Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: The money: protocol in Internet Explorer
From: secure () MICROSOFT COM (Microsoft Product Security Response Team)
Date: Wed, 22 Dec 1999 09:35:41 -0800


Hi All -

The "money:" protocol was designed to allow Money to integrate with
web-based offerings like MoneyCentral.  It allows Money to be started and
navigated, but is designed to always require user approval via a dialogue
before taking any action.  We believe there's no security issue here, but
are doing a full investigation anyway, just to ensure that this is the case.
Regards,

Secure () microsoft com

-----Original Message-----
From: Richard M. Smith [mailto:smiths () TIAC NET]
Sent: Monday, December 20, 1999 2:13 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: The money: protocol in Internet Explorer

Hello,

Here is an interesting problem that I haven't had
the time to looking into fully.  Maybe someone
else can give it a shot.

If a computer has both Internet Explorer and Microsoft
Money installed on it, Money adds a protocol named "money:" to IE.  If
one goes to the IE address box and types in "money:",
Microsoft Money will start up.  The protocol also works
in a JavaScript window.open call.  This means that Microsoft Money
can be started remotely from a Web site or from an HTML-based
Email message.

Some interesting questions here:

   - Does the money: protocol have any buffer overflow
     errors such that x86 code can be injected into
     Money and then executed?

   - What is the URL format for the money: protocol?
     For example, can one do something like the
     following:

money://transfer?from_acct=myaccount&to_bank=swiss_bank&to_acct_no=12345&amo
unt=10000.00

   - If remote attacks are possible, how can the money:
     protocol be turned off in Web pages and Email
     messages, but still have Microsoft Money work
     properly?

Microsoft was demoing Money 2000 at Comdex, and
I showed the money: protocol in IE to the Microsoft
guy running the demo station.  His eyes got big as
saucers.......:-)

Richard

==========================================
Richard M. Smith
Internet consultant
Email: smiths () tiac net
http://www.tiac.net/users/smiths
==========================================


  By Date           By Thread  

Current thread:
  • Re: The money: protocol in Internet Explorer Microsoft Product Security Response Team (Dec 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]