URI Handlers from Hell

26-7-2007

About 3 years ago I wrote about how browser integrated 3rd party tools are stupid and exposing users to new attacks (post in Turkish - basically it's talking about Winamp exploit and IE-Winamp integration issue ).

Nowadays whole security community is talking about Firefox / IE remote command execution issues and how URI Handlers are bad. If we keep combining and integrating stuff, we will be more vulnerable against these kind of attacks.

What I've found quite funny is that these vulnerabilities are perfect examples of well known 'command injection' issues. Escape the meta character, execute the second command even though they've recently found, I'm quite surprised that everyone missed them so far.

Recent Blog Posts

See all of the blog posts