[This one stunned me. I triple-checked and tested more than I'd
usually test because I can't believe anyone would implement something
so ridiculous. Perhaps I'm just optimistic. Anyhow, moving on:]
\begin{vulnerability}
About a week ago, mIRC 5.6 was released. Amongst other new features,
it includes the following (from the changelog, versions.txt):
40.Added "Track Urls" switch to System menu in Channel/Query windows,
auto-opens websites as they are mentioned in a window.
With the cooperation of an mIRC user (thanks Lindy_!), I found that it
does exactly as it says -- when it's enabled, mIRC happily tells
Netscape (and presumably IE, if that's the Default Browser) to open
any URLs that it sees.
Now, I don't actively pay attention to the various Windows-browser
exploits that appear here, so I suspect the diligent bugtraq reader
will come up with ickier things to do with this than I, but just off
the top of my head:
* linking to /dev/zero and letting the mIRC user's hard drive fill
* Banners, banners, banners.
* Trojan or virus-infected things, especially if the browser
autoexecutes them.
* http://some.host.name:19/
* flood an IRC channel with URLs, causing the browser to try to
load them up sequentially
Anyhow, wide open. Whatever you can put in a URL, mIRC will devotedly
tell your default browser to load up.
\end{vulnerability}
\begin{soapbox}
It's basically reached the point now where any release of mIRC which
isn't a patchlevel increment contains a significant vulnerability,
which is then patched in a patchlevel-increment release between a week
and a month later. That is, 5.5's dcc-server bug brought a quick 5.51,
5.4's $calc bug, 5.3 and hanson.c, and 5.2's "mIRC worm", which takes
us back to the beginning of the bugtraq archive on geek-girl.com.
Looking at versions.txt, it seems that nearly every mIRC release x.x
has been followed up by an x.x1 or x.x2 bugfix within a few weeks of
its release all the way back to 3.92. (Prior to 3.92, the release
schedule seemed to be characteristic of known-beta-quality software; I
recall 3.92 being basically when mIRC hit the "big time", too.)
Obviously, these non-bugfix releases are being consistently released
prematurely. Just take a look at the release dates at
http://www.mircscripts.com/old/ -- something is *certainly* awry.
mIRC is beta-tested by a small, closed group. It's also the most
popular IRC client in the world. History seems to indicate that
whatever testing takes place isn't anywhere near sufficient. Users
are conditioned to rush for the newest release as soon as it's
available. Perhaps the rush to get that release out is being
prioritized, intentionally or accidentally, over making sure that
the program is reasonably secure?
Certainly, no-one's reviewing code; it seems that they're not even
thinking through the implementations of newly-introduced
*concepts*. Perhaps it's time to revise the testing procedures --
drastically, even? -- to catch these problems before letting them
loose on the huge, dedicated userbase?
\end{soapbox}
-Rich
--
Rich Lafferty ---------------------------------------------------------
IITS/Computing Services | "How should I know if it works? That's what
Concordia University | beta testers are for. I only coded it" -LT
richat_private ----------------------------------------[McQ]--
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:48:33 PDT