MS08-075: 通过禁用协议处理器减少攻击面

今天微软发布了安全更新MS08-075，修复了Windows Vista和Server 2008中Windows Explorer的一个漏洞，该漏洞通过search-ms协议处理器暴露。这是一个需要用户交互的远程未认证漏洞，因此我们希望为您提供更多关于协议处理器的信息，以及如何通过禁用不打算使用的协议处理器来减少攻击面。

协议处理器快速介绍

协议处理器是扩展Web浏览器功能的一种方式。众所周知的mailto://协议就是一个很好的例子。与熟悉的http://或https://协议不同，mailto://链接会启动您的电子邮件应用程序，并告诉它创建一个发送到特定电子邮件地址的新邮件，还可以选择包含特定主题。

您可以通过检查注册表项HKEY_CLASSES_ROOT\mailto\shell\open\command来查看mailto://协议处理器如何与计算机上的电子邮件应用程序关联。在该注册表项的默认值中，您将看到当您单击mailto://链接或网页在自动检索的URL（如的src值）中引用mailto://时执行的命令行。注册表项中的%1值被替换为://之后的URL其余部分。</p> <p>如果与协议关联的应用程序包含可以通过命令行传递的数据触发的漏洞，这可能是一个严重的攻击向量。恶意网页可以通过在类似<iframe>的src值中放置包含易受攻击协议的URL，在您访问网页时立即将特制数据传递给该应用程序。</p> <p>如果您使用Vista或Server 2008，并且启用了用户账户控制和保护模式Internet Explorer（默认设置），则Internet Explorer 7通过在处理协议处理器之前警告用户来提供对此攻击的保护，显示如下对话框：</p> <h2 id="关于powershell的快速说明">关于PowerShell的快速说明 </h2><p>由于协议处理器在注册表中配置，PowerShell是处理它们的绝佳选择。在本文中，我们提供了几个PowerShell脚本来帮助您处理协议处理器。需要注意的是，默认情况下，PowerShell不允许您运行脚本。</p> <p><strong>警告</strong>：如果您确实修改了执行策略，可能会更容易无意中执行恶意的PowerShell脚本。如果您更改执行策略以运行这些脚本，最安全的选项是在完成后将执行策略恢复为默认的"Restricted"值。</p> <h2 id="如何枚举系统上的所有协议处理器">如何枚举系统上的所有协议处理器 </h2><p>为此，请查找HKEY_CLASSES_ROOT的所有具有名为"URL Protocol"的空字符串值和"shell\open\command"子键结构的子键。以下是我们执行此操作的脚本，并将结果返回到哈希表（名称、值对）中：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="nv">$Results</span> <span class="p">=</span> <span class="vm">@</span><span class="p">{}</span> </span></span><span class="line"><span class="cl"><span class="k">foreach</span> <span class="p">(</span><span class="nv">$Key</span> <span class="k">in</span> <span class="nb">Get-ChildItem</span> <span class="n">Microsoft</span><span class="p">.</span><span class="py">PowerShell</span><span class="p">.</span><span class="n">Core</span><span class="p">\</span><span class="n">Registry</span><span class="p">::</span><span class="n">HKEY_CLASSES_ROOT</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">$Path</span> <span class="p">=</span> <span class="nv">$Key</span><span class="p">.</span><span class="py">PSPath</span> <span class="p">+</span> <span class="s1">'\shell\open\command'</span> </span></span><span class="line"><span class="cl"> <span class="nv">$HasURLProtocol</span> <span class="p">=</span> <span class="nv">$Key</span><span class="p">.</span><span class="py">Property</span> <span class="o">-contains</span> <span class="s1">'URL Protocol'</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">((</span><span class="nv">$HasURLProtocol</span><span class="p">)</span> <span class="o">-and</span> <span class="p">(</span><span class="nb">Test-Path</span> <span class="nv">$Path</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">$CommandKey</span> <span class="p">=</span> <span class="nb">Get-Item</span> <span class="nv">$Path</span> </span></span><span class="line"><span class="cl"> <span class="nv">$Results</span><span class="p">.</span><span class="py">Add</span><span class="p">(</span><span class="nv">$Key</span><span class="p">.</span><span class="py">Name</span><span class="p">.</span><span class="py">SubString</span><span class="p">(</span><span class="nv">$Key</span><span class="p">.</span><span class="py">Name</span><span class="p">.</span><span class="py">IndexOf</span><span class="p">(</span><span class="s1">'\'</span><span class="p">)</span> <span class="p">+</span> <span class="mf">1</span><span class="p">),</span> <span class="nv">$CommandKey</span><span class="p">.</span><span class="py">GetValue</span><span class="p">(</span><span class="s1">''</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="nv">$Results</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="如何启用或禁用协议处理器">如何启用或禁用协议处理器 </h2><p>要禁用协议处理器，我们的PowerShell脚本（附在本文末尾）从注册表项中删除"URL Protocol"字符串，并在其位置放置"Disabled URL Protocol"字符串，这样我们就知道我们有目的地禁用了它。我们还包含了一个脚本来反转此过程，重新启用协议处理器。</p> <h2 id="结论">结论 </h2><p>如果您想减少攻击面（暴露于未来可能存在的漏洞），可以使用这些信息和这些脚本来禁用不需要使用的协议处理器。我们希望这篇文章对保护您的系统有所帮助！</p> <p>Kevin Brown, SVRD Blogger <em>发布内容"按原样"提供，不提供任何担保，也不授予任何权利。</em></p> <p>Protocol Handler Scripts.zip</p> </section> <footer class="article-footer"> <section class="article-tags"> <a href="/tags/%E5%8D%8F%E8%AE%AE%E5%A4%84%E7%90%86%E5%99%A8/">协议处理器</a> <a href="/tags/%E6%BC%8F%E6%B4%9E%E4%BF%AE%E5%A4%8D/">漏洞修复</a> <a href="/tags/powershell%E8%84%9A%E6%9C%AC/">PowerShell脚本</a> <a href="/tags/%E6%B3%A8%E5%86%8C%E8%A1%A8%E5%AE%89%E5%85%A8/">注册表安全</a> </section> <section class="article-copyright"> <svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-copyright" width="24" height="24" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round"> <path stroke="none" d="M0 0h24v24H0z"/> <circle cx="12" cy="12" r="9" /> <path d="M14.5 9a3.5 4 0 1 0 0 6" /> </svg> <span>Licensed under CC BY-NC-SA 4.0</span> </section> </footer> </article> <div class="disqus-container"> <div id="disqus_thread"></div> <script> window.disqus_config = function () { }; (function() { if (["localhost", "127.0.0.1"].indexOf(window.location.hostname) != -1) { document.getElementById('disqus_thread').innerHTML = 'Disqus comments not available by default when the website is previewed locally.'; return; } var d = document, s = d.createElement('script'); s.async = true; s.src = '//' + "hugo-theme-stack" + '.disqus.com/embed.js'; s.setAttribute('data-timestamp', +new Date()); (d.head || d.body).appendChild(s); })(); </script> <noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript> <a href="https://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus</span></a> </div> <style> .disqus-container { background-color: var(--card-background); border-radius: var(--card-border-radius); box-shadow: var(--shadow-l1); padding: var(--card-padding); } </style> <script> window.addEventListener('onColorSchemeChange', (e) => { if (typeof DISQUS == 'object') { DISQUS.reset({ reload: true }); } }) </script> <footer class="site-footer"> <section class="copyright"> © 2020 - 2025 qife </section> <section class="powerby"> 使用 <a href="https://gohugo.io/" target="_blank" rel="noopener">Hugo</a> 构建 <br /> 主题 <b><a href="https://github.com/CaiJimmy/hugo-theme-stack" target="_blank" rel="noopener" data-version="3.30.0">Stack</a></b> 由 <a href="https://jimmycai.com" target="_blank" rel="noopener">Jimmy</a> 设计 <div class="busuanzi-footer"> <span id="busuanzi_container_site_pv"> 本站总访问量<span id="busuanzi_value_site_pv"></span>次 </span> <span id="busuanzi_container_site_uv"> 本站访客数<span id="busuanzi_value_site_uv"></span>人次 </span> </div> </section> </footer> <div class="pswp" tabindex="-1" role="dialog" aria-hidden="true"> <div class="pswp__bg"></div> <div class="pswp__scroll-wrap"> <div class="pswp__container"> <div class="pswp__item"></div> <div class="pswp__item"></div> <div class="pswp__item"></div> </div> <div class="pswp__ui pswp__ui--hidden"> <div class="pswp__top-bar"> <div class="pswp__counter"></div> <button class="pswp__button pswp__button--close" title="Close (Esc)"></button> <button class="pswp__button pswp__button--share" title="Share"></button> <button class="pswp__button pswp__button--fs" title="Toggle fullscreen"></button> <button class="pswp__button pswp__button--zoom" title="Zoom in/out"></button> <div class="pswp__preloader"> <div class="pswp__preloader__icn"> <div class="pswp__preloader__cut"> <div class="pswp__preloader__donut"></div> </div> </div> </div> </div> <div class="pswp__share-modal pswp__share-modal--hidden pswp__single-tap"> <div class="pswp__share-tooltip"></div> </div> <button class="pswp__button pswp__button--arrow--left" title="Previous (arrow left)"> </button> <button class="pswp__button pswp__button--arrow--right" title="Next (arrow right)"> </button> <div class="pswp__caption"> <div class="pswp__caption__center"></div> </div> </div> </div> </div><script src="https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe.min.js"integrity="sha256-ePwmChbbvXbsO02lbM3HoHbSHTHFAeChekF1xKJdleo="crossorigin="anonymous" defer > </script><script src="https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe-ui-default.min.js"integrity="sha256-UKkzOn/w1mBxRmLLGrSeyB4e1xbrp4xylgAWb3M42pU="crossorigin="anonymous" defer > </script><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/default-skin/default-skin.min.css"crossorigin="anonymous" ><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe.min.css"crossorigin="anonymous" > </main> </div> <script src="https://cdn.jsdelivr.net/npm/node-vibrant@3.1.6/dist/vibrant.min.js"integrity="sha256-awcR2jno4kI5X0zL8ex0vi2z+KMkF24hUW8WePSA9HM="crossorigin="anonymous" > </script><script type="text/javascript" src="/ts/main.313ab02d2f8415261a3718a5b3d0e35b62826b81a7f2c46c8122082f4cba0bcf.js" defer></script> <script> (function () { const customFont = document.createElement('link'); customFont.href = "https://fonts.googleapis.com/css2?family=Lato:wght@300;400;700&display=swap"; customFont.type = "text/css"; customFont.rel = "stylesheet"; document.head.appendChild(customFont); }()); </script> </body> </html>

通过禁用协议处理器减少攻击面：MS08-075漏洞解析

本文详细解析了Windows Vista和Server 2008中的search-ms协议处理器漏洞(MS08-075)，介绍了协议处理器的工作原理、攻击向量以及如何使用PowerShell脚本枚举和禁用不必要的协议处理器来降低系统攻击面。

MS08-075: 通过禁用协议处理器减少攻击面

协议处理器快速介绍