Archive for December, 2007

Monday, December 24th, 2007

Happy Holidays!

Merry Christmas and a Happy New Year to all!

It’s been a while since Billy or I have posted, as we’ve been busy enjoying the holidays, but rest assured, we’re still working hard. 2007 has been a great year for Billy and me; hopefully we can continue the pace in 2008. I know Billy has several posts to catch up on, and I personally can’t wait to see all the details! In the meantime, I thought I’d update everyone on the research I’ve been doing with URI handlers on the Mac operating system.

As some of you know, I recently purchased a brand new MacBook for Christmas. I did some research into how the Mac handles its URI handlers and discovered that URI flaws are not new on the Mac! To my surprise, URI issues have been one of the major plagues of the Mac operating system for some time. The Month of Apple Bugs, from back in January 2007, clearly illustrates several major flaws on the Mac with regard to URI handling. Additionally, Daring Fireball’s site discusses the issue as far back as 2004.

Well, this piqued my curiosity, so I had to take a deeper look. I found an application called RCDefaultApp, developed by Carl E. Lindberg, which gives a graphical representation of URL handlers (amongst other things) on a Mac. Carl was nice enough to write up some command-line code for me to dump out the URL handlers. I had expected to modify it to do exactly what I wanted, but at this time I’ve just been too busy. In the meantime, the current code can be found here.

This code actually led to the discovery of a new URL handling bug on Mac OS X in the most current, fully patched Leopard version. At this time, I’ve notified Apple, and they expect to have a bug fix out in January, so I will release details at that time. Apple has been great in responding to this issue, and I thank them for working with me on it.

Thanks and Merry Christmas!

Posted by xssniper | Filed in Security, Tools, Web Application Security