XSS (UXSS?) issue? If so, then, as Rick S._z wrote on 4/28/09, the extension NoScript solves this problem for Firefox users; and Mozilla, unlike Microsoft, allows third party producers to provide additional solutions. NoScript is extremely powerful and provides an outstanding service.
      Isocrates
  • RE: Internet Explorer Google Chrome = security problem

    The fault and responsibility falls on both parties. We all know IE is not exactly bank vault secure but I see where Chrome's UXSS makes it worse. I review browsers using justaskgemalto.com digital security site.
    Steve KTG
  • RE: Internet Explorer Google Chrome = security problem

    Try SRWare Iron.
    picpocbalanel@...
  • This ball is all firefox

    It's down to how firefox handles URIs. If they did it properly, this wouldn't exist, and it's a simple fix.

    However, seeing as the GPL people don't think I actually deserve money since I'm just a retarded programming monkey, I think I'll let them muddle through it.
    Spiritusindomit@...
    • Could you explain? [Updated]

      Where you see Firefox mentioned in this article?

      How do you reason that a problem with Internet Explorer, a Microsoft product, is "Firefox"'s fault when Firefox is only a browser and not a company, business, or other organizational entity?

      In other words, how does the handling of URIs by the browser Firefox affect the handling of URIs by the browser Internet Explorer?

      [Updated]
      I see multiple possibilities about you: You could have difficulty with the English language; or you could want to sound important when you actually do not know what you are saying; or you could be a Microsoft troll; or you are nothing more than a rude trouble maker. Did I leave out additional possibilities?
      [/Updated]
      Isocrates
  • RE: Internet Explorer Google Chrome = security problem

    Great!!! thanks for sharing this information to us!
    birumut