Monday, January 01, 2007

Entry Point example

The first of the "Month of Apple Bugs" has been posted. The big news is how they highlight Apple's failings at cyber-security and negligent handling of disclosure, but several of these bugs are also important outside the context of just Apple.

This bug shows the "entry-point" issue. Firewalls control just the low level entry-points to your network, "ports" and "IP addresses", but all the high level entry-points remain uncontrolled. The Blaster and Sasser worms came over the entry-points known as "NamedPipes" and "RPC GUIDs". Many web-servers are attacked over entry-points known as "cgi-bin scripts". Each time you install a bit of software on your computer, it hooks into a number of these entry points. Exploiting a piece of software means finding the entry-point that it will receive data on.

This Apple bug hooks into the entry-point known as a "protocol-handler". When you use your web-browser to visit a web-site like http://www.example.com, the web-browser uses whatever software has hooked the "http:" protocol. This Apple bug is in software that handles the "rtsp:" protocol, which would invoke QuickTime if you visit a website like "rtsp://media.example.com/qt/actionflic.mov".

Looking in the registry on my Windows machine, I find the following protocol-handlers registered under HKEY_CLASSES_ROOT\PROTOCOLS\Handler: about, cdl, dvd, file, ftp, gopher, http, https, its, javascript, local, mailto, mhtml, mk, msdaipp, ms-help, ms-its, res, sysimage, tv, vbscript, wia. A quick look on the web reveals a number of known exploits for some of these, such as MS04-013 for "ms-its:" and MS04-009 for "mailto:". I also see that Firefox has a known exploit for the "shell:" protocol-handler.
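As an added example (not code from the original post), here is a PowerShell inventory of the same protocol-handler entry points on a Windows machine: the pluggable protocols under HKEY_CLASSES_ROOT\PROTOCOLS\Handler that the post lists, plus application-registered schemes of the "rtsp:" kind. It assumes read access to HKEY_CLASSES_ROOT and that application schemes follow the usual "URL Protocol" registration under HKCR\<scheme>; the two function names are my own.

```powershell
# Added example (not from the original post): list the software that will
# receive data for each registered URL scheme, i.e. the high-level
# entry-points a firewall does not control.
# Assumes: PowerShell 5.1+ and read access to HKEY_CLASSES_ROOT.

# Expose HKEY_CLASSES_ROOT as a drive (only HKLM: and HKCU: exist by default).
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-PluggableProtocolHandlers {
    # Asynchronous pluggable protocols under HKCR\PROTOCOLS\Handler
    # (about, file, ftp, mailto, ms-its, ...). Each subkey names a CLSID;
    # the COM server registered for that CLSID is the code that parses the URL.
    Get-ChildItem 'HKCR:\PROTOCOLS\Handler' -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).CLSID
        $server = $null
        if ($clsid) {
            $server = (Get-ItemProperty "HKCR:\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{ Kind = 'PluggableProtocol'; Scheme = $_.PSChildName; Handler = $clsid; Target = $server }
    }
}

function Get-UrlProtocolHandlers {
    # Application-registered schemes (the "rtsp:" kind): any HKCR\<scheme> key
    # carrying a "URL Protocol" value. shell\open\command is the program that
    # will be launched with the full URL as an argument.
    Get-ChildItem 'HKCR:\' -ErrorAction SilentlyContinue |
      Where-Object { $_.PSChildName -notmatch '^[.{*]' } |   # skip file extensions and CLSID-style keys
      ForEach-Object {
        $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props -and ($props.PSObject.Properties.Name -contains 'URL Protocol')) {
            $cmd = (Get-ItemProperty "$($_.PSPath)\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Kind = 'UrlProtocol'; Scheme = $_.PSChildName; Handler = 'shell\open\command'; Target = $cmd }
        }
      }
}

# Combine both kinds into one table: Scheme -> the binary that receives the URL.
$handlers = @(Get-PluggableProtocolHandlers) + @(Get-UrlProtocolHandlers)
$handlers | Sort-Object Kind, Scheme | Format-Table -AutoSize
```

Every row whose Target is a program you did not expect to be reachable from a web page is an entry-point worth reviewing or unregistering.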

Protocol-handlers are still an open area for hackers to find vulnerabilities. I'm sure that several more of the protocol-handlers in Windows, Mac OS X, and Firefox have vulnerabilities that can be easily exploited.
