An exploit intended to demonstrate the seriousness of the recently disclosed SHELL: URI handler issue has been released. Microsoft has previously stated that the issues surrounding the SHELL: URI handler are of little security consequence, and are not exploitable except with significant social engineering efforts. The released exploit demonstrates the ease with which this issue could be leveraged.
The released code utilizes a feature of Internet Explorer called Binary Behaviors that is designed to allow a web page to modify the way that GUI components respond to user input. The exploit utilizes standard window elements to intercept user input that can lead to a drag and drop event. This event can be used to save files to known locations on an affected user's computer without further user interaction.
This proof-of-concept exploit is likely to lead to rapid utilization by spyware vendors, as it allows the invisible installation of arbitrary files into known locations that can be utilized to automatically execute a malicious payload.
There currently are very few workarounds available. The most effective are available with the installation of Windows XP Service Pack 2. The following actions may mitigate this exploitation method:
- Internet Explorer users can guard against this particular exploit by disabling all active scripting
- Machines that have had Windows XP SP2 applied can disable Binary Behaviors within Internet Explorer
It is important to note that these mitigation options can severely impact normal browser operation and may cause many sites to render improperly.
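The two workarounds listed above are both Internet Explorer security zone settings. The following PowerShell script is an added example, not part of the advisory or of any Microsoft or US-CERT material, that audits those settings for the Internet zone and optionally sets them to Disable. It assumes the standard IE zone action identifiers 1400 ("Active scripting") and 2000 ("Binary and script behaviors", the XP SP2 control for Binary Behaviors), stored as DWORD values under the per-user Zones\3 key with 0 = Enable, 1 = Prompt, 3 = Disable; the advisory itself only names the settings, not the registry locations.

```powershell
# Added example (not from the advisory): audit, and optionally apply, the two
# Internet Explorer workarounds for the Internet zone.
# Assumptions: zone action IDs 1400 (Active scripting) and 2000 (Binary and
# script behaviors); values 0 = Enable, 1 = Prompt, 3 = Disable, stored as
# DWORDs under the per-user Zones\3 (Internet zone) key.
# Without -Apply the script only reports; with -Apply it sets both to Disable.
param(
    [switch]$Apply
)

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Human-readable setting name -> registry value name as IE stores it
$Settings = @{
    'Active scripting'            = '1400'
    'Binary and script behaviors' = '2000'
}
$Labels  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Disable = 3

function Get-ZoneSetting {
    param([string]$ValueName)
    $item = Get-ItemProperty -Path $ZonePath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: IE's zone default applies
    return [int]$item.$ValueName
}

function Set-ZoneSetting {
    param([string]$ValueName, [int]$Value)
    Set-ItemProperty -Path $ZonePath -Name $ValueName -Value $Value -Type DWord
}

foreach ($name in $Settings.Keys) {
    $valueName = $Settings[$name]
    $current   = Get-ZoneSetting $valueName

    $label = if ($null -eq $current) {
        'not set (zone default applies)'
    } elseif ($Labels.ContainsKey($current)) {
        $Labels[$current]
    } else {
        "unknown ($current)"
    }
    Write-Host ("{0,-30} {1}" -f $name, $label)

    if ($current -eq $Disable) { continue }   # already in the mitigated state

    if ($Apply) {
        Set-ZoneSetting -ValueName $valueName -Value $Disable
        Write-Host '  -> set to Disable'
    } else {
        Write-Host '  -> would set to Disable (re-run with -Apply)'
    }
}
```

The script edits only the current user's Internet zone; a machine-wide policy under HKLM (or the Security_HKLM_only setting) can override what it writes, so verify the effective values in the Internet Options dialog after applying. As the advisory notes, disabling these settings will break sites that depend on scripting or behaviors, so treat the change as a temporary measure until the MS04-038 patches are applied.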
If a user is affected by this exploit, the following practices are recommended to help mitigate the impact of these types of attacks:
- Users are advised to ensure that antivirus products are installed and up-to-date to protect against known threats presented by malware
- Users may also consider the installation of system monitoring software that can trigger notifications upon unwanted and unexpected changes or additions to critical files and registry locations
As has been previously stated, this exploit method is expected to be rapidly adopted by the spyware and malware communities as the window for exploitation may be short depending on Microsoft's response. Users are advised to be especially wary of following untrusted links or visiting untrusted web sites. Social engineering efforts are likely to be increased by these entities to try and leverage the vulnerability window that the exploit creates.
Microsoft has released a security bulletin and patches at the following link: MS04-038
US-CERT has released a Technical Cyber Security Alert at the following link: TA04-293A. US-CERT has also released a Vulnerability Note at the following link: VU#526089