Ah, its raining in Mountain View today. Well, at least in one building. It turns out that’s there is a a vulnerability in Google Apps that can lead to a local compromise of a users system. Apparently, this can lead to non-privileged code execution.
Um, yeah.
From retrogod:
google apps googleapps.url.mailto:// uri handler cross-browser remote command execution exploit (Internet Explorer)
by nine:situations:group::pyrokinesis
site: http://retrogod.altervista.org/software site: http://pack.google.com/intl/it/pack_installer.html
tested against: Internet Explorer 8, windows xp sp3
Internet Explorer 7, windows xp sp3
Google Chrome 2.0.172.43vulnerability: through the vulnerable googleapps.url.mailto:// deprecated uri handler, registered as follows:
There is a proof of concept on the site as well.
Doesn’t really give folks in Los Angeles a warm and fuzzy one would imagine.