|
|
|
Google Joins Mozilla, Blames IE for Chrome Bug
By: Larry Seltzer
2009-04-27
Article Rating:  / 8
There are 6 user comments on this Network Security & Hardware story.
OPINION: It's an old tradition to blame Microsoft for not doing the security work you should have done yourself.Google has fixed a
bug in its Chrome browser which could allow cross-site scripting and
other dangerous policy violations under interesting circumstances: when Chrome is called from Internet Explorer because a link is executed in IE with the "chromehtml" protocol handler.
Update Chrome to get to the new version 1.0.154.59, which they say
fixes the problem, but that's not what's really interesting about this
bug.
What's interesting is that it's actually a new manifestation of an
old problem: external protocol handlers are called from Internet
Explorer with malicious input; IE just calls the handler with the
supplied input. In this case, IBM researcher Roi Saltzman found three
main attacks that could be launched through this mechanism that would
be blocked through normal Chrome access methods.
It's very similar to a series of bugs that were found in the combination of Internet Explorer and Firefox back in July of 2007. Similar stuff, some abusing the firefoxurl protocol handler.
In both cases, the other company chose to blame Microsoft for the
bug, claiming that Internet Explorer should have sanitized the inputs
before passing them on to the external protocol handler. The Mozilla security vulnerability advisory on the subject contains the following: "Internet
Explorer calls registered URL protocols without escaping quotes and may
be used to pass unexpected and potentially dangerous data to the
application that registers that URL Protocol....This patch does not fix the vulnerability in Internet Explorer."
Google wasn't quite so ostentatious in blaming
Microsoft, but they did it just the same. Roi Saltzman didn't attempt to blame
Microsoft, but in the
Chrome vulnerability database writeup on their report, someone at
Google puts it this way: "Because of a known silliness of MSIE,
calls to registered URL handlers for protocols such as chromehtml: are not
constructed with sufficient escaping. We previously combated cases where this
could be used to pass unsolicited --no-sandbox or --renderer-path to the
browser."
Think about what they're asking Internet Explorer to do: The whole
idea of an external protocol handler is to have IE (I think it's
actually whatever the default browser is) call an external program in
order to handle an http request. IE doesn't know what the external
program does, it's not supposed to care. So how is it supposed to know
how to sanitize inputs? In order to do that it would need to know about
the semantics of the protocol handler. IE is just a shell in this case,
not a client handler of the request.
Even if you were to argue that IE should do standard escaping on the
stream, it's disingenuous for Mozilla and Google to argue that they
shouldn't need to do input sanitizing because Microsoft should be doing
it. The lesson of the last 10 years is that you have to make sure your
own inputs are sanitized.
Google went ahead and fixed the bug which is just as well, since
Microsoft isn't going to fix it for them. Let's hope this isn't a onsie
fix, but that they take this opportunity to look at inputs on all their
external protocol handlers.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Editor's Note: This article was updated with new information.
| | Reader Comments: Google Joins Mozilla, Blames IE for Chrome Bug | | >>> Post your comment now!
| | I couldn't agree more with the authorI couldn't agree more with this author. Indeed, IE is in fact acting as a shell and just passing on the request to the requested protocol handler.... Posted At: 05-13-09
By: Craig S. | | | | | | A user comment on this articleFirst, I want to point out in the article, you quoted the Mozilla security advisory as saying:
"Internet Explorer calls registered URL protocols... Posted At: 05-05-09
By: Anonymous Reader | | | | | | a bit of bothprotocol handlers working as an UrL should follow the RFC 1738 specifications - on both sides:
- output sanitizing should be done by the protocol... Posted At: 05-05-09
By: Mitch 74 | | | | | | BugsA bug is usually the result of some human's ignorance, laziness, haste, or stupidity. I wonder how many of these security holes can be traced to the... Posted At: 04-29-09
By: Tom | | | | | | Why?Because is calling a protocol handling application that is registered in your machine (based on the prefix), when you type ftp:// http:// mailto://... Posted At: 04-29-09
By: IT | | | | | | QuestionRegardless of whose bug it is, my question is why is Internet Explorer calling another browser in the first place? Is this because of Microsoft's... Posted At: 04-29-09
By: Blair Christensen | | | | | | >>> Post your comment now! | | | | | |
|
 |
|
|
�������x}ks8q�8c#dK-ě[HH"$eG|9u��_zP��9���6Ѝ~�~ ooOD.�01tE1�>=zo�HRco����L#s%GgPSrD廚�f�w2v=S;^��> \?g#Q;Y|��vn=w2`q�|&��xa/
w-m~D�M-G ؓ�ۭBx1�BP�#"F��τwG�͠匝o8Gd`jI:@�"4
13<�LeC1k;T*�R65-晚u@|͖|#XulAzf@��dnQ��TB�p` V�?j9yp
O,Ӈ�;) ۱ȭB�¿{kײ�߂CM�{6̳L]b!�'l,R"
?q74Ba�5�;��E&��sؗ#Y閩m�Ⱥuw\PBMQRP)��+����6�2W�MugNo?ڻP*j(u���u7�Z}��m9�C�M=듫;yظ} � �dm+5'�}�&DeR)�I&0h�'6tt<_B^�,9DFI?jOny%rX:,�q Ԏ$0L"�K�1~̢!2I}oOU}s}I}z~ri!,[3SAV��
2CT�YaFȏNժutq۹juo{{CZϝv�Y3��a
Og�Vo!�-�/�x�_��b
M��u4}Gʇ{S{r&�tr9%9Io?��پBd}#�77W�$�cM�|�Ap6
2T��c��]v�jGo__ ZP� G/<@#D93Sf�M�s,e��gy`M��H��:Ɯ5ņ]�)!ex�ۤ%/^(Pe!PC!)\Dh+�ԌTwYQ��Q#�=^f/\��R@��1�Al8{ØWҽTwsQ��[�|48�N>]7Du..*�5-wnx�aZRp�x=nO7�]wz]t�`xX18��X.B2iKB0.VG5]Br�fv\�CU9-|�Q|�2x��jXvR7HYA^ݯgtC:�)~Ѧ1>RÜMCͶ�OCs�>hH2胆>m�=ƹ�h$�
<7p}HOQI�4�p|g��0���sJ}+��j$
nh��-DCw
pIeg&S yO��݁17C?�N{t(
5�ȁjN5҆�.��QcSB�x?ɜ+)
'C/0tKt45I39;ew)(�k�UBgsNPB/W2 \_&VAB5
>d<ɤPlggS'D8o}T fdnR1*�RJ*<""ǰ@3�>`L)^IIRЙl!�9z9�l�)>�?uV�k)̲T]۽(/7�r@]�օV�P�� M��2\x���kZԕ9�%/D�4$B]N`}.�E�GQJ�lL-
�>��86p#>wl{(`R�rQj�#S�0ш�PXjgܱ)�>���%P���$!|?fLl:K{׳�L֩w@��="/I�N�cg@>ੜ�ǟG�)!��w1�Z�J`lX�*,b3)
jMM,bbp=Pz8�Fq,0 XbO{s�UrvXkj43익'])/_(g76���vG�:Me�"6x#�ji�WH�X-pא~3�VJQUcϓ�cs@M$ �g�2,rFe9�ٔ�M9 QQ-L.M{��
�\�mpf�Z��GZ�.�~~i~02�y�6/�g>:F}��`'x�NKt�ŁͰ�8]zq�$�\9STJ)�RLZ�љ0@�ykLv��0"4�n���1$�/Pk
.a@C^hC��E)& cVbrEL�s�
-UN-I)�]�gwu`X�]Oұ@i�У�jzp~,9,#%h�ho?^HjZX6PQrVUqV
X��wq�)4Ku@rF�6�
̻�m??�Qo��Ͼ(�zKݠG�>W�,�G>8Y�&1'p^+;@|p�>Cy./bҧJǦ8P�z0�o`!�TՖGasg�'��b����!N��~0 �X�#0`6Yന�
9^QӲ�j�Ԉ@|��p+9!Nf�kӥ��e
Cn׃�3z�Sb_@UzX+5"8KY3�b�QD��i��;bE dW�.Qٸ���y;@<�uP('Px�LtJ$F�؝A]o^c+o�M}'_;,̮
2
\3 z��uO`vu'Si
lmSU�}((Oc�
ʌ9Q%/(SY-iq#<�F.҄^ߵ{�]c6�
��_8x�kYʊnZv`
dZT+α�^`�.uJM�A^"�fQ�rC5�E�;40N]5�)vݏD>Q�Y�KK�Iպm2R�KbU-+ 5CoD�D\u[�9EL��
J '̀SBb;�?͕H97cXOB�B�5��9��%�BG$�qza/;C7�0")O ^X:Zik.bp��.Wk��v̢uYsd;6�sde��D@X��J3dNV�CU�VIb('Iġ; c.=fY[y�:J"{qz2N}zb4D_L7 E$D�F?+�?x@3�|}Q'9w6*B�ڽ�b[-W+���B!a�8!��T}U�D(K�,E~W9ـo9�|RQ*�rF2�R@BZN¦s<6ɗ02f�Dҟۆ
�+~7?l)ɡX�XD�>DWF\{e"�;QXk�#Ẉ1114/xyi`�zPS�'�BQ!�}QLEX�rr���E �)X1[&MJ齟E])�V��l{Κ/G�z֯Nӽ:⭃a>&·~�~�}ݯ{Zj\]�`š�JV�G|L`MUK\6?p�C-�P�d�NR(��1I�]�u̮VsA0lg�~hy+ $+'~{)\6o>tėtO���\tR1~Z`&18Լ|:b|U4�#$Ey�n{hq\3)MF"Kt0S�W5!麫?72P B5�q7Y0wx!}q!ɅH'k&�27��Ey4ak6xy�_aZ�,d"0�.
I5:=.����� k@JA=�Vohuz�/Ѯ�{ma:[(�
�`E/Щ
cA�HF�rI'zRG�nijV{L۠�$'R�):�(9Q{_aKѷo%Aߐ>1K4��~ ɮP��hLYb6n|&�B2�^'v8�/:=h)9��I�B��.A-H7ܾ�N="�0�qJ"g�:�E;6�?m[=O��rr���PR)%ZG.([4wiQen%iє�r�tJ)SBt�~�Q�:ZX3=IY�'i�M$_�]d0XPW
lقW��'59ܻ8�]ҹs��%';yRn`}�Z4jٷ.4~,��s�H���x�~@ċh#rW��FK*U6G�H|Sip6.�{��GS�
�x�ݞn�eRaЅce��,&���$�ta4�اڜm�q=\�iϓ{~�\[܍ĝ99Bn8:[�˳�PbxYa)~h8Sʹ�?꒫n4/�Ҽ?�5LN`_ |1�$?[н�>�u?�y{lo&�<)ǣAl�k5�9obJwfimԕŞ`4tͥoR<�'i?{²"CWq�[:'3)V$�Xh�HZ�U7}\8%'+hs=0����=1�@7YM��(f�ެ�x zi12�Q3-�|c1Co~<Ϥ�
]ek��*����o}VZ�tC.q�D�).&�d/.%n.E ju O�Kt�1ڮ/=ا�HkyX�xlQ�Wg�o
�O O=p�Զئyxxg�Ld�9��a}�43`ؒrL�p��Pf�prn
֔@djl�� 8�QbMǾsEs ��5D��N8�
�X��g+i�ƿ'!IVܱ�S,*O��o+N{kE�|;̔-u�&/eW�I�n2�6�����\(�\=sq� ��~=n8���E'ͦ�x�LL>�'�2>6,oeM�ʧGq"FC�bߴ�Slz3},L�="MқytyS>&(6Y~ѯӧ!@�&ipCtviB\Ň�5ƈ�8�,���J]D���G'![�q(ŻO�xbw44o<�MRI9|�n%!LSg��k
���'qeIJPH
D˱Y)����N@�ﱔ���=�t���� ;RKJ�D1&1�>^"dras�vLU\W&RrCw{RH]R^Vc52T(�Ҫýt�pH��!%ƾm͗dkȆnZ{ҩgpp�f*
�8ȩ$!t¡%�.�dZ`QwdM$�۲f5H V|dJg@���_Ig1+Up@D��MEݮ�--+>B�9Jdc6*z�5�-�yf%r8q@>nM�nKU tc�TPjW"[Z@pJ�l&x)F{I�Tu�إKZʳ[_紴tn�>8g&|E*��MI�cċ,d6!v�0jd4U W��zB*7����ȬF#FRv$k>`m|Q}ha/g~�4ϖCg�b�KR�`�"���0xBx��I��n�ulv;V*�wkW"K=LS��/��8
ElCu":(]�`)�=0RXs�|`l�ؔ��R(V�P<��Axl�ἂ�x,�],|�}!"y�]�J?gU�p$gsagR'ךN^,yuIӸǕ4�nOrߡ9gO.�:��=9"=gtA#�,C�3�kdn9�ZiGUJ/GjRo�
IH9lE�!|�gDp?afH7f@j\^�q�9U#]%v�}N`'e˜%'Dqd^^]y&6�▼_~._k`@!��ZK,%B.n�}f7g8@3ːε{*R,ak��G1�BE�E&�6 ~%L2&G� D�*6t+�i~.�C2�s^W�*�"Vˠ}rG�7MÌ:.����ƿg<�Ovp /:J@"��oG��zC@|7Z$C;?8�=a�\:�ތ&o"6�gbTCۇWUEB�W+~pUTVՌH&�D
/~K�2Z�u\Ͳ��^��Hj/��Ϳ2:rO|k�nfvS^F<�p9r^���L�l�#۩{Mfr*��cl�(M#o�ۀ-c��g�謈z.� RXv!m,):f+XB�>�2}fp�zl^�Ji��f-e։57$I1�Ʊ�+}Q#*NhV�P2b�D�Ko�p,
rpDycЃ�>?w}Uy�νc�o�(�S) Ux~��NNnU �e^�\e-'�I24b'
�/�A1DKb���@/]j�7|}6_��w �g�@�a]I��Yx0);AGt;R\0����S
:6Mp�'oEb?'#�,<�@�^t8ɜ�hvp^xx)�ФCnA1�R9mfӚbnƆx@I
<7L8�Vi
;'6vn&&#']dԛ㉠DU#[�~<�"R!Dh�+@O�
eӡ��q-ĸm5ܵ4&k襍ڵϔxT{z5$_`w��ᷭ�lsd"ә�n, -:u^`c�i7t�]s�t�73>н_��3B{s8GYj۫u)�08̶.��yqc[VjBYIc0�"O{MRB��@\5��m2c1Hz.Ŕ�0#�m+/R�o~%r�U�c[q{Z"U!7Tce���VW1�jڦQ�*
L(_q�C<��x�a1aV
զٝ$��Y?"d=`��'LE74/xy B8'Y751
�o�Y@d8_AnKi\m5't�Mx%7�+�
:%Ba����J@-&nhpa3l�@1"s?"�I:N~�^Pb��ԓ"< �L�8�醬�
roE�VIz! ,Đk?ZXED���<<��q}nD~hv.Uw7=
d!ϝ�k�֜]jM5q%� ��}�ӂ>9 !'vQ]Q
LT�n0Os.}`J��{�φ\oܤ��-l
� \Z�s4e{Hwz}檧�*E|GRw2O0�摩P8+Șh
M(qTi+$<49|zLYJ�ȧ)��aN���J�&�x&�;��IQ!9�Q�""1aں5c�1�;m: \y@>w;LQZj��*�!bpȣ4ϓ W}��#
$Zڽ�]ΰ*�@�[�`'*?=
��?B7D��&%n6w�F�̬�0S�L�\��X�
E߀dp?,�GAa2u:�R�'����oN�&�իr ��P�0gI~�\b�@ĹԐ0�\(J$Ѕ:�y,@#!��9ω��q{rniE'虞G�(�+݉2���x���bRSJ9|�5��"�
$cU-]V7)`7~gtU�h VH+^@0
92b24�K=
L]; �.O=lF�D�9�/{C&O'ӛuӽ��&lkEQwI{sվ\8`1(Kyl2/*�vg,P]5/OQ�ʩբksYx�9%�E��w�8tɩcdhw>|&N^;K�g~窜4=V0�8� �SD^}'ݫv�n�"#(�(MfFy�ʻ�-AQ~
π>g���NqY_i�VF9?t2ʡ��{�_���os�K2�K��{AKe�}.��/?/3�2?QF2�3ϡg�9~P~U�{mF�ua!gk8=r ds�~)W@_d_�y*)YF!g賊���3F7_+0Πsk=�
Я!�ߗdlڹ>
q�ʝz�>=Lk�[M�2n@Kȣ�_xi� �+{#��½8�Eq\"*�g�D|�@ð`x#uY��D'�AWt�ﹺ�d^xW*rr1VD=՞�bM�dg,dlζG\%�f1'M]�o{s"X�5̽�'7�\�WW/3yK�w�S+:g�t{r
�*%���.
ۍuR9\���~�GG0���y5h\j�ťhe?/�yfֺWWVF�+p%kŠ6K&(W~�rOWf�|4;(n�bi3Q*;9jG��Hi0σ� CO3mo�J�\Ӄ:[X�ڧn:/i�i\5/��mОMEA]e�GӠS7q��B8�#��%1zI���a4
D�-B9}54]MWn37��ʑf�t�:ɹT)�
%
J\ܓJnx[p@Df��j� _$`r�BE9,��PP�फ़��h�[^t �,6Ngw~b4ǝag,�i܃z�t�(�|u�^ӲO^^tE�ǻ˴rDba\m�8:
��-c�$]tx5���/`5ݤ1lxy�.d38pǮ�ow�G ��U?���m
�o=h>I4kw��+��P����Ս58݈8�9p<�y
x��_�-,�
�<��ѹ�͏ }]<ۚ9t؆"uL]ݸ3EѸs5 D 9b o>;ߘ 9H�D[Opc/��o�.;c���7ҧeF`�]Wn�BaI'�iϾc.���l> Oax3gVdg�/�G?&�E;p�|F+`a?94�#Wn>Q.��klE�Eא�E,&Lh�nP%6nc��?q�&р]�Vx+�DA焿�H9aCdkq�E݉cG\cD�x{pA��lN@Um�kCq�2cX
=���?Ecdܒ�xjA߭ed#IK��Ah$fW5���EXN%�i{j9.鱻�$Vx\d�~\;n6{͂R�x�'^�?�~=�W�?}9)欹s�б�ߞR
TD1[�
|�iK:AM6�_w^sԶeEY&PL��#U%�k,_͠#��9"g݅�ؠ(b-"%1�7&]j�
5�6N��B�`t�9,�C��>X�읙7~/;v4R+4$N0R��sG�F�?�X� \��swH�f��:;:Ώ#
P�䁜211Zc� *۳|�?q��f[��ŝA6�p8C3`�ܐ}oӒ[p��>(7A{~��r@]`#O��]��&�\f
�^:e_L�.�ѪBVnb0Pjs;?�B��r"#�`]R>�L1\eq}#3�ӲGH�A@zP����,�{ �Qv*059
q얢U��..Dl`a�A0n,ـ��A5'*l
=Vc�:pSz
���v�SmQ-নN�?X70(|N4y
|�Ua=r�k��
jA@0��8gn耵�]1fnB�ٔ�mGѯ.,@�<�
�W{څG��S�y6:|���Vju>$+e={`o'3Lg�|�oU��CtM�*j"<&o�(fҢΰ
岞�*ZqKmN~늜�%On6%cܦ\J�BS+$d�{mȚ��զr0d֊�V&bƷ�Z2eR[`l/Z6?Y���
|
Network Security & Hardware 
