The Ask Nick!™ Security Tango™
Windows Flaw Exposes Your Personal Data. You're Welcome.

Thu 16 Aug 2007 2:09 PM

A little-known feature in the Windows operating system is called URI - the Uniform Resource Identifier. It's a set of special keys in the Windows Registry that are used to launch programs through your Web browser, and - I hope you're sitting down - it can be used to steal data from your computer.

URIs have become a pretty hot topic in the last month or so, ever since a fellow named Thor Larholm showed how a specially formulated URI could trick Firefox into running unauthorized software on your PC. Shortly thereafter, other folks demonstrated how that same sort of attack would work with other browsers, and even other applications.

Now, Billy Rios and Nathan McFeters are saying they've discovered a whole new way that the URI can steal data from your computer. They call this "functionality based exploitation," since they're using the legitimate functions of the software to attack your machine, rather than bugs in the system. And, of course, you can't get a good, rich research grant unless you've got a fancy name.

Their initial results show that there are plenty of ways to misuse this technology. They're being pretty cagey so far about who the culprit is, but they're saying they have found a major flaw in a "widely used program" that could be misused to steal data from a victim's computer. They're not going to release the results of their research until the manufacturer has had a chance to fix it. But, now that the basic concept is out there, I suspect we'll be seeing a lot of exploits out there in the next few months.

Let's take an example. If you type aim:goim in your Internet Explorer or Firefox browser bar, it starts up AIM and opens an Instant Message window. Handy, eh? Can you think of any way this could be exploited by a bad guy? Yeah, me, too. Dozens of ways.

The problem, of course, is not really Windows. The problem is that all these software developers (Microsoft's among them) have rushed to enable this technology in their applications without stopping to think about the security implications.

Mark Griesi, a security program manager with Microsoft, said that he does not see any of these URI issues as something that needs to be fixed in Windows or Internet Explorer. That's up to the individual software developers whose programs may be misused. "Security is an industry responsibility and this is certainly a case of that [principle]," he said. "It's not Microsoft's position to be the gatekeeper of all third-party applications."

So, you see, instead of fixing it in one place - at the source - Microsoft is telling hundreds (thousands?) of developers that they will have to spend their own time and money fixing a flaw in... excuse me, a feature in Windows.

And this is why so many developers are so eager to write software for Windows.
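To see which programs a browser can launch on a given PC, you can inventory the registry keys described above. The following is an added example, not code from the original post: it reads registry text in .reg export syntax and lists every URI scheme (a key directly under HKEY_CLASSES_ROOT that carries a "URL Protocol" value) with the command stored in its shell\open\command subkey. The sample data, file paths and function names are constructed for illustration.

```python
import re

# Constructed sample in .reg export syntax; programs and paths are made up.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\aim]
@="URL:AIM Protocol"
"URL Protocol"=""
[HKEY_CLASSES_ROOT\aim\shell\open\command]
@="\"C:\\Program Files\\AIM\\aim.exe\" %1"
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
[HKEY_CLASSES_ROOT\exampleapp]
"URL Protocol"=""
[HKEY_CLASSES_ROOT\exampleapp\shell\open\command]
@="\"C:\\Apps\\example.exe\" --open \"%1\""
'''

KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key path (lowercased): {value name: data}}; '' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = VALUE_RE.match(line.strip())
        if m and current is not None:
            name = '' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
            current[name.lower()] = unescape(m.group(2))
    return keys

def uri_handlers(text):
    """Map each registered URI scheme to the command Windows runs for it."""
    keys = parse_reg(text)
    out = {}
    for path, values in keys.items():
        # Only top-level keys with a "URL Protocol" value are URI schemes.
        if '\\' not in path and 'url protocol' in values:
            out[path] = keys.get(path + r'\shell\open\command', {}).get('')
    return out

if __name__ == '__main__':
    for scheme, cmd in sorted(uri_handlers(SAMPLE_REG).items()):
        print(f'{scheme}: -> {cmd}')
```

In each command, %1 is where Windows substitutes the full URI, so every scheme listed is a program that receives text supplied by a web page.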
Text, "Security Tango," and logo Copyright © 2010 Nick Francesco