"Mailto:" and Other URI Threats May Target Everyone


If you've been smirking because of the latest security problems coming out of Redmond, such as the Windows XP+IE7+Adobe Acrobat/Reader threat I discussed last week in Didn't Ask for That PDF File? Watch Out! , it may be time to sober up. According to PCWorld.com on Saturday, URI-handling problems like Mailto: are also likely to exist in Windows' biggest rivals: MacOS X and Linux.

URI 101

So, what's a URI? URI is short for "Uniform Resource Identifier." A URI identifies a point of content on the Internet, such as a web page (also known as a URL), an email address, a Telnet server, and so forth (see this PC Magazine page for a list of the most common URI schemes). Of course, URIs are used inside of web browsers, but email clients, word processing programs used as email editors, Adobe Acrobat and Adobe Reader are just a few of the applications that can interact with the mailto: URI, for example. Until now, Microsoft's attitude has been that applications that interact with URIs should be responsible for checking for threats, but that attitude is changing, as evidenced by last week's security advisory : Microsoft has now decided that it's up to the operating system to keep an eye on applications' use of URIs.

All Will Be Revealed..at ToorCon 9!

So, will Linux and MacOS X be the next under the hammer? Attendees at the ToorCon 9 hacker/security conference in San Diego this week will have front-row seats for the latest word on this topic. The presentation URI Use and Abuse is the place to be to learn about the latest threats to all major players in the operating systems game. If security researchers' suspicions about other operating systems are accurate, it looks as if everyone will be in for a few rounds of software updates.

In the Meantime...

...you know the drill. Hover the mouse over a URL or URI from a suspicious source to find out where it really points to, ignore all those dire warnings from "your bank" or from "eBay" that your account's gone down the tubes unless you click now, and, in general: think before you click .

Around the web