[13071] in bugtraq


Re: The money: protocol in Internet Explorer

daemon@ATHENA.MIT.EDU (Microsoft Product Security Respons)
Thu Dec 23 13:12:05 1999

Message-Id:  <D1A11CCE78ADD111A35500805FD43F580438FD42@RED-MSG-04>
Date:         Wed, 22 Dec 1999 09:35:41 -0800
Reply-To: Microsoft Product Security Response Team <secure@MICROSOFT.COM>
From: Microsoft Product Security Response Team <secure@MICROSOFT.COM>
X-To:         "BUGTRAQ@SECURITYFOCUS.COM" <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Hi All -

The "money:" protocol was designed to allow Money to integrate with
web-based offerings like MoneyCentral.  It allows Money to be started and
navigated, but is designed to always require user approval via a dialogue
before taking any action.  We believe there's no security issue here, but
are doing a full investigation anyway, just to ensure that this is the case.

Regards,

Secure@microsoft.com



-----Original Message-----
From: Richard M. Smith [mailto:smiths@TIAC.NET]
Sent: Monday, December 20, 1999 2:13 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: The money: protocol in Internet Explorer


Hello,

Here is an interesting problem that I haven't had
the time to look into fully.  Maybe someone
else can give it a shot.

If a computer has both Internet Explorer and Microsoft
Money installed on it, Money adds a protocol named "money:" to IE.  If
one goes to the IE address box and types in "money:",
Microsoft Money will start up.  The protocol also works
in a JavaScript window.open call.  This means that Microsoft Money
can be started remotely from a Web site or from an HTML-based
Email message.

Some interesting questions here:

   - Does the money: protocol have any buffer overflow
     errors such that x86 code can be injected into
     Money and then executed?

   - What is the URL format for the money: protocol?
     For example, can one do something like the
     following:

money://transfer?from_acct=myaccount&to_bank=swiss_bank&to_acct_no=12345&amount=10000.00

   - If remote attacks are possible, how can the money:
     protocol be turned off in Web pages and Email
     messages, but still have Microsoft Money work
     properly?

Microsoft was demoing Money 2000 at Comdex, and
I showed the money: protocol in IE to the Microsoft
guy running the demo station.  His eyes got big as
saucers.......  :-)

Richard

==========================================
Richard M. Smith
Internet consultant
Email: smiths@tiac.net
http://www.tiac.net/users/smiths
==========================================
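
On the last question in the quoted message, a first step is to see how the scheme is registered and what command it launches. The PowerShell below is an added example, not part of either message and not Microsoft's code; it assumes "money:" is registered as a standard application URL protocol (a key under HKEY_CLASSES_ROOT carrying a "URL Protocol" value), which the thread does not confirm, and Get-UrlProtocolHandler is a hypothetical function name.

```powershell
# Added example: list application URL protocol handlers registered on this machine.
# Assumption: schemes are registered as keys under HKEY_CLASSES_ROOT that carry
# a "URL Protocol" value, with the launch command under shell\open\command.
function Get-UrlProtocolHandler {
    param([string]$Scheme = '*')

    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $Scheme -and
                       $_.GetValueNames() -contains 'URL Protocol' } |
        ForEach-Object {
            $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$($_.PSChildName)\shell\open\command"
            $command = $null
            if (Test-Path -LiteralPath $cmdKey) {
                # The unnamed (default) value holds the command line.
                $command = (Get-Item -LiteralPath $cmdKey).GetValue('')
            }
            [pscustomobject]@{
                Scheme    = $_.PSChildName
                Command   = $command
                # True when the full URL is handed to the program as an argument,
                # so the program parses text chosen by whoever wrote the link.
                PassesUrl = [bool]($command -match '%(1|l)')
            }
        }
}

# Check the scheme discussed in this thread, then review every other handler.
Get-UrlProtocolHandler -Scheme 'money'
Get-UrlProtocolHandler | Sort-Object Scheme | Format-Table -AutoSize -Wrap
```

No output from the first call means the scheme is not registered this way on that machine; it may still be registered through another mechanism.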
