A cross-site scripting (XSS) issue in Microsoft’s MSN online service has been discovered by a security researcher to allow launching of software installed locally by injecting commands via URI handlers.
Web browsers let developers call local programs in order to perform certain tasks. This is done through a URI (uniform resource identifier) scheme: the browser hands the URI to whichever program has been registered on that computer as the handler for the scheme.
Special method used to bypass filtering
In a conversation over email, Nicholas Lemonias, who found the glitch, said that a special method was used to bypass the filtering mechanism that would prevent regular XSS attacks from being executed through the website.
The launch of the targeted programs would be triggered by a mouseover action on certain elements of the page, such as the list of videos on MSN; since no click is required, the user is unaware that the process has been initiated.
By doing so, he was able to abuse a trusted URI scheme, like “mailto,” “callto,” “irc” or “skype” to launch programs associated with them and pass some parameters.
For instance, he managed to start a window of Outlook email client with the recipient field, subject line and message body already filled in. In the case of Skype, the program was launched and initiated a call.
When opening programs via a URI scheme, web browsers generally give the user the option of remembering the choice so that future launches happen without a prompt. This aspect is important because the user then won’t be informed when an installed application is launched without their consent.
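A defensive check for the class of issue described above, as an added example that is not part of the article or of MSN’s own code: before any attacker-influenceable link is placed in the page, its URL scheme is checked against an allowlist, so an injected href cannot hand a hover or click off to a local handler such as mailto:, callto:, irc: or skype:. The base URL, the helper names and the page fragment are assumptions constructed for the example.

```javascript
// Added example (not from the article). Only web schemes may reach the DOM.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Assumed base URL of the site that renders the links.
const SITE_BASE = "https://www.msn.com/";

// Returns the normalised absolute URL when its scheme is allowed, else null.
function safeHref(userSupplied, base = SITE_BASE) {
  if (typeof userSupplied !== "string") return null;
  let parsed;
  try {
    // The URL parser lower-cases the scheme, strips leading/trailing
    // whitespace and drops embedded tab/newline, so "MAILTO:" or
    // " java<TAB>script:" cannot slip past a naive string-prefix test.
    parsed = new URL(userSupplied, base);
  } catch {
    return null; // unparseable input is rejected rather than passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Scans a rendered fragment and reports every href that would be rejected.
// Regex-based scanning is a review aid, not a substitute for the check at
// render time (a real parser is needed for arbitrary HTML).
function findRiskyHrefs(html) {
  const risky = [];
  for (const match of html.matchAll(/href\s*=\s*"([^"]*)"/gi)) {
    if (safeHref(match[1]) === null) risky.push(match[1]);
  }
  return risky;
}

// Constructed sample: a video list like the one the article mentions, with
// three injected links that would launch local handlers or run script.
const SAMPLE_FRAGMENT = `
<ul class="videos">
  <li><a href="https://www.msn.com/video/1">Clip 1</a></li>
  <li><a href="/video/2">Clip 2</a></li>
  <li><a href="MAILTO:someone@example.invalid?subject=hi&body=text">Clip 3</a></li>
  <li><a href="skype:echo123">Clip 4</a></li>
  <li><a href=" java\tscript:alert(1)">Clip 5</a></li>
</ul>`;

console.log("rejected hrefs:", findRiskyHrefs(SAMPLE_FRAGMENT));
```

Relative links resolve against the site base and stay allowed; everything that resolves to a non-web scheme, including scheme-relative URLs to other hosts, is reported for review.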
Risk of redirection to a malicious site
Lemonias said that malicious actions could be carried out, such as sending out an email without the user noticing anything, but he did not provide evidence that would prove this possibility. As per the specifications of the “mailto” URI scheme, only a new message window is opened, with the address of the intended recipient already filled in.
However, he did provide proof that visitors of MSN could be redirected to a different website through the XSS attack. Given that MSN is a trusted website, it is safe to assume that an attacker would be more successful in achieving their goal by taking the visitor to a malicious location.
Another consequence stressed by the researcher was a denial-of-service condition in the application called through the URI scheme. It is important to note that Outlook or a different email client is not the only program affected.
Researcher promised a place on hall of fame list
The researcher notified Microsoft about his findings and the company removed the security risk through an update to the service.
No monetary compensation has been received by Lemonias for disclosing the bug, but Microsoft asked for his details to include him on the Online Researcher Acknowledgement page for 2014. He is not listed at the time of writing, but his name is expected to appear in the next update of the list.