WASHINGTON, DC. There are a lot of different ways to trick browsers into letting hackers do things that they should not be allowed to do. Some of them have to do with URIs.

In a presentation at Black Hat, security researchers Nathan McFeters and Rob Carter argued that URI exploitation is an area that is still ripe for further analysis and exploitation.

URIs allow browsers to load applications and protocols, for example http:// for web and ftp:// for FTP. Other common URIs are AIM:// for instant messaging and firefoxurl:// for loading a Firefox browser.

McFeters noted that every URI registered on your system can be interacted with by a browser. Application developers commonly create URI hooks into their apps. Sometimes those URI hooks can be used by an attacker to do 'bad' things.

One such application with a URI hook is Google's Picasa photo application. That's where the T-bAG (trust based applet attack) comes in. The attack involves a user clicking on a Picasa URI (Picasa://) that causes a button to be loaded inside of a user's Picasa application. In a nutshell, when the button is clicked, the user's images can be stolen by the attacker.

Carter and McFeters were quick to note that Google has now mostly fixed the URI issue by doing additional URI bounds and validation checks.

McFeters also demonstrated what he called 'Stupid IM Tricks' where, by taking advantage of IM URIs, he could trigger a message to be sent from a victim's machine.

Scary stuff actually that looks dead easy to do, in my opinion.

Overall, McFeters sees URIs as a target-rich environment that affects Windows, Linux and Mac. To make matters even worse, McFeters argued that in many cases there is no need for the URI (which could lead to an exploit) to exist in the first place.

"I don't think there is a real reason why we need protocol handlers; most aren't really useful," McFeters said.
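
To act on the points that every registered URI is reachable from a browser and that many handlers need not exist, an administrator can inventory the handlers on a host. The Python script below is an added example, not code from the presentation or this article. It covers Linux desktops, where an application claims a scheme through an `x-scheme-handler/<scheme>` MimeType in a freedesktop `.desktop` file; the sample entries, the `EXPECTED` allowlist and the function names are constructed for illustration.

```python
from pathlib import Path

# Assumed standard freedesktop application directories; adjust per distribution.
APP_DIRS = ["/usr/share/applications", "~/.local/share/applications"]
EXPECTED = {"http", "https"}  # assumption: schemes this host actually needs

# Constructed sample entries so the audit logic can be exercised offline.
SAMPLE = {
    "browser.desktop": "[Desktop Entry]\nExec=browser %u\n"
                       "MimeType=text/html;x-scheme-handler/http;x-scheme-handler/https;\n",
    "photoapp.desktop": "[Desktop Entry]\nExec=photoapp --open %U\n"
                        "MimeType=image/jpeg;x-scheme-handler/photoapp;\n"
                        "[Desktop Action New]\nExec=photoapp --new\n",
    "chat.desktop": "[Desktop Entry]\nExec=chat %u\nMimeType=x-scheme-handler/chat;\n",
}

def parse_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group only."""
    fields, in_main = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_main = line == "[Desktop Entry]"
        elif in_main and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields

def scheme_handlers(entries):
    """Map each registered URI scheme to [(desktop file, Exec line), ...]."""
    found = {}
    for name, text in entries.items():
        fields = parse_entry(text)
        for mime in fields.get("MimeType", "").split(";"):
            if mime.strip().lower().startswith("x-scheme-handler/"):
                scheme = mime.strip().split("/", 1)[1].lower()
                found.setdefault(scheme, []).append((name, fields.get("Exec", "")))
    return found

def unexpected(handlers, expected=EXPECTED):
    """Schemes registered on the host but absent from the allowlist."""
    return sorted(set(handlers) - set(expected))

def load_entries(dirs=APP_DIRS):
    """Read every .desktop file found in the given directories."""
    files = [p for d in dirs for p in Path(d).expanduser().glob("*.desktop")]
    return {str(p): p.read_text(errors="replace") for p in files}

if __name__ == "__main__":
    handlers = scheme_handlers(load_entries() or SAMPLE)
    for scheme in unexpected(handlers):
        print(scheme, handlers[scheme])
```

Each scheme it reports is a candidate for review: confirm that the application is still needed, and unregister the handler if it is not.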