Slashdot Mirror


MSN, Word Vulnerable To Shell: URI Exploit

LnxAddct writes "InfoWorld is reporting that a few Microsoft products are also vulnerable to the "shell:" scheme vulnerability found in Mozilla last week. These applications include Microsoft Word and MSN Messenger."

392 comments

  1. Fixed in SR2? by djtripp · · Score: 3, Funny

    Well at least Mozilla will fix theirs...

    --
    "This is you left and that's your left. This is your right and that's your right. You're gonna die!
    1. Re:Fixed in SR2? by ROOK*CA · · Score: 4, Funny

      Mozilla already fixed this vulnerability (Mozilla 1.7.1 & FireFox 0.92); took what, 3 or 4 days after it was discovered?

      Microsoft will surely fix this in no more than 2 "Microsoft" Days which is around 6 months for the rest of Earth's population.

    2. Re:Fixed in SR2? by afidel · · Score: 4, Informative

      More like 2 years. The original bug relating to handing off unhandled URIs to the OS goes back that far. It kept getting marked as "will not fix" because it was a stupid architectural decision that some of the guys at Netscape made. The decision was made recently to switch from a blacklist system to a whitelist system. This happened to coincide with lots of people switching to FireFox for security reasons and all of a sudden there was a patch to change the default behavior.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    3. Re:Fixed in SR2? by Anonymous Coward · · Score: 1, Funny

      The article title should be changed to "Microsoft products also vulnerable to Microsoft flaw"

    4. Re:Fixed in SR2? by ROOK*CA · · Score: 1, Interesting

      Thanks for the correction guys, very informative as well....

      I guess it would be more accurate to say that Mozilla corrected the vulnerability quickly after it was WIDELY publicized.

      Just goes to show ya the Bugzilla scholars DO add value ;-) ...

    5. Re:Fixed in SR2? by prockcore · · Score: 4, Interesting

      The original bug relating to handing off unhandled URIs to the OS goes back that far. It kept getting marked as "will not fix" because it was a stupid architectural decision that some of the guys at Netscape made.

      It was hardly a stupid decision. Passing unhandled URIs to the OS is a perfectly acceptable thing to do. Unless you think that handling things like ed2k: URIs and other yet-to-be-invented URIs is a bad thing.

      Perhaps the URI handler built into the OS needs a local versus foreign flag..

    6. Re:Fixed in SR2? by TheVidiot · · Score: 1


      If only Firefox would stop with the exclamation mark that wants me to 'update' my Firefox 0.9.2 to version 0.9...

      I'd feel better!

    7. Re:Fixed in SR2? by Anonymous Coward · · Score: 1, Interesting

      Jesus, would you stop quoting that fucking bug report. When it came out as a security exploit, they fixed it within a few days. Whoopdeshit, the bug report was filed in 2002 when it was a concept and not a bug. Dipshit

    8. Re:Fixed in SR2? by LO0G · · Score: 2, Insightful

      Right now, the Microsoft bug's a concept, not a bug.

      So you're saying that it's ok for Microsoft to wait two years to fix it?

      I didn't think so.

    9. Re:Fixed in SR2? by GarfBond · · Score: 1

      It kept getting marked as "wontfix" because there wasn't a reason to fix it yet. There was no demonstrable exploit; back in 2002 it could be described as an 'academic discussion.' Of course it turns out they were right on the money, but when that happened it only took a day to fix too.

    10. Re:Fixed in SR2? by Anonymous Coward · · Score: 0

      It is thinking like this that leads to the gaping security hole that is Windows.

    11. Re:Fixed in SR2? by CaptainABAB · · Score: 1
      http://www.eweek.com/article2/0,1759,1622074,00.asp

      "In discussions with representatives of the Mozilla Foundation, they conceded this indeed was a bug and didn't try to foist the blame on to Microsoft. And that's because they know what's usually perfectly obvious: that browsers are supposed to look suspiciously at content and try to protect the user. There's little to be gained by a defense that it's Windows fault, not when you wrote the application to tell Windows to run whatever content comes up.

      ...

      But even IE in Windows XP SP1 behaves more reasonably. Its behavior is identical to that of a straight href of the program file. The user is asked if they want to save or open the file and are given a clear warning that the program could be hazardous.

      How did Microsoft get Internet Explorer to do this? It actually looks as if IE just stripped the 'shell:' from the link and treated it like a regular href. This is an interesting thought, still the important point here is that Microsoft didn't just take a program name and tell Windows to execute it. "

    12. Re:Fixed in SR2? by Anonymous Coward · · Score: 0

      Of course, that also means that Microsoft knew about the problem for 2 years as well. Remember, this is only a problem because Microsoft isn't handling shell: correctly.

      Not Invented Here has been in full swing at Microsoft for far, far too long. SP2 getting delayed to August is just the tip of the iceberg due to the mess they're trying to clean up.

      The Microserf workload just got increased. Poor serfs.

    13. Re:Fixed in SR2? by Anonymous Coward · · Score: 0

      So what you're saying is that it's taken at least 2 years (and counting) for Microsoft to fix the shell: URI handler, despite having multiple exploits?

      Yes, I agree!

      Microsoft keeps patching the various ways to invoke it incorrectly due to their pathetic clinging to zones as an effective security mechanism. XP is a leaky ship and conceptually they've kept deciding to shove off and jury-rig plug the holes as they go along. They need to put the damn thing in dry dock and fix the hull or else, sooner or later, the people running XP are going to drown.

    14. Re:Fixed in SR2? by Ponkinator · · Score: 1

      Actually it isn't a Mozilla bug but rather an OS bug. Even so, people started switching from IE to Firefox and now they should start switching from MS Office to OpenOffice. As long as they're going to do that, they might as well make the transformation complete and switch to Linux.

    15. Re:Fixed in SR2? by Mr_Silver · · Score: 1
      It was hardly a stupid decision. Passing unhandled URIs to the OS is a perfectly acceptable thing to do. Unless you think that handling things like ed2k: URIs and other yet-to-be-invented URIs is a bad thing.

      Passing unhandled URIs to the OS is fine as long as you give the user the opportunity to allow this to happen and maintain a list of those which the user agrees can be handled this way.

      Perhaps the URI handler built into the OS needs a local versus foreign flag.

      Alternatively, it would be a lot faster if you just implemented whitelisting in Firefox. Which is what I think they are planning on doing.

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
    16. Re:Fixed in SR2? by FictionPimp · · Score: 1
      How did Microsoft get Internet Explorer to do this? It actually looks as if IE just stripped the 'shell:' from the link and treated it like a regular href. This is an interesting thought, still the important point here is that Microsoft didn't just take a program name and tell Windows to execute it. "

      That should have this added onto the end:

      Why didn't Microsoft fix the problem instead of work around it in IE? Well, by not fixing the actual issue they could help make their own software look better than 3rd party vendors. Although this tactic backfired when some programs (MS Word) forgot to use this workaround.

  2. indiana jones quote by Jrod5000+at+RPI · · Score: 3, Funny

    Intelligence Guy: "We have top men working on it right now."
    Indy: "Who?"
    Intelligence Guy: "Top... Men..."

  3. Haha by mboverload · · Score: 2, Funny
    Looks like Microsoft has been copying some source

    =P

    1. Re:Haha by IoN_PuLse · · Score: 5, Informative

      Actually, it was their source that was the root of the problem in the first place. The whole "shell" thing is only in windows, unfortunately the article titles lead people to believe that it is a problem with Mozilla across all platforms, when in reality it only affects those running on a Windows platform.

    2. Re:Haha by Chiisu · · Score: 1

      been watching Antitrust? ;)

  4. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  5. My mind is spinning by tentimestwenty · · Score: 1, Funny

    Aren't we over our bugs-o-the-day limit?

    1. Re:My mind is spinning by DeepHurtn! · · Score: 2, Funny

      MS Bugs: They're the New SCO.

  6. Open Source vs. Microsoft by ZZeta · · Score: 4, Insightful

    Well now, let's see how long it takes for their patch to come out.

    1. Re:Open Source vs. Microsoft by Anonymous Coward · · Score: 3, Funny

      Well now, let's see how long it takes for their patch to come out.

      Not as fast as the FUD they'll put out.

    2. Re:Open Source vs. Microsoft by LostCluster · · Score: 3, Insightful

      Well, what Microsoft users have shown time and time again is even when the patch does come out, it's often not applied on many machines.

    3. Re:Open Source vs. Microsoft by Anonymous Coward · · Score: 0

      Well, it was reported against Mozilla about two years ago, so I guess if Microsoft fixes it before 2006 they would be more responsive than the Mozilla folks, yes?

    4. Re:Open Source vs. Microsoft by Pharmboy · · Score: 1

      It's not a bug, it's a feature. Besides, it's more FUD than fact. As long as the offending packet has the Evil Bit set, then there is no chance that any Microsoft software can be exploited. As for Linux, I am not aware of any kernel patches that can utilize filtering by Evil Bit, although I am sure the BSD crowd has already addressed this issue.

      --
      Tequila: It's not just for breakfast anymore!
    5. Re:Open Source vs. Microsoft by Anonymous Coward · · Score: 0

      And we ALL know that if Linux were on 95% of the desktops users would ALWAYS keep their machines up to date with the latest patches.

      Let's face it - the reason most Linux boxes stay updated is because we're geeks who check for that sort of thing. Ma & Pa Kettle tend to forget little things like that. It's why I set my parents XP box to auto-update.

    6. Re:Open Source vs. Microsoft by KarmaMB84 · · Score: 1

      Let's see if they patch ALL supported versions or just the latest versions.

  7. Word 2004 for OSX Safe? by artlu · · Score: 4, Interesting

    Anyone know if Word 2004 for OSX is safe from the URI exploit? I know that the macs have been having trouble with the URI exploit over the past few months based on some articles I've read at macslash.
    Aj

    GroupShares Inc. - A Free and Interactive Stock Market Community

    --
    -------
    artlu.net
    1. Re:Word 2004 for OSX Safe? by afidel · · Score: 4, Insightful

      Well since the Mozilla URI exploit was specific to XP I would imagine that these exploits would likewise be limited to a vulnerable OS.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:Word 2004 for OSX Safe? by Alex+Brasetvik · · Score: 5, Informative

      Mac OS X's Safari had a very similar flaw, where one could use disk:// to mount a disk image, which could execute whatever it wanted to.

      That flaw was fixed with the 2004-06-07 security update.

    3. Re:Word 2004 for OSX Safe? by Alex+Brasetvik · · Score: 1

      Sorry for being inaccurate first.

      It wasn't really Safari being exploitable, but "LaunchServices":

      Impact: LaunchServices automatically registers applications, which could be used to cause the system to run unexpected applications.

      The flaw basically worked the same way as the shell://-exploit -- making the OS decide what to do with the protocol.

    4. Re:Word 2004 for OSX Safe? by afidel · · Score: 1

      Troll? Wow, posting correct information is now considered trolling. I really hope someone nails that idiot in metamod.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    5. Re:Word 2004 for OSX Safe? by argent · · Score: 2, Interesting

      The problem in Mac OS X wasn't fixed. Only the particular symptom of it that produced the disk: and help: vulnerabilities. The underlying design flaw, that of having a single set of protocol and application bindings for both trusted and untrusted objects, still exists in both Windows and Mac OS X.

      This has been the biggest continuing problem with Windows security for most of the past decade, and I'm sick of it.

    6. Re:Word 2004 for OSX Safe? by Anonymous Coward · · Score: 0

      Furthermore, it is still an open question whether the KDE/Gnome equivalent of "LaunchServices" is vulnerable or not. People are too busy bashing Windows to say one way or another.

    7. Re:Word 2004 for OSX Safe? by argent · · Score: 4, Insightful

      A URI exploit in Word is a relatively minor issue, so long as Word contains a macro language that can execute arbitrary code. It's kind of like worrying about whether you left the stove on when you're fleeing because there's a cruise missile targeting your home.

    8. Re:Word 2004 for OSX Safe? by System.out.println() · · Score: 4, Informative

      That's not quite accurate. The disk:// protocol was a part of the exploit, but that protocol did not allow a website to run anything - only to auto-mount a disk or disk image.

      The real threat was the fact that programs could auto-register a new protocol that would be "handled" by a program contained within said disk image. Linking to exploit:// (as an example) would then launch the program that had registered itself as the handler for the made-up protocol. Thus, clicking on a link would run the program.

      In any case, that Security Update did indeed fix it by asking the user the first time a new protocol's handler was added.

    9. Re:Word 2004 for OSX Safe? by Anonymous Coward · · Score: 0
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.

      What, I'm supposed to wait to use the jury box until after everyone has made a speech and after all voting is done? Elections are more important than juries? "Use in that order" sounds cool, but it doesn't really fit here, does it?

      Let me guess - you thought up this sig yourself...

    10. Re:Word 2004 for OSX Safe? by (negative+video) · · Score: 1
      A URI exploit in Word is a relatively minor issue, so long as Word contains a macro language that can execute arbitrary code.
      You can tell Word "No, fool, don't execute macros in this random document I just downloaded off the Interweb."

      You cannot tell it to not follow URIs for embedded images and such.

    11. Re:Word 2004 for OSX Safe? by argent · · Score: 1

      What's the difference between a dialog that says "do you want to execute macros" and a dialog that says "do you want to follow this link"?

      I'll tell you, if you tell it you don't want to execute macros you can't even *see* the macros to tell if they're safe or not, so you still have to take them on faith.

    12. Re:Word 2004 for OSX Safe? by spitzak · · Score: 4, Insightful

      This is not really accurate. The Mac had a unique exploit, in that something a url did would "register" a new protocol handler. The page could then send a request for that protocol and it could execute arbitrary code supplied by the page. The second step is equivalent to the shell exploit, but without the first part it is limited to executing code already installed on the system (not that this is good, but it does not seem as bad...)

      On Windows I don't believe you can register a new protocol unless you actually execute a program. If there was a bug that allowed new protocols to be registered it would pretty much mean it is a bug that allowed arbitrary code to be executed, which would be a huge hole whether or not protocols could be registered.

    13. Re:Word 2004 for OSX Safe? by Halfbaked+Plan · · Score: 1

      Being able to automount a disk image can be a very useful exploit, though. Mount it over /usr or /usr/local and you've done something very powerful.

      --
      resigned
    14. Re:Word 2004 for OSX Safe? by argent · · Score: 2, Insightful

      The Mac had a unique exploit, in that something a url did would "register" a new protocol handler.

      That's the first I've heard of it.

      The disk: URL would map an internet enabled disk image into the file system in a known place, and a following file: URL would execute code from the disk. This is the same kind of privilege escalation as on the Windows exploit that involved knowing the name of the temporary file that a web page or mail message was stored in, and then providing a file: URL that would load it with local privileges.

      The fundamental problem is that the application, Safari or Internet Explorer, automatically uses all protocol handlers or helper apps anyone has registered, instead of only using those that have been marked (by being registered with the application, or by being registered with a special flag) as 'internet safe', and handling pages itself in a sandbox rather than handing them off to a more gullible application.

      There are just so many exploits, no matter what the details, that depend on this charmingly naive "security model" that it should have gone on the junkheap long since.

    15. Re:Word 2004 for OSX Safe? by System.out.println() · · Score: 1

      Your nickname is surprisingly accurate. :)
      I'm pretty sure you can only mount a disk to the default /Volumes/ directory. ...or used to be able to. The Security update closed that protocol completely.

    16. Re:Word 2004 for OSX Safe? by Biogenesis · · Score: 1

      Which is really good for bored hackers like me with too much time. Now, I've gotta install that dish to log into that "default" wifi network with a D-Link MAC I detected last night...

    17. Re:Word 2004 for OSX Safe? by Anonymous Coward · · Score: 0

      The disk: URL would map an internet enabled disk image into the file system in a known place, and a following file: URL would execute code from the disk.

      You are mistaken. file: URLs have never been able to execute code on Mac OS X. The applescript: URL did (in Help Viewer), and the later exploit involving automatic protocol handler registration did not depend at all on prescribing the path name of the executable.

    18. Re:Word 2004 for OSX Safe? by Anonymous Coward · · Score: 0

      The trick was to register a bogus protocol handler with the mounted disk -- "foo:" instead of "file:". This did allow remote code execution.

    19. Re:Word 2004 for OSX Safe? by IamTheRealMike · · Score: 1
      However iirc the file:/// scheme still works, so you don't actually gain anything. You can still open arbitrary files, meaning that if you can find a buffer overflow in any OS X system applications you can escape the browser sandbox.

      It's for that reason that Mozilla salts the profile directory.

    20. Re:Word 2004 for OSX Safe? by System.out.println() · · Score: 1

      file:// only opens the file in the Finder, it can't be used to run anything from what I can tell.

    21. Re:Word 2004 for OSX Safe? by argent · · Score: 1

      file: URLs have never been able to execute code on Mac OS X

      I just fed file:/path/to//executable.app to LaunchServices on a 10.3.4 without the latest security patch[1] and it worked.

      In any case, the details of how this particular exploit used insecure protocol handlers to trick the system into executing code is not as important as the fact that Mac OS X was (and still is) using a single set of application bindings for both local applications (including system software) and remote untrusted documents. THAT is the core problem, the one that has been dogging Microsoft for almost a decade. I hope Apple doesn't take as long to wise up.

      [1] I don't have the latest patch applied because it breaks Paranoid Android, and Paranoid Android is a better solution because it allows me to control what protocols I allow, rather than just disabling the ones that problems have been discovered in.

    22. Re:Word 2004 for OSX Safe? by spitzak · · Score: 1

      No, in fact the Mac bug really was getting a new protocol handler installed. The "disk image" would contain a program that had as a resource an indicator that "I handle the foo: protocol". Just seeing this disk image would cause Mac to remember that "if I see foo:, run the program on the disk". Then the malicious page would send a foo: request and get the code on their disk image executed.

      Being able to run an arbitrary thing by filename is such an obvious hole that they plugged that long ago. But this uses the protocol to get around it.

  8. Re:Goes to show... by Frizzle+Fry · · Score: 4, Informative

    The article is short on details. Does this really work on xp sp2? I know that xp sp2 protected against the Mozilla exploit, so I would imagine the same is true here. Which would make your claim that these sorts of things are only fixed "in the open source world" seem pretty specious.

    --
    I'd rather be lucky than good.
  9. MSN and Word? by Anonymous Coward · · Score: 1, Funny

    Fortunate that I don't have them then! :)

  10. Quite a coincidence by cookie_cutter · · Score: 3, Funny
    How obscure is this bug?

    If it's non-obvious and contrived, is it reasonable to assume that Microsoft could be lifting, or at least peeking at, code from the mozilla project and replicating it in their own browser?

    Naw; if that were true, IE wouldn't suck so much.

    1. Re:Quite a coincidence by LostCluster · · Score: 4, Informative

      It's not as much a bug but a dumb feature.

      shell:[program-name] is supposed to be a URI syntax for running any given program on the computer. Of course, this is a slightly dangerous thing to have available for any given document to trigger unannounced, but it is a rather useful feature to have if somebody wants to tell everybody on a company network how to run a program that was just installed.

    2. Re:Quite a coincidence by Platinum+Dragon · · Score: 3, Informative

      It's not reasonable at all, if I understand the nature of the shell: exploit in Mozilla.

      shell: is handled by Windows itself. The browser simply passed the URI on to be dealt with, as Microsoft programmers intended.

      Although there were concerns about allowing the browser to hand off unrecognized URIs to the underlying operating system two years ago, this particular exploit was recognized and patched within a day, by preventing Mozilla from passing shell: stuff on.

      Basically, it's an exploitable Windows function that could be accessed through Mozilla and other programs written to allow such things.

      Another successful shot in the foot from Redmond.

      --

      Someday, you're going to die. Get over it.
    3. Re:Quite a coincidence by StrongAxe · · Score: 1

      If it's non-obvious and contrived, is it reasonable to assume that Microsoft could be lifting, or at least peeking at, code from the mozilla project and replicating it in their own browser?

      Naw; if that were true, IE wouldn't suck so much.


      That is only true if they are lifting good code fragments. However, the very fact that it has this bug puts that assumption into question.

    4. Re:Quite a coincidence by mldl · · Score: 1

      The mozilla code fix amounts to: if (URI == "shell") nsJustSayNo(); There isn't much to steal. However that's only the temporary fix of "destroying the keys", I'm sure destroying the lock is far more difficult.

    5. Re:Quite a coincidence by TrancePhreak · · Score: 1

      Yeah, I'm sure that Moz code will work in IE without having to hack it together at all.... Or not.

      --

      -]Phreak Out[-
    6. Re:Quite a coincidence by IoN_PuLse · · Score: 1

      Like VBScript in Word, where macro-viruses sprung from.

    7. Re:Quite a coincidence by makomk · · Score: 1
      Although there were concerns about allowing the browser to hand off unrecognized URIs to the underlying operating system two years ago, this particular exploit was recognized and patched within a day, by preventing Mozilla from passing shell: stuff on.

      Actually, it's even better than that. In Mozilla, the URI type blacklist is user-configurable, so adding another protocol to the blacklist is as easy as adding a line to the configuration file. AFAIK, Microsoft'll have to modify the actual programs to get the same effect. Really, there should be a system-wide blacklist (or possibly flags in the URI handlers' registry entries) of URI types that untrusted pages shouldn't be allowed to use, though.
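
      As an added example (not code from this thread, from Mozilla or from Microsoft) of the blacklist-versus-whitelist point afidel and makomk raise, the "local versus foreign" / "internet safe" flag prockcore, Mr_Silver and argent ask for, and the auto-registered-handler case from the Mac discussion, here is a toy Python dispatcher for the "hand unhandled URIs to the OS" design. Handler, Dispatcher, the sample handler table and every command string are hypothetical; only the shell:windows\explorer.exe URI shape is taken from the thread.

```python
# Added example, not code from the Slashdot thread, Mozilla or Microsoft.
# Toy model of the "unhandled URI goes to the OS" design the thread argues
# about.  Handler, Dispatcher, the sample handler table and every command
# string are hypothetical; only the shell: URI shape comes from the thread.
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

SCHEME_RE = re.compile(r"\s*([A-Za-z][A-Za-z0-9+.\-]*):")


def parse_scheme(uri: str) -> Optional[str]:
    """Lower-cased RFC 3986 scheme of `uri`, or None if there is none.
    Leading whitespace is skipped, as browsers do when normalising links."""
    m = SCHEME_RE.match(uri)
    return m.group(1).lower() if m else None


def naive_blacklist_allows(uri: str, blocked: Iterable[str] = ("shell:",)) -> bool:
    """The hurried fix as a literal prefix check.  It stops the sample exploit
    URI but not trivial variants (upper case, leading whitespace), which is why
    a blacklist keeps needing one more entry."""
    return not any(uri.startswith(b) for b in blocked)


@dataclass(frozen=True)
class Handler:
    scheme: str
    command: str          # what the OS would run for this scheme (hypothetical)
    internet_safe: bool   # the "local versus foreign" flag the thread asks for


class Dispatcher:
    """Whitelist model: untrusted content (web page, IM, document) may only
    trigger schemes that are both on the exposed list and marked internet-safe.
    Trusted (local) callers may use any registered handler."""

    def __init__(self, handlers: Iterable[Handler], exposed: Iterable[str]):
        self.handlers: Dict[str, Handler] = {h.scheme.lower(): h for h in handlers}
        self.exposed = {s.lower() for s in exposed}

    def register(self, handler: Handler, trusted_source: bool) -> None:
        """Registration initiated by untrusted content (the LaunchServices
        auto-register case discussed in the thread) is refused outright."""
        if not trusted_source:
            raise PermissionError(f"refusing to register {handler.scheme}: from untrusted content")
        self.handlers[handler.scheme.lower()] = handler

    def dispatch(self, uri: str, from_untrusted: bool = True) -> Tuple[str, str]:
        """Return ("run", command) or ("reject", reason)."""
        scheme = parse_scheme(uri)
        if scheme is None:
            return ("reject", "no scheme")
        handler = self.handlers.get(scheme)
        if handler is None:
            return ("reject", f"no handler for {scheme}:")
        if from_untrusted and (scheme not in self.exposed or not handler.internet_safe):
            return ("reject", f"{scheme}: not exposed to untrusted content")
        return ("run", handler.command)


def build_demo_dispatcher() -> Dispatcher:
    """Sample handler table, constructed for this example."""
    return Dispatcher(
        handlers=[
            Handler("http", "browser", internet_safe=True),
            Handler("https", "browser", internet_safe=True),
            Handler("mailto", "mail-client", internet_safe=True),
            Handler("shell", "explorer-shell-folder", internet_safe=False),
        ],
        exposed=("http", "https", "mailto"),
    )


if __name__ == "__main__":
    d = build_demo_dispatcher()
    for uri in (r"shell:windows\explorer.exe", r"SHELL:windows\explorer.exe",
                r" shell:windows\explorer.exe", "https://example.com/", "ed2k://x"):
        print(f"{uri!r:34} blacklist allows={naive_blacklist_allows(uri)!s:5} "
              f"whitelist={d.dispatch(uri)}")
```

      The prefix blacklist blocks only the exact string from the exploit page; the same URI in upper case or with a leading space walks straight past it, while the whitelist rejects all three because shell: is neither exposed nor flagged internet-safe. A local, trusted caller can still use shell:, which is the company-intranet use LostCluster describes, and a scheme nobody has registered (ed2k:) is simply refused rather than handed blindly to the OS.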

  11. Already fixed? by Marxist+Hacker+42 · · Score: 4, Informative

    I just tried it in Microsoft Word 2002, with XP SP1 and all of the approved hotfixes for my agency, and it restricted it just fine- wouldn't even recognize it as a hotlink.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    1. Re:Already fixed? by ttldkns · · Score: 1

      nah, you see, what you have to do is go insert>hyperlink and paste something like shell:c:\windows\explorer.exe in the hyperlink box and then click ok. It will then pass the unknown protocol off to windows like mozilla did and windows will answer. Only works on Windows NT, 2000, and XP though.

      --
      How many computers are too many?
    2. Re:Already fixed? by Marxist+Hacker+42 · · Score: 1

      I get "Cannot Find shell:c:\windows\explorer.exe". And yes, I doublechecked Explorer.exe's location. The fact that the error message is including "shell:" tells me that it's simply not interpreting the protocol correctly in Word 2002, XP SP1. Might work in Office 2000 though, or some other version, YMMV. Of course, the State of Oregon is too cash poor to provide contractors with Office 2003.....

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    3. Re:Already fixed? by jesser · · Score: 4, Informative

      You're using the wrong URL. It's

      shell:windows\explorer.exe

      --
      The shareholder is always right.
    4. Re:Already fixed? by Anonymous Coward · · Score: 0

      It doesn't work in 2003. It a) warns that opening hyperlinks is unsafe yadda yadda Yes or No
      then b) says the folder shell:c:\winnt\explorer.exe doesn't exist

    5. Re:Already fixed? by ad0gg · · Score: 1
      Tried both in messenger and word.

      Word popped up a warning but ran explorer after I clicked OK.

      Messenger asked if I wanted to download explorer.exe with a big warning saying files could contain viruses and be harmful.

      What was the exploit again?

      --

      Have you ever been to a turkish prison?

    6. Re:Already fixed? by mlk · · Score: 1

      Just tried in Win2k with Word 2K (both almost fully patched)
      shell:c:\winnt\explorer.exe
      shell:windows\explorer.exe
      shell:winnt\explorer.exe
      shell:explorer.exe
      all don't work.

      --
      Wow, I should not post when knackered.
    7. Re:Already fixed? by Anonymous Coward · · Score: 0

      Exploit works in Word 2000 (9.0.6926 SP-3) on WinXP SP1 with full patches but not in OpenOffice 1.1.1. ;-)

    8. Re:Already fixed? by pep11 · · Score: 1

      did you try c:\Program files\Internet Explorer\IEXPLORE.EXE ?? on win2k with word 2k I have a warning but it launches IE. I wonder if it works with a samba fs \\something.exe ??

    9. Re:Already fixed? by Anonymous Coward · · Score: 0

      You're using the wrong URL. It's

      shell:windows\explorer.exe


      I just tried that in Firefox, and it resolved to www.shell.com. Just goes to show that big business has been in on this since the very start. Time to vote Bush out of Office.

    10. Re:Already fixed? by Marxist+Hacker+42 · · Score: 1

      Ok, yes, that worked where including the drive letter didn't.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    11. Re:Already fixed? by Marxist+Hacker+42 · · Score: 1

      Popped up the warning AFTER I removed the drive letter and tried a straight shell:windows\explorer.exe . But a warning AND a ctrl-click? Not a very strong exploit at all.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    12. Re:Already fixed? by Marxist+Hacker+42 · · Score: 1

      Hmm- Word 2002 and XPSP1 did the shell:windows\explorer.exe after a warning- but the warning WAS there.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    13. Re:Already fixed? by mlk · · Score: 1

      That does not work for me either.

      Bah, I'm upset now :'(

      --
      Wow, I should not post when knackered.
  12. Can only allow programs to be run... by NightWulf · · Score: 4, Interesting

    According to the article "Malicious hackers could launch programs associated with specific extensions using links embedded in Word documents or instant messages sent using MSN. However, the vulnerability does not allow attackers to pass instructions to the programs..." Now call me crazy, and I know I'll probably piss off the microsoft hating people here, but what harm is there really? What's some "hacker" gonna do, open up Acdsee and show my porn collection to well...me? Maybe pop open a few dozen IE windows or programs to force me to reboot? If there's nothing else being transferred it's really just more of a nuisance than something major. Or am I just reading this wrong?

    1. Re:Can only allow programs to be run... by mibus · · Score: 1

      If nothing else they can hang your machine... the original exploit contains a DoS example.

      Also, some apps aren't so friendly - wouldn't it be funny if there was a reboot.exe... ;-)

    2. Re:Can only allow programs to be run... by sbszine · · Score: 1, Insightful

      Maybe they could delete your hard drive, or open ports to let something really nasty in, or use your email client to send spam. Depending on what it can pass to the shell, this could be very nasty indeed.

      --

      Vino, gyno, and techno -Bruce Sterling

    3. Re:Can only allow programs to be run... by MisanthropicProgram · · Score: 1

      I don't know. MS, in their quest to make things user friendly, has allowed some very insecure things in their OS. I don't know of any, but I'm sure some hacker who knows every little in and out of all of MS's products could do some serious damage.

    4. Re:Can only allow programs to be run... by Platinum+Dragon · · Score: 1

      However, the vulnerability does not allow attackers to pass instructions to the programs..." Now call me crazy, and I know i'll probably piss off the microsoft hating people here, but what harm is there really?

      Malicious web site quietly downloads executable that is the Son of Back Orifice, in a way similar to how your favourite spyware and malware installs itself.

      Malicious website contains shell: URI referencing location of said executable, which does not require arguments to start.

      Victim is tricked into clicking on dangerous link, or .exe is automatically executed via a script that passes a shell: URI.

      Pwn3d!!1!!1!11!!!11

      This is just off the top of my head--I'm sure someone more knowledgeable about Windows exploits could have great fun with this.

      --

      Someday, you're going to die. Get over it.
    5. Re:Can only allow programs to be run... by Lord+Bitman · · Score: 2, Funny

      You don't?

      --
      -- 'The' Lord and Master Bitman On High, Master Of All
    6. Re:Can only allow programs to be run... by mr_burns · · Score: 1

      how about a worm or virus spreads for a few months and lies dormant so nobody notices, nobody issues AV patches, then the attacker(s) use this URI exploit to trigger the nasty payload in one swell 15 minute swoop.

      Instead of having code in there that waits till a certain time to activate (which could be detected by a host based IDS) or needs to download another component from rooted server x (that could be blocked at the router or local firewall level) there would be nothing wrong, and then suddenly all over the globe everything is wrong.

      pretty nasty

      --
      "Let him go, Ralph. He knows what he's doing." --Otto Mann (simpsons)
    7. Re:Can only allow programs to be run... by Anonymous Coward · · Score: 0

      well... obviously, it will try to fetch and install an open mail relay, and spyware to keystroke log your session and swipe your passwords, cookies, and contact lists for further hacking.

      also, if you have a fast connection, you will be hijacked and used to post spam and other illegal things using your login and ip address.

      you may have to argue pretty hard about how stupid you are if you don't want to be liable for those sort of things

    8. Re:Can only allow programs to be run... by TiggertheMad · · Score: 2, Interesting

      The article is rather vague on this point. They could mean that Hackers cannot pass command line parameters to the programs, which would probably make the bug more of a nuisance. OTOH, they could mean that once started, they cannot interface with the text window/GUI. This would be a big deal to me, because as I mentioned, it might allow them to pass command line parameters when starting it.

      For example, FORMAT c: \Y or something similar to bypass the fail-safe that the FORMAT command had?

      --

      HA! I just wasted some of your bandwidth with a frivolous sig!
    9. Re:Can only allow programs to be run... by netsharc · · Score: 1

      Trying to format the system drive from inside Windows would bring the error message "Cannot format, drive in use." (or something similar) Go ahead, try it. ;)

      --
      What time is it/will be over there? Check with my iPhone app!
    10. Re:Can only allow programs to be run... by TrancePhreak · · Score: 3, Informative

      Considering it doesn't allow you to pass parameters as mentioned by the article, all of that would be very hard to accomplish.

      --

      -]Phreak Out[-
    11. Re:Can only allow programs to be run... by Tatarize · · Score: 1

      Yeah, you gotta hit them with a deltree.

      --

      It is no longer uncommon to be uncommon.
    12. Re:Can only allow programs to be run... by Anonymous Coward · · Score: 0

      for now, until someone figures out a way to do that.
      it wont take long either

    13. Re:Can only allow programs to be run... by Anonymous Coward · · Score: 0

      Which OS are you running?

    14. Re:Can only allow programs to be run... by Anonymous Coward · · Score: 0

      how about a worm or virus spreads for a few months and lies dormant so nobody notices, nobody issues AV patches, then the attacker(s) use this URI exploit to trigger the nasty payload in one swell 15 minute swoop.

      We're lucky. Virus/worm writers are too lazy to wait for a payday. Damn kiddies want the payday now - and what do they have ---- nothing, they DOS Yahoo! or MSN... BFD.

      Once a virus or worm actually does something besides POC I will worry about them, until then, fix the exploit then move on. Please stop with the doomsday Mr. Bush.

    15. Re:Can only allow programs to be run... by TiggertheMad · · Score: 1

      True, but I was only using that as an example of potential BADTHINGS(tm) that could happen if parameters could be passed. Even if it would execute, FORMAT still has the fail-safe steps to make sure that you don't accidentally nuke yourself.

      Would rm -rf have been better? (It's been awhile, that syntax may be slightly off...)

      --

      HA! I just wasted some of your bandwidth with a frivolous sig!
    16. Re:Can only allow programs to be run... by Pikhq · · Score: 0

      shutdown -r

      --
      echo "rm -rf ~/* ; echo "echo "Exit" ; exit" > ~/.bashrc ; exit" > ~user/.bashrc
    17. Re:Can only allow programs to be run... by DarkOx · · Score: 1

      I would say for the most part you're right. I can think of only a couple of things that would be real nasty to do on a winbox without any arguments or user input; however, there are many things that could be real nasty with as little as one "ok", which, because so many win users are used to pressing "ok" without reading, could really mess people up good.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    18. Re:Can only allow programs to be run... by Anonymous Coward · · Score: 1

      Want to try an experiment?

      How about we run an "Ask Slashdot", where we nominate the best "shell: xxx" string. You promise to run the winning entry on your system and report back the results to all of us.

      I suggest that you have a second computer handy for posting the result...

    19. Re:Can only allow programs to be run... by Pieroxy · · Score: 1

      You mean you don't have the "c:\deletealldata.bat" file on your harddrive in case the police knocks on your door to check on all those nice mp3s? Now that I'm thinking about it, I'll probably rename it something less obvious :-)

    20. Re:Can only allow programs to be run... by DeadMeat+(TM) · · Score: 2, Informative

      There's an explanation here of how it could be used to exploit buffer overflows in apps.

    21. Re:Can only allow programs to be run... by IshanCaspian · · Score: 1

      > or open ports to let something really nasty in

      Yeah, like an exploit that lets you run arbitrary code with nearly unlimited user privileges, you could do a lot of damage with that...

      oh wait....

      --

      But there is another kind of evil that we must fear most... and that is the indifference of good men.
    22. Re:Can only allow programs to be run... by HermanAB · · Score: 1

      OK, try this one on WindowsME (I know, that's all I had around here, that isn't Linux):

      shell:windows\cleanmgr.exe

      That gives an instant blue screen.

      Windows has always had these half-assed programs that are actually part of something else and which should not be run on their own. So all you need to do is find one like that for WinXP...

      --
      Oh well, what the hell...
    23. Re:Can only allow programs to be run... by HermanAB · · Score: 1

      I tried this one, but could not figure out a way to make it work - yet...
      shell:windows\command\deltree.exe /y c:\
      Anyhoo, try this one on Windows ME:
      shell:windows\cleanmgr.exe
      MUHAHAHAHAHAHAHA!!!

      --
      Oh well, what the hell...
    24. Re:Can only allow programs to be run... by LiMikeTnux · · Score: 1

      like someone posted earlier, you can use notepad to open a file over and over, of a program with a buffer overrun sploit, and become god of their system

      --
      yap
  13. The War by POds · · Score: 1, Funny

    So open source is literally infecting MS Windows :) So this is how we plan to take down the empire?

    --


    Giving IE users a taste of their own medicine since 2005 - http://pods.-is-a-geek.net/
    1. Re:The War by Neil+Blender · · Score: 1

      So open source is literally infecting MS Windows

      So it appears that Ballmer was right all along.

    2. Re:The War by MisanthropicProgram · · Score: 2, Interesting
      I find it interesting watching moderation of posts like yours: it goes from Troll...to Funny...to Troll... to ???
      Different moderators - different tastes.

      You know what? If I had a really hard programming assignment and no books to read up on it, I would go to an Open Source Project to see how they did it. Call me whatever you like. But if my job and my livelihood were on the line, I don't know what I would do....

  14. Ready...set...GO by linuxwrangler · · Score: 3, Insightful

    By the time the Mozilla story was posted on Slashdot the fix was already available - the link was even posted with the story.

    I don't see a patch posted with this story so I guess there's no way Microsoft can win the patch-speed race for this bug - all we will be able to do is place bets on just how much slower Microsoft is. Predictions, anyone?

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
    1. Re:Ready...set...GO by Anonymous Coward · · Score: 0

      Don't worry, it'll be in SP3

    2. Re:Ready...set...GO by Pharmboy · · Score: 1

      Don't worry, it'll be in SP3

      Might as well say it is included in Half Life 2. Or Doom 3.

      --
      Tequila: It's not just for breakfast anymore!
    3. Re:Ready...set...GO by Anonymous Coward · · Score: 0
      Might as well say it is included in Half Life 2. Or Doom 3.

      Or Duke Nukem Forever! Ha!

      Damn, those jokes keep on getting better every time someone tells them, I swear.

    4. Re:Ready...set...GO by hoggoth · · Score: 1

      > Don't worry, it'll be in SP3

      Microsoft announced today that SP3 will be ready very soon. Also, they are rebranding it: "SP3 Forever".

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    5. Re:Ready...set...GO by TrancePhreak · · Score: 3, Interesting

      Or there's the reality, that it has been fixed for a long while back and is only found in older versions of the software.

      --

      -]Phreak Out[-
    6. Re:Ready...set...GO by Anonymous Coward · · Score: 0

      "By the time the Mozilla story was posted on Slashdot the fix was already available - the link was even posted with the story."

      I still don't think 2 years was oh so fast.

    7. Re:Ready...set...GO by Anonymous Coward · · Score: 0

      Or Duke Nukem Forever! Ha!

      Naaah... that's being too harsh, even for Microsoft.

  15. Now we know. by azuretongue · · Score: 2, Interesting

    Now we know whether the shell scheme bug was in the OS or the application :)

  16. David Lettermen Quote by Anonymous Coward · · Score: 0

    "while you guys were down here talking, we were upstairs having hot buttered corn"!!!

    HeHe!

  17. Misinformation... by Dwonis · · Score: 4, Interesting
    "We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities with no exposure to malicious attackers while the update is being developed," the company said in an e-mail statement.

    (Score: -1, Troll)

    I find it interesting how they talk about "no exposure to malicious attackers", as if their products are magically invulnerable until someone discloses the hole to the public.

    1. Re:Misinformation... by Nevo · · Score: 0, Troll

      Actually, to a large extent, Microsoft is right here. It's no secret that as soon as a patch is released, the bad guys diff the new and old versions of the file to see what changed, which leads them right into creating an exploit.

      Without the diff, it's a LOT (and I do mean a *lot*) harder for the population at large to create these attacks.

      To a very large extent, there ARE no malicious attackers when the fix gets out before word of the exploit does.

    2. Re:Misinformation... by swillden · · Score: 1

      To a very large extent, there ARE no malicious attackers when the fix gets out before word of the exploit does.

      That's because there are just so *many* holes for attackers to choose from. Why would they waste time looking for new ones? Just let the security community find 'em!

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  18. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  19. "Mozilla is just as bad as IE" by Mitchua · · Score: 0

    HA! Take that M$ :-D

  20. Two words come to mind by peragrin · · Score: 2, Funny

    HA HA

    Does it also count as the obligatory Simpson's quote?

    --
    i thought once I was found, but it was only a dream.
  21. Re:Goes to show... by tolan-b · · Score: 3, Funny

    Oh good, I'll go and download SP2 then... What's that? It's been delayed to mid-August? Oh dear!

  22. Re:Goes to show... by Anonymous Coward · · Score: 5, Insightful

    The URI exploit in its general form is mitigated by the fact that you can't pass any command-line arguments to the command. So you can launch a bunch of Notepads, so what? However, you CAN type a filename in and have it open in its associated application. If that filename is too long, you can exploit a buffer overflow in the helper application. There happens to be a plentitude of client applications on a standard XP box with buffer overflow possibilities. Once you're there, go anywhere you want with the privileges of the user on the XP box (which is usually admin, and if not, you can usually get admin without a lot of effort).

    Anyway, SP2's memory protection would have prevented the overflow attack. It would not have prevented the most general (and less harmful) form of the attack, however.

    What the original poster was probably meaning, if he had a point at all, was that non-Windows systems don't do this sort of "command-line-as-a-protocol" bullshit because it's quite obviously the wrong way to do things. Security through obscurity works in a lot of cases because people think "nobody would EVER design an OS that did THIS" and they never bother to look. Well, now someone's looked and found an ancient kludge coded by someone who probably doesn't even work for MS anymore. And more man-hours are going into fixing this bug than would have gone into creating a proper implementation of whatever this goober was trying to accomplish in the first place.

    That said, Open Source isn't pixie dust that makes everything happy and secure. Stupid things happen in Linux. They just happen in the open where people can find them and fix them before applications start relying on them to function.

  23. Re:Goes to show... by Anonymous Coward · · Score: 0

    ... what gets patched in the open source world gets exploited further in the proprietary world. MS should probably pay more attention to projects like Mozilla... it might save them a lot of time and effort in the long run.

    SFU you smug asshole

  24. Can we call them beleaguered now? by BandwidthHog · · Score: 1

    I mean c'mon, WebSideStory confirmed it today and all.

    --

    Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
    1. Re:Can we call them beleaguered now? by Phroggy · · Score: 2, Informative
      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  25. Hello Mr. Time Traveller by Lochin+Rabbar · · Score: 1

    I know that xp sp2 protected against the Mozilla exploit

    Are you posting from the future, sometime like september? Which might be after sp2 is finally released, because given MS's history just because something is fixed in the beta doesn't mean it will make the final cut.

    only fixed "in the open source world" seem pretty specious

    That's not what was said and you know it.

  26. Difference between MS and the rest by Todd+Knarr · · Score: 4, Insightful

    I think the handling of this problem demonstrates the difference between Microsoft software and other software like Mozilla. In Mozilla, the problem didn't even require a real patch to fix, just a quick config setting to tell it not to pass things along to the shell: handler. My bet is that fixing Word etc. will require not just multiple registry changes but actual new code to allow shell: to be disabled. And odds on the first thing they try is to just add filters, and we'll see half a dozen iterations of exploits of this using different ways past the filters until MS finally includes a patch to allow it to be disabled.

    1. Re:Difference between MS and the rest by Anonymous Coward · · Score: 0

      It will also break a lot of your in-house applications because they haven't been broke lately. Oh yeah, you know the one guy with the MS Office CD? His ass is going to be pretty busy since every computer in the organization will now need the disks to make changes to office.

    2. Re:Difference between MS and the rest by Anonymous Coward · · Score: 1, Insightful

      There is a pretty big difference between the amount of shit piled on top of Mozilla vs Word/MSN. Consider all of the applications (corporate mostly, but not entirely) that use Word at some point internally.

      Even if they had a patch right away, it would take a while to put it through the QA labs at MS to ensure it doesn't break anything vital. Mozilla just rolled the patch into a nightly build, ran some unit tests and released it. They didn't have to worry about it breaking 6,000 custom designed applications.

  27. the other one _wasn't_ Mozilla's fault by Anonymous Coward · · Score: 0

    it simply passed on requests it didn't understand, it was a bug in the OS itself,
    the Mozilla hack is just that, a hack to
    cover a deeper Windows vulnerability.

  28. Easy solution by Anonymous Coward · · Score: 0, Insightful
    There's an easy solution to this. In fact, I'm using the solution right now.

    I'm typing this on my computer running Windows 98. This overlooked operating system doesn't have the bloat that other OS's have, and it's a lot more secure. We don't even have the shell protocol, so there's no shell exploit to worry about it. Just turn off file sharing, use Mozilla, and everything's great.

    1. Re:Easy solution by PenGun · · Score: 1

      Win 98 _is_ a shell. S' jus dos dood. An advanced, heh, window manager in a dos 7 shell. PenGun

    2. Re:Easy solution by Anonymous Coward · · Score: 0

      Yes. It handles multitasking very well. Oh yes.

  29. Re:Goes to show... by Anonymous Coward · · Score: 0

    Well, SP2 won't be out til August now, since Microsoft is trying to let Intel catch up to AMD.

  30. Re:Mac's safer if no MS code on them by Anonymous Coward · · Score: 0

    In my 20+ years of using a Mac and getting only one virus, I can tell you how I did it, I ran as little Microsoft code as humanly possible.

    I haven't used a Mac for several years, but between 1989 and 1999, I used them fairly heavily. I saw a single virus in those 10 years. A macro virus in Microsoft Word which I got by opening a word doc from a Windows machine.

  31. In Microsoft's Defense... by SnprBoB86 · · Score: 5, Interesting

    (that subject is a great way to get modded down)

    I created a shell link inside Office Word 2003 and when I clicked it I was warned that the hyperlink contained a potentially dangerous target and that I should only proceed if I trusted the source of the document. This warning does not appear for http, https, ftp, or other common "safe" protocols.

    I do not have MSN available for testing.

    --
    http://brandonbloom.name
    1. Re:In Microsoft's Defense... by Justin205 · · Score: 1

      And how many Windows users actually ever click NO at one of those prompts?

      --
      "Your effort to remain what you are is what limits you."
    2. Re:In Microsoft's Defense... by SnprBoB86 · · Score: 1

      yyeeaaaaa... that seems to be a big problem with prompts.

      Prompts for many people become an extension of the action that caused the prompt.

      Example:
      How many times have you deleted a file through windows explorer only to go "oh crap" and go get it out of the recycling bin. If you are an average user, you now ask "wtf is the recycling bin", if you are a clumsy power user.. the answer is "A LOT".

      I am still a huge fan of the "power-tool security method" (tm of Brandon Bloom). Basically, every potentially dangerous action should require a secondary action that indicates you understand the dangers involved with the primary action. You need to hold two buttons in order to turn on a modern table saw. The first button turns on the saw, and the second button turns on the button that turns on the saw.

      In the case of deleting files, reversibility (having a recycling bin) cures the problem.

      But for install-on-demand, shell: links, etc: I want a prompt that has a "OK" button that changes to be "Continue" when you check a box labeled "I understand the potential dangers and wish to continue."

      --
      http://brandonbloom.name
  32. Mozilla Bug 163767 by Sweetshark · · Score: 3, Informative

    While bug 250180 is pretty new, bug 163767 is ancient (08-2002) and describes the same problem, although being a bit more generic. I wouldn't shout too loud about fast bugfixing in OSS in this particular case. Although the bug is more a bug of Windows broken-by-design handling of URIs it still should have been fixed (or the features needed for the bug to work should have been disabled by default.)

    1. Re:Mozilla Bug 163767 by fireman+sam · · Score: 3, Insightful

      So, perhaps Mozilla should have "bug fixes" for every windows flaw that they uncover? Wouldn't that introduce quite a bit of bloat?

      Every application that uses this scheme is vulnerable.

      Maybe someone should check to see if IE has this "bug" as well.

      --
      it is only after a long journey that you know the strength of the horse.
    2. Re:Mozilla Bug 163767 by Sweetshark · · Score: 4, Interesting

      Maybe someone should check to see if IE has this "bug" as well.
      That's very probable since this is more a "metabug" in Windows - that might get fixed in SP2.
      So, perhaps Mozilla should have "bug fixes" for every windows flaw that they uncover?
      No. They should just disable unsecure stuff by default. That's one of the strong points of Mozilla. They did write code at some point that passes some unfiltered, unchecked data from the web on to some external handler. That action is shouting "security hazard" all the way ....
      Wouldn't that introduce quite a bit of bloat?
      If you are fighting bloat, Moz shouldn't include this "feature" at all. But if someone writes code for this (rarely useful, but dangerous) feature, you better disable it by default.

    3. Re:Mozilla Bug 163767 by Anonymous Coward · · Score: 0, Funny
      Nope, it doesn't. They coded special-cases to avoid their own broken APIs.

      I bet there are a whole bunch of these "traps" in Windows. They'd get in trouble if they wrote :

      if (Application Name == 'Firefox') open_security_hole();
      so instead they write
      if (true) open_security_whole();
      if (Application Name == 'IE') workaround_security_hole();
      That way they don't get caught for singling out competitors.

      It's kinda like how they mess with their home page when they detect an opera browser so Opera won't display it correctly.

    4. Re:Mozilla Bug 163767 by fireman+sam · · Score: 2, Funny

      "They should just disable unsecure stuff by default."

      What, disable the Windows builds? But what about all the people wanting to switch from IE?

      NB: this was an attempt a humor

      --
      it is only after a long journey that you know the strength of the horse.
    5. Re:Mozilla Bug 163767 by RedWizzard · · Score: 1
      Maybe someone should check to see if IE has this "bug" as well.
      It does on my system. XP SP1, IE6 SP1. I haven't run windows update in a few weeks, but at the moment typing 'shell:windows\explorer.exe' results in an Explorer window opening without warning.
    6. Re:Mozilla Bug 163767 by Pieroxy · · Score: 1

      Why should it warn you? If you want an explorer open, that is one way to get it. Guess what: Windows Explorer is also insecure!!! As soon as I double click on an icon, the program runs without warning!!!

    7. Re:Mozilla Bug 163767 by fireman+sam · · Score: 1

      Ah, yes, but I can have a web page that has:

      <img src="shell:[path to app with known exploit]">

      then have my system execute the exploit for the NOW RUNNING program.

      Hmmm, maybe cgi or php, then everything can be automatic.

      --
      it is only after a long journey that you know the strength of the horse.
    8. Re:Mozilla Bug 163767 by Short+Circuit · · Score: 1

      ...although being a bit more generic.

      Interesting. Perhaps, in the future, when people file bugs, they should be specific and list resulting threats?

      I'm not all that familiar with Bugzilla, though. Are bugs voted on, or do moderators rate criticality?

    9. Re:Mozilla Bug 163767 by nineinchnatey · · Score: 0

      Because you're in the "local" security zone.

    10. Re:Mozilla Bug 163767 by CaptainABAB · · Score: 1

      Which is by design - and I'm not being sarcastic. Local web pages have different access rights than ones over the web. Which is why an outside web page with that URI won't work in IE but typing it into the address bar will. Which explains why IE has zones like "Internet" vs. "Local Intranet", etc. Typing it into the address bar is equivalent to running an exe from the command line. http://www.eweek.com/article2/0,1759,1622074,00.asp "In discussions with representatives of the Mozilla Foundation, they conceded this indeed was a bug and didn't try to foist the blame on to Microsoft. And that's because they know what's usually perfectly obvious: that browsers are supposed to look suspiciously at content and try to protect the user. There's little to be gained by a defense that it's Windows fault, not when you wrote the application to tell Windows to run whatever content comes up."

    11. Re:Mozilla Bug 163767 by Anonymous Coward · · Score: 0

      If memory serves correctly, the Mozilla foundation issued a statement/explanation of why they weren't going to fix the flaw when it was discovered roughly two years ago. That explanation basically said that users could disable the vulnerable protocol manually by typing about:config in their address bar, then typing shell in the textbox labeled filter, right click the network.protocol-handler.external.shell, selecting modify, and setting the value to false.

      I do agree that it should have been disabled by default. In any complex software there are bound to be oversights.
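
A small model of the external-protocol gate these two comments are talking about, written as an added example for this mirror and not taken from Mozilla's code: it puts the old deny-list behaviour, where an unknown scheme such as shell: is handed to the OS unless the user has set network.protocol-handler.external.shell to false as the comment above describes, beside an allow-list policy that blocks unknown schemes by default, which is the "disable unsecure stuff by default" point made further up the thread. The internal-scheme set, the decision strings and the global default pref name network.protocol-handler.external-default are assumptions made for this example.

```javascript
// Added example, not Mozilla code: a simplified model of the gate that decides
// whether a URI found in web content may be passed to an external (OS) handler.
// The per-scheme pref name network.protocol-handler.external.<scheme> follows the
// about:config entry mentioned in the thread; the global default pref name, the
// internal-scheme set and the decision strings are assumptions for this example.

// Schemes the browser renders itself; these never reach an OS handler.
const INTERNAL_SCHEMES = new Set(["http", "https", "ftp", "file", "about"]);

// RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), compared case-insensitively.
function schemeOf(uri) {
  const m = /^\s*([A-Za-z][A-Za-z0-9+.-]*):/.exec(uri);
  return m ? m[1].toLowerCase() : null;
}

// Deny-list policy (the behaviour the thread complains about): anything the
// browser does not handle itself goes to the OS unless explicitly disabled.
function denyListDecision(uri, prefs) {
  const scheme = schemeOf(uri);
  if (scheme === null) return "reject";
  if (INTERNAL_SCHEMES.has(scheme)) return "internal";
  const perScheme = prefs[`network.protocol-handler.external.${scheme}`];
  return perScheme === false ? "block" : "hand-to-os";
}

// Allow-list policy: an unknown scheme is blocked unless the user enabled it,
// or the (assumed) global default network.protocol-handler.external-default is true.
function allowListDecision(uri, prefs) {
  const scheme = schemeOf(uri);
  if (scheme === null) return "reject";
  if (INTERNAL_SCHEMES.has(scheme)) return "internal";
  const perScheme = prefs[`network.protocol-handler.external.${scheme}`];
  if (typeof perScheme === "boolean") return perScheme ? "hand-to-os" : "block";
  return prefs["network.protocol-handler.external-default"] === true ? "hand-to-os" : "block";
}

// The manual about:config change described in the comment above, as a pref update.
function disableShellHandler(prefs) {
  return { ...prefs, "network.protocol-handler.external.shell": false };
}

// Constructed sample links, as they might appear in a page or a message.
const SAMPLE_LINKS = [
  "http://example.invalid/page",
  "mailto:someone@example.invalid",
  "shell:windows\\notepad.exe",
  "SHELL:windows\\notepad.exe", // scheme comparison must ignore case
  "not a uri",
];

// Run one policy over the samples and return { uri: decision }.
function evaluate(policy, prefs) {
  return Object.fromEntries(SAMPLE_LINKS.map((u) => [u, policy(u, prefs)]));
}

const stockPrefs = {}; // nothing set: the out-of-the-box state
console.log("deny list, stock prefs:", evaluate(denyListDecision, stockPrefs));
console.log("deny list, shell disabled:", evaluate(denyListDecision, disableShellHandler(stockPrefs)));
console.log("allow list, stock prefs:", evaluate(allowListDecision, stockPrefs));
```

With stock prefs the deny-list policy hands both spellings of the shell: link to the OS; setting the single pref blocks them, and the allow-list policy blocks them without any user action, which is the whole difference the thread is arguing about.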

    12. Re:Mozilla Bug 163767 by Ice_Balrog · · Score: 2, Informative

      No. Bug 163767 simply warns that should there ever be a Windows exploit with the shell: protocol handler, Mozilla will be vulnerable. At the time there was no such Windows exploit, but even then they made it so that you would have to manually invoke the shell: protocol handler (by clicking a link). When an exploit in Windows was found, Mozilla finally decided to fix it for MS, by completely disabling shell:.

      --
      #include "sig.h"
    13. Re:Mozilla Bug 163767 by hunterx11 · · Score: 1

      Of course everyone will recover entirely by 2038 only to lose it all again!

      --
      English is easier said than done.
    14. Re:Mozilla Bug 163767 by TheLink · · Score: 1

      Try it. Put the page on the local disk, and put it on an intranet webserver, and put it on an internet webserver.

      Go figure.

      Compare with Mozilla which just ran the stuff (until the bug was fixed).

      --
    15. Re:Mozilla Bug 163767 by kai.chan · · Score: 2, Insightful

      What I don't get is why the article words the sentences so that it sounds like Microsoft software was just found to be sharing the same vulnerability as Mozilla, when in reality, the exploit stemmed from Microsoft to begin with.

      As always, I like how the last paragraph shows Microsoft's dislike for people to post Microsoft security flaws for the world to see.

    16. Re:Mozilla Bug 163767 by Anonymous Coward · · Score: 0

      Nah, it's because they can't keep up with Firebird^H^H^H^HFox's name changes.

    17. Re:Mozilla Bug 163767 by smallguy78 · · Score: 0

      Hell hath no fury like Mozilla fan scorned

      --
      Nothing costs nothing
    18. Re:Mozilla Bug 163767 by Myen · · Score: 1

      The just found vulnerability is the passing of untrusted URIs (in this case, shell://blah) into the OS.

      Hmm, anyone know if there's anyway to actually indicate to the OS that the URI you're passing in is untrusted?

    19. Re:Mozilla Bug 163767 by shaitand · · Score: 2, Insightful

      Mozilla passes it with the appropriate security level, indicating it's unfiltered unchecked data coming from the web. They are doing exactly what they are supposed to.

      And the whole reason the browser is passing it is because it's NOT a known uri type (who would expect there to be a shell uri, what kind of idiot comes up with the brilliant idea for a shell uri to begin with?).

      This is windows, remember that most uri types aren't documented. Since we are only talking about unknown datatypes, it's a safe bet the browser will never know how to treat them. Which is why it does what it's supposed to do and passes it to the OS clearly labeled as hazardous nuclear waste.

      Rarely useful?! At least half the media types you load are able to function due to this feature? (assuming you use Mozilla).

      There is a security scheme in place in windows for this type of content for just this purpose. Mozilla handles this the way a windows application is supposed to do it. If the security scheme is broken it's 100% a microsoft issue.

    20. Re:Mozilla Bug 163767 by Lodragandraoidh · · Score: 1

      This is a great example of why the opaque Windows API coupled with proprietary software is such a problem - who knows how many undocumented APIs are waiting to be (or already being) exploited?

      At least with open source you have the option of fixing the API or the program if that is the problem, instead of waiting and hoping for a corporate entity, who does not have your best interests at heart, to publish a patch.

      --

      Lodragan Draoidh
      The more you explain it, the more I don't understand it. - Mark Twain
  33. That's why... by Anonymous Coward · · Score: 0

    I use the only software not exploitable in Windows - Notepad!

  34. "Exploit" by Lord+Bitman · · Score: 2, Insightful

    "This can be done easily with notepad. Click here to open notepad"

    You know, some "it's not a bug, it's a feature" things really are features. I don't see how this is worse than while(true) { window.open(document.location); }

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
    1. Re:"Exploit" by argent · · Score: 1

      The difference is one is a denial of service and the other is a privilege escalation.

      DOS is a problem, but worrying about another DOS in Windows is like worrying about sunburn in a firestorm.

    2. Re:"Exploit" by prockcore · · Score: 1

      I don't see how this is worse than while(true) { window.open(document.location); }

      Actually, I think mozilla has something in there that prevents this bomb from working.

      However, one that drives me nuts is while (true) { print() }

    3. Re:"Exploit" by HermanAB · · Score: 1

      Hmm, I already posted one shell: exploit that causes a PC to crash. I'm sure there are others. This is very much a real problem.

      --
      Oh well, what the hell...
  35. Re:Goes to show... by Anonymous Coward · · Score: 0
    That said, Open Source isn't pixie dust
    Then why does it make me so fucking high???
  36. I confess! by MisanthropicProgram · · Score: 1
    I know to the second when a patch comes out for Windows! Really! But I don't apply it! Why, you ask. Because, I'm still stuck in adolescence and I want to be a rebel! That's right. I want to run my machine with no patches - hackers be damned! Who are you people to tell me to patch my machine? Ha! I take chances - what's the saying, "You don't wear a raincoat in the shower." or something like that. You know what I mean.

    Later on.. our Windows user gets an unstable system and funny looking things on his dick.

    1. Re:I confess! by Anonymous Coward · · Score: 0

      OMG. Please tell me that you really *are* that screwed up. If you are, then you are my new hero.

    2. Re:I confess! by DAldredge · · Score: 1

      I miss Ogg and the NPNAP trolls. They were at least original.

    3. Re:I confess! by Anonymous Coward · · Score: 0

      hahahahaha silly! you meant to say disk!

  37. Re:Mac's safer if no MS code on them by Anonymous Coward · · Score: 0

    I've been using MS products almost exclusively for 20+ years and have never gotten a virus either. It's insanely easy to prevent if you give it even 10 seconds of thought and config. Something I admit 99% of computer users are not willing to do...

  38. What other programs are vulnerable? by jesser · · Score: 4, Informative

    I'm the one who posted this message to Full Disclosure. I was too lazy to test all popular e-mail clients, IM clients, word processors, etc. that run on Windows, so I posted after finding only two vulnerable programs. Who wants to help?

    All you have to do is see if your programs accept links to shell:windows\notepad.exe. If clicking the link launches Notepad, it's vulnerable. If there's a warning dialog, it's somewhat vulnerable, depending on the wording of the dialog.

    --
    The shareholder is always right.
    1. Re:What other programs are vulnerable? by danharan · · Score: 1

      Not to start a flamewar or anything, but I'm curious: did you contact MS before publicizing this? If not, why?

      --
      Information: "I want to be anthropomorphized"
    2. Re:What other programs are vulnerable? by jc42 · · Score: 2, Interesting

      Well, considering that a number of Microsoft people had already gone public with the "It's not our problem; it's Mozilla's problem", I'd think that the obvious answer is that Microsoft's management was already very much aware of the problem. Pointing out that MS products have the same vulnerability is an obvious (if somewhat in-your-face) way to shoot down their FUD.

      And, let's face it, they were using this as an opportunity to squelch the recent rash of switches from IE to Mozilla. They deserve to be hit fast and hard for such tactics.

      (Not that the Mozilla people are totally innocent here. Even if you agree that it's a Windows bug, it's clear now that Mozilla could very easily catch it and pop up a warning window. That would have taken less time than was apparently spent discussing the issue and deciding to not deal with it right away.)

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    3. Re:What other programs are vulnerable? by jesser · · Score: 5, Informative

      I did not contact Microsoft before posting on Full Disclosure. I thought posting to Full Disclosure would encourage Microsoft to fix the hole in Windows rather than forcing every software vendor to work around it using a whitelist or blacklist. Maybe I was wrong about that. I felt that all software vendors should be given an equal chance to fix the hole if they want to be safe running on unpatched versions of Windows. I was frustrated that Mozilla looked bad because of a Windows hole that affected a large number of programs.

      I got an IM from someone at Microsoft thanking me for the post on Full Disclosure. Microsoft earned a little respect from me today.

      --
      The shareholder is always right.
    4. Re:What other programs are vulnerable? by YU+Nicks+NE+Way · · Score: 1

      I'm glad you posted the note. As several people on Full Disclosure pointed out to you, you misunderstood the original vulnerability: the Microsoft products you cite raise a warning dialog when you traverse the link by hand. In neither case does the link "self execute" -- you need to act on it to cause the problem. The Mozilla bug is that including such a link in a META tag can cause the shell code to be executed immediately, without any user intervention, and without giving a warning.

      Users are allowed to do stupid things. They're not supposed to be exposed to situations where stupid things can happen when they didn't do anything stupid themselves. Chasing a link that raises an error box, and then clicking "OK" -- that's stupid and dangerous. Opening a safe web page is supposed to be safe.

    5. Re:What other programs are vulnerable? by jesser · · Score: 2, Insightful

      As several people on Full Disclosure pointed out to you, you misunderstood the original vulnerability: the Microsoft products you cite raise a warning dialog when you traverse the link by hand.

      (I didn't see anyone say that on Full Disclosure.)

      You're wrong. Neither of the programs I tested raised a warning dialog. A newer version of Word does, though, as pointed out by several Slashdotters.

      In neither case does the link "self execute" -- you need to act on it to cause the problem.

      The only action required in both programs is activating a link. Activating a link is supposed to be safe.

      Chasing a link that raises an error box, and then clicking "OK" -- that's stupid and dangerous.

      Depending on the wording of the warning dialog, it might not be stupid.

      If the warning is 100% jargon, as in "This link uses the shell: protocol. Do you want to proceed?", only someone very geeky or very paranoid would click Cancel. I think AIM or Gaim or Trillian has a dialog like this.

      If the warning says "Hyperlinks can be harmful to your computer and data. Do you want to continue?", many users will think "Huh? Hyperlinks have to be safe; I click them in web pages all the time." and click OK. Word 2003 has a dialog like this and doesn't show it for "safe" protocols.

      --
      The shareholder is always right.
    6. Re:What other programs are vulnerable? by YU+Nicks+NE+Way · · Score: 1

      Word 2k, patched, shows the "Hyperlinks can be harmful" dialog, just like Word 2002 and Word 2004 do. (See here.) MSN Messenger shows an even more aggressive dialog about worms and viruses. (See here.)

  39. Re:Goes to show... by Frizzle+Fry · · Score: 3, Insightful
    Oh good, I'll go and download SP2 then

    Good. Go download it. Or don't. But at least don't be a hypocrite like half the people here and say that sp2 "doesn't count" until it reaches final release form, while firefox "counts" even though it's also in pre-release form (not even at 1.0 yet). Sort of like when people claim that IE on xp doesn't have popup blocking but firefox does.
    --
    I'd rather be lucky than good.
  40. xp sp2 by wolfywolfy · · Score: 1

    seriously though, you can download it via windows update v5.

    http://v5.windowsupdate.microsoft.com/

    --
    *meep*
  41. URI!? by DonniKatz · · Score: 3, Funny

    As the University of Rhode Island (URI) University College Representative in the Student Senate, I can assure you that no student at the University of Rhode Island is exploiting Microsoft Word... we're only pirating it.....

  42. Me Shell by Anonymous Coward · · Score: 0

    Ma Bell

    1. Re:Me Shell by CowboyBob500 · · Score: 1

      Ma Bell

      Lol, this should be reported to one of those misheard lyrics sites. The correct lyrics for anyone interested are "my belle".

      Bob

  43. What's new? by Anonymous Coward · · Score: 0

    Microsoft... vulnerable? Ya think?

  44. Mozilla flaw? by ScriptGuru · · Score: 5, Insightful

    The Article's title is: Microsoft products also vulnerable to Mozilla flaw. That is gross misinformation; it should be something along the lines of "Microsoft products allow exploit of OS flaw, similar to Mozilla." The flaw itself is in the Windows operating system. It exposes access to shell functions that applications need to blacklist. Application developers shouldn't need to be concerned with "Oh, I need to stop that protocol for security." It should be the protocol developer's responsibility to say "Is this safe?"

    --
    Yet another signature that refers to itself. The irony and humor is dead.
    1. Re:Mozilla flaw? by spitzak · · Score: 1

      Hardly. Windows is providing a service. The fact that a program can delete any file by name does not mean a program that accepts an arbitrary name from a web site and deletes the file is not to blame for the error.

      About the worst they can be accused of is that they provided an obvious text version of the service and thus tempted programmers to pass raw text unchanged that it got from untrusted sources. However this sort of security error exists in lots of software, on Linux as well as Windows (typical examples are in cross-site scripting).

    2. Re:Mozilla flaw? by Anonymous Coward · · Score: 0

      ""We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities with no exposure to malicious attackers while the update is being developed," the company said in an e-mail statement."

      This statement alone just cracks me up. It's as if to say no one knows about a vuln unless it's publicly disclosed. Which is BS. Sure, en masse might not - but that just means they won't know they have to patch or are potentially open to attack before patching.

      This is security thru obstupidity. Basically gives M$ a chance to modify notification dates etc so they can come out looking good. Lies lies MS, you're full of lies and always will be. Boy that cried wolf got a worse rap than M$ has..

    3. Re:Mozilla flaw? by ScriptGuru · · Score: 2, Insightful

      Come now. What if I were to write a service called "delete:///" for the sole purpose of deleting files? The standard for Windows applications, IE and Moz included, is to say "Can I open this? I can't? Okay, who here can? ... Okay, go for it!" So, if someone notices that there's a population of machines with "delete:///" on them and uses it to slate a bunch of computers, whose fault is it, mine or Mozilla's?

      Of course, they could whitelist, say "Okay, only telnet:, ssh:, and aim: can go through." But this really isn't viable because it breaks the principle of things just working because future additions won't work.

      The simple truth of it is that, without adding layers to the system like a shell: blocker, the only way is to be accountable when programming a protocol.

      --
      Yet another signature that refers to itself. The irony and humor is dead.
    4. Re:Mozilla flaw? by TiggsPanther · · Score: 1

      It seems to be a bit of both. MS should have closed this hole ages ago; on the other hand Mozilla might not have had the best idea just passing any unknown protocol onto the OS.
      Having said that, within a day or so of the seriousness of the vulnerability being published there was a patch and a new version of Mozilla, Firefox and Thunderbird all out.

      One thing about the whole Mozilla thing, though, is that MS will find it very hard to turn this one to their advantage.
      "See. Even Mozilla and Firefox aren't secure. They had an exploitable vulnerability! What was it? Oh, it passed unknown protocols for the Operating System to handle.... oh."
      A competitor's product having a hole that exploits a problem in one of your own products might not be a good selling point in your favour.

      I do wonder how fast MS will patch this vulnerability in its own apps. And in the non-free ones how will they go around providing the update?

      Tiggs
      --
      Tiggs
      "120 chars should be enough for everyone..."
    5. Re:Mozilla flaw? by makomk · · Score: 1
      Of course, they could whitelist, say "Okay, only telnet:, ssh:, and aim: can go through." But this really isn't viable because it breaks the principle of things just working because future additions won't work.

      I think, for Mozilla, a tristate method would be best: have a whitelist (URIs that are known to be OK), a blacklist (URIs that are always blocked), and pop up a warning for everything else. Better still would be a global, Windows-wide whitelist that URI handlers can add themselves to and which all programs followed.

      [WARNING: excessive wishful thinking detected]
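The tri-state policy proposed above, combined with the link check described earlier in this thread (does the program hand `shell:windows\notepad.exe` to the OS, or not?), as an added Python illustration; this is not Mozilla's, Microsoft's or any vendor's code, and the scheme lists, the sample links and the `ExternalLinkPolicy` name are assumptions made for the example.

```python
"""Tri-state dispatch policy for links whose scheme the application does not
handle itself: allow silently, block outright, or warn the user first.
Added illustration only; not code from Mozilla or any vendor."""
import re
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"    # hand the link to the registered handler without asking
    BLOCK = "block"    # never hand the link to the operating system
    PROMPT = "prompt"  # ask the user first, with a plain-language warning


# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def scheme_of(link: str) -> Optional[str]:
    """Return the lower-cased scheme of a link, or None for a relative reference.

    Non-printable characters and surrounding whitespace are dropped first, so
    that " SHELL:..." or a scheme padded with control characters still ends up
    in the same lookup as "shell:".
    """
    cleaned = "".join(ch for ch in link if ch.isprintable()).strip()
    m = _SCHEME_RE.match(cleaned)
    if m is None:
        return None
    scheme = m.group(1).lower()
    # A one-letter "scheme" is a Windows drive letter (c:\...), i.e. a local
    # path; treat it as file: so the file rule applies to it.
    return "file" if len(scheme) == 1 else scheme


class ExternalLinkPolicy:
    """Whitelist / blacklist / prompt-for-the-rest, as proposed in the thread."""

    def __init__(self, allow, block, internal=()):
        self.allow = {s.lower() for s in allow}        # known-safe external schemes
        self.block = {s.lower() for s in block}        # never passed to the OS
        self.internal = {s.lower() for s in internal}  # handled by the app itself

    def decide(self, link: str) -> Tuple[Decision, str]:
        scheme = scheme_of(link)
        if scheme is None or scheme in self.internal:
            # Relative references and the app's own schemes never reach the OS.
            return Decision.ALLOW, "handled by the application itself"
        # Blacklist is checked before whitelist so a scheme listed in both
        # fails closed.
        if scheme in self.block:
            return Decision.BLOCK, f"{scheme}: links are never passed to the operating system"
        if scheme in self.allow:
            return Decision.ALLOW, f"{scheme}: is on the known-safe list"
        # Name the scheme and say what will happen, rather than a generic
        # "hyperlinks can be harmful" message that users learn to click through.
        return Decision.PROMPT, (
            f"This link will be opened by another program registered for "
            f"'{scheme}:' on your computer. Only continue if you trust the source."
        )


# Constructed sample links for the walk-through (not taken from any real page).
SAMPLE_LINKS = [
    "http://www.mozilla.org/",
    "mailto:someone@example.com",
    "shell:windows\\notepad.exe",
    " SHELL:windows\\notepad.exe",
    "C:\\Windows\\notepad.exe",
    "telnet://host.example.com",
    "aim:goim?screenname=example",
    "docs/page.html",
]

# Assumed lists: http/https/ftp are handled internally, mailto is trusted,
# shell: and bare file paths are blocked, everything else prompts.
DEFAULT_POLICY = ExternalLinkPolicy(
    allow=["mailto", "news", "nntp"],
    block=["shell", "file"],
    internal=["http", "https", "ftp", "about"],
)


def triage(policy: ExternalLinkPolicy, links) -> dict:
    """Run the thread's 'does it launch Notepad?' check over a list of links."""
    return {link: policy.decide(link)[0] for link in links}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        decision, reason = DEFAULT_POLICY.decide(link)
        print(f"{decision.value:6}  {link!r}  ({reason})")
```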
  45. Without regression testing... by Anonymous Coward · · Score: 0

    Assuming open source advocates fix bugs immediately upon hearing about them, then how much regression testing is actually done? None. With open source the hole is plugged (good), but the fallout from the problems the fix may cause is never addressed by the advocates until later. Up to this point Linux (open source) really has no large installed base. Let's see how long it takes before those quick patches do more harm than good.

    1. Re:Without regression testing... by Clover_Kicker · · Score: 1

      Anyone who rolls out patches without testing in their own environment deserves whatever they get.

      Patches for *any* software can cause problems, regardless of license.

  46. Fixed in Word 2003 by AzrealAO · · Score: 5, Informative

    Microsoft Word 2003 w/Latest Updates.

    Insert > Hyperlink
    shell:explorer.exe (path should be unnecessary, tried shell:windows\explorer.exe as well)

    Critical Error Dialog pops up

    Opening "shell:explorer.exe"

    Hyperlinks can be harmful to your computer and data. To protect your computer, click only those hyperlinks from trusted sources. Do you want to continue?
    Yes | No

    Pressed Yes and nothing happened.

    1. Re:Fixed in Word 2003 by jesser · · Score: 2, Informative

      shell:explorer.exe (path should be unnecessary, tried shell:windows\explorer.exe as well)

      For me, shell:windows\explorer.exe works in Start - Run, but shell:explorer.exe does not.

      Hyperlinks can be harmful to your computer and data.

      Umm.

      Does it give the same warning for http hyperlinks?

      --
      The shareholder is always right.
  47. Misleading title - "...Mozilla flaw" by Slashcrunch · · Score: 5, Insightful

    The title is quite misleading on first glance.

    "Microsoft products also vulnerable to Mozilla flaw"

    If it was a Mozilla flaw to start with, my Linux boxes would be vulnerable. I know it's picky, but the title is not accurate IMHO as Mozilla is being used to take advantage of a Windows feature, rather than the flaw itself existing in Mozilla.

    1. Re:Misleading title - "...Mozilla flaw" by tonyr60 · · Score: 4, Interesting

      How about this one...
      http://secunia.com/advisories/12043/

      It starts out as a "Sun Java Predictable File Location Weakness"

      Then, further down in the advisory....

      A PoC (Proof of Concept) exploit has been published, which:

      1) Uses the weakness in Sun Java to create a temporary file.

      2) Exploits a file enumeration vulnerability to find the name of the temporary file (100,000 possible combinations).
      SA10820

      3) Exploits a Cross-Zone vulnerability and uses the inherently insecure Windows "shell:" functionality:
      SA11793

      Solution:
      Use another browser than Microsoft Internet Explorer.

      Alternatively disable Active Scripting in Internet Explorer.

      If you do not use Internet Explorer, this issue is not considered a security problem.

    2. Re:Misleading title - "...Mozilla flaw" by Anonymous Coward · · Score: 1, Funny

      You obviously don't understand FUD.

      Since it was first discovered in Mozilla, it is obviously a Mozilla bug, no matter how stupid Microsoft was implementing this feature!

      C'mon, people, this was obviously another one of those features that users demanded and Microsoft is blameless!

    3. Re:Misleading title - "...Mozilla flaw" by Slashcrunch · · Score: 1

      Oh, but I do understand FUD. And I think my comment points it out quite nicely.

      Rare that I'm going to bother replying to an AC.

  48. Re:Goes to show... by Frizzle+Fry · · Score: 1
    However, you CAN type a filename in and have it open in its associated application. If that filename is too long, you can exploit a buffer overflow in the helper application. There happens to be a plentitude of client applications on a standard XP box with buffer overflow possibilities. Once you're there, go anywhere you want with the privileges of the user on the XP box

    I can type in a filename to get the same privileges as the user (meaning myself)? How is this an exploit? The shell: problem was that it could be exploited via a link to a URI. I don't see how something that has to be typed in to the address bar is much of a vulnerability. If you can convince someone to run the arbitrary program with the buffer overrun, you've already won since you've convinced them to run an arbitrary program for you.
    --
    I'd rather be lucky than good.
  49. Run as a separate user! by qseep · · Score: 5, Interesting

    It seems logical that the solution to many of these browser exploits is to run the browser with a separate set of OS permissions, i.e. as a separate user. This could be done using setuid under Unix. I don't know how it's accomplished on Windows.

    The special user would have greatly reduced permissions, which would prevent these exploits from being useful. This user could not execute anything but designated plugins, and could not save files except to a designated area.

    Why has this not been tried?

    1. Re:Run as a separate user! by Demanche · · Score: 0, Redundant

      In Windows you would just change the run-as permission after creating a special user for this purpose, or maybe run it as Guest? I don't know what problems that would cause though, so be nice! :)

      --
      Mod me down im a newf (wiki)
    2. Re:Run as a separate user! by Roguelazer · · Score: 1

      Most users (myself included) wouldn't want to have to save everything to a world-readable directory and either move it from there (annoying) or leave it there (insecure). However, maybe if the browser ran as a different user and the download manager ran as the original user. Hmm. They'd have to be child processes of some controlling process under the original user. Could be fun. ;)

    3. Re:Run as a separate user! by Anonymous Coward · · Score: 0
      Ever heard of groups?
      man group
    4. Re:Run as a separate user! by Anonymous Coward · · Score: 0

      Windows has developed this sense of limited permissions. Although I must say it is not as nice as Unix.

      Limited Access Accounts cannot modify system files or the registry. If you must run a Windows machine, it is a good idea to run as a Limited Account rather than Administrator for this reason.

      Then only your personal settings/files will be destroyed, and no new programs will be installed without your knowledge.
      Therefore, your machine will only become compromised after someone logged in as Administrator executes malicious code.

    5. Re:Run as a separate user! by man_ls · · Score: 1
      RUNAS USAGE:

      RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
      /user:<UserName> program

      RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
      /smartcard [/user:<UserName>] program

      /noprofile specifies that the user's profile should not be loaded.
      This causes the application to load more quickly, but
      can cause some applications to malfunction.
      /profile specifies that the user's profile should be loaded.
      This is the default.
      /env to use current environment instead of user's.
      /netonly use if the credentials specified are for remote
      access only.
      /savecred to use credentials previously saved by the user.
      This option is not available on Windows XP Home Edition
      and will be ignored.
      /smartcard use if the credentials are to be supplied from a
      smartcard.
      /user <UserName> should be in form USER@DOMAIN or DOMAIN\USER
      program command line for EXE. See below for examples

      Examples:
      > runas /noprofile /user:mymachine\administrator cmd
      > runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
      > runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

      NOTE: Enter user's password only when prompted.
      NOTE: USER@DOMAIN is not compatible with /netonly.
      NOTE: /profile is not compatible with /netonly.
      You can make a shortcut to runas (iexplore) and run IE as a limited user if you were so inclined...It's basically the same as setuid.
    6. Re:Run as a separate user! by Anonymous Coward · · Score: 0

      Well, it's almost the same, except for the fact that the user needs the password to run the program, whereas a setuid program on Unix will always run as that user.

  50. Lets just expose the ports for teh user... by 3seas · · Score: 1

    someone needs to come up with a program that shows end users the communications going between their system and the internet..... and call it flypaper. and have ref list files like for virus programs and spyware programs....and call them "sticky stuff"
    Ie, Flypaper version 1.1 and stickystuff 3.7
    but the stickystuff ref files not only catch bad stuff but fucks around with it...
    so as to demotivate abusers of ports
    spiderweb would make for a good name of such but too many spider and web word uses already

  51. Re:Goes to show... by Roguelazer · · Score: 1

    All it does for me is pop up an internet explorer window. It's really weird, because the IE window is open to the "Log in to MSN" page, with the E-Mail address in the login form set to blank. Not the usual "", just blank.

  52. Even more reason.... by Demanche · · Score: 5, Insightful

    To try out open source browsers like Firefox and Mozilla....

    Maybe it's about time for some people to consider some alternate productivity suites - not just OpenOffice - even some suites like Corel have some intriguing software that lacks the user base of Microsoft.

    Rant>./rant

    On a sidenote.. Corel lost a big share of its market to MS Office around the same time Netscape was crushed by IE. I remember my highschool used Corel at the time. Netscape was very smart to start the Mozilla Foundation instead of trying to beat MS; they are letting their supporters promote for them, gaining them some brand awareness if nothing else. Perhaps it wouldn't be so strange if Corel was to support an open source initiative, or merge with OpenOffice. The next best thing since frozen coffee for the computer geeks would be Firefox and Corel. Corel could sure use some geek to geek praising around now ;)

    For those of you not very familiar with Corel, at one point they were doing fairly well, then they kinda fell thru - had to lay off a lot of people and are now trying to get back into the market.. but I personally think they face the same fate as Netscape.
    In the real world, if you lose a customer, it takes twice as long to get that customer to come back to your business, and that customer is a big factor keeping other possible business from you, as they will tell at least 10 people of their experience.
    Based on this, even old Corel users would be hesitant or unwilling to switch back to Corel - so Corel needs a new movement. Open source anyone ;)

    Dying Proprietary Software + Open Source = Improved Code + Brand Awareness + "PROFIT" (Donations, Memberships? Support? and Smart Usage Of Your Brand Recognition)

    With so many software companies expected to bust with news of the markets this week, I wouldn't be surprised to see a few new related open source projects pop up.

    Rant> logout

    --
    Mod me down im a newf (wiki)
    1. Re:Even more reason.... by mboos · · Score: 1

      Corel did have a Linux distro a while back as I recall. But that's long gone...

      --
      --Mike Boos
    2. Re:Even more reason.... by Demanche · · Score: 1

      Yea they have done a distro and a PC clone? with their Linux if I remember correctly. But their strong point is their productivity suite, and they are holding onto it like a captain on a sinking ship

      --
      Mod me down im a newf (wiki)
    3. Re:Even more reason.... by DMUTPeregrine · · Score: 1

      One word: Painter. There is no better digital art program to use in conjunction with Photoshop.

      --
      Not a sentence!
    4. Re:Even more reason.... by akorvemaker · · Score: 1
      Corel did have a Linux distro a while back as I recall. But that's long gone...

      They're also working on a new version, at least to see if it's a feasible option (i.e. if there's a market for it).

  53. Original... by MisanthropicProgram · · Score: 1

    Oh, man! I tried so hard! Look at my ID #. I'm not an old timer like you - four digit slashdot id?!? Did you stock when /. was sold to VA?

  54. Same here(Word 2003), and clicking yes ... by AzrealAO · · Score: 1

    causes nothing at all to happen.

    I tried shell:windows\explorer.exe and shell:explorer.exe

    Nothing happens.

    1. Re:Same here(Word 2003), and clicking yes ... by Shin+Chan · · Score: 0

      In MSN Messenger typing shell:\windows\system32\calc.exe prompted me to download my own calculator, with all the latest patches in place.

      --
      Proud owner of BOT2K3 [ bot2k3.net ]
    2. Re:Same here(Word 2003), and clicking yes ... by Shin+Chan · · Score: 0

      As I can seem to edit my post: http://www.bot2k3.com/shell.gif

      --
      Proud owner of BOT2K3 [ bot2k3.net ]
  55. Percentages Please by Anonymous Coward · · Score: 0

    What percentage of *nix users patch vs. MS users? And if *nix attains parity with an MS OS, what percentage of grandmas will patch? What you are calling "Microsoft users" could well be *nix users in a few years. You are confusing an OS with user education.

  56. Re:Goes to show... by Anonymous Coward · · Score: 5, Insightful

    Okay, I'll bite. Some of us have a standard of stability and completeness, totally independent of version numbers. Was Internet Explorer 1.0 a happy, complete, stable application? Is Firefox 0.9.1? I think you're fooling yourself if you think version numbers provide any sort of yardstick of the readiness-to-use of an application. I personally won't use ANY Microsoft product in a production (read: at work) environment until it has at least TWO service packs. Windows, Office, SQL, SMS, doesn't matter. Microsoft's standard is "it's 1.0 when we need to release it. it's sp2 when it's ready for prime time". Not all companies are the same way. Corel has yet to release a product ready for prime time, and WordPerfect's up to 12 or so. Cisco, when motivated, can get things done right in the first release. Open Source projects all have their own standards. Firefox 0.9.1 is much more mature and ready for prime-time than the latest PR or SP2. The Xine maintainers, who must all be insane, have a project that's been stable for years and it hasn't hit 1.0 yet. If Firefox suddenly released 2.0 would it suddenly be more mature? How about 3.0? What's the magic happy number? THERE IS NONE. You have to gauge each vendor, and each application, by a consistent set of rules and just forget what version number the marketing people decided it should have.

  57. E-Mail Viruses Made Simple by Roguelazer · · Score: 1

    This works in Outlook XP and OE 6. So who's up for a nice chain letter?

    1. Re:E-Mail Viruses Made Simple by jellomizer · · Score: 1

      Well that is the problem with Microsoft: back in the late 90s they spent a lot of effort in making all their products integrated in the OS and making every tool as functional as its own programming language. Now back then most people on Slashdot were saying how horrible this is, but it still happened, with the PHB choosing MS products because it has the most features over the competitor, because the competitors wouldn't dare to do something that stupid. Now after the Tech economy has been humbled, and a lot of people around the world hating anything American, combined with other disgruntled ex-employees and just the script kiddies who think they are 1337. So all this time and money Microsoft and other companies put into training these people how to use these tools. Now Microsoft is being forced to remove all their features to make their stuff secure. Now a lot of OS projects who have been doing things the secure way, because getting market share isn't as important, are getting some attention as a good alternative, because all the features where MS had the advantage are being removed, so all the products are getting more of a level playing field.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  58. Oh yea? by Anonymous Coward · · Score: 0

    Well according to ____ Journal that stupid fix broke XX applications because it wasn't regression tested. The patch developers are now scratching their heads trying to find what their nice patch broke.

  59. Re:Goes to show... by Anonymous Coward · · Score: 0

    There's a difference between programs and protocols. Applications should trust any protocol you hand to them that they support. They should not just launch applications. This is a basic security fuck-up, and it really isn't relevant if you understand how it works, as long as it's fixed. Soon.

  60. Huh? by Anonymous Coward · · Score: 0

    What gives? Open source is saving Microsoft!

    Mozilla guys patched their Windows versions to protect Windows users. Which M$ has not been able to do yet with its products.

    Do you expect Mozilla ppl to fix Word?

    Sorry if I'm being dumb here, but I couldn't figure your post out.

    1. Re:Huh? by POds · · Score: 1

      Yes, I have a waked sense of humor. It was meant to be funny, implying open source will defeat the Windows monopoly by infecting it with corrupted software. When I wrote it, I was thinking viruses, but Mozilla is not a virus. It's also by no means corrupted software either, but I was just trying to make a funny :/ I think one person got it :/

      It's never funny when you have to explain your jokes

      --


      Giving IE users a taste of their own medicine since 2005 - http://pods.-is-a-geek.net/
  61. Price is Right Rules by funkdid · · Score: 5, Funny
    How about we have a /. pool, with Price is Right Rules.


    Here's how it works:

    You predict the next security flaw, exploit etc etc etc and what product it will hit. Apache buffer overflow (smart money says don't pick that one), Word vulnerability etc. This could be cool.

    Dibs on Wednesday IE exploit.

    --

    I boycott signatures

    1. Re:Price is Right Rules by srenker · · Score: 1
      with Price is Right Rules

      "One dollar!"

      --
      My new /. login is fabu10u$.
    2. Re:Price is Right Rules by Anonymous Coward · · Score: 0

      1) Discover security flaw
      2) Bet on it being discovered before you reveal it
      3) Profit!

    3. Re:Price is Right Rules by Anonymous Coward · · Score: 0
  62. Re:Goes to show... by Coryoth · · Score: 3, Informative

    The Xine maintainers, who must all be insane,
    have a project that's been stable for years and it hasn't hit 1.0 yet.


    It's worth noting that, technically, Emacs hasn't gone 1.0 yet either. The version is really 0.21 - it's just that they've been in the minor version numbers for so long now nobody refers to it that way anymore. Is Emacs incomplete? Lacking functionality perhaps? Apparently yes.

    Jedidiah.

  63. MS's Broken Update Model by MooseByte · · Score: 1

    "Microsoft users have shown time and time again is even when the patch does come out, it's often not applied on many machines."

    A sobering testament to their broken model of supplying patches across the Win 95/98/2000/XP family of products, not to mention the fear of many users and institutions to install patches due to stability concerns.

    All of which falls squarely on the shoulders of MS. Build trust, provide security and stability. How would the public rate MS on those three counts?

    1. Re:MS's Broken Update Model by jesser · · Score: 1

      Fixes for Firefox security holes usually don't get into the hands of users until the next release :(

      --
      The shareholder is always right.
    2. Re:MS's Broken Update Model by cbiltcliffe · · Score: 1

      Don't you mean:

      Firefox fixes for Windows security holes don't get into the hands of users until they click the link for the .xpi update package on http://www.mozilla.org/security/shell.html.

      Besides...when the next release is out one day after the flaw is discovered (I know, the general situation was known a year or so ago, but it wasn't realized that it was a security problem that MS wasn't going to fix until the day before the patch came out...) what the heck difference does it make that you've got to wait for the next release?

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    3. Re:MS's Broken Update Model by jesser · · Score: 1

      I said "usually". We did great with the shell: hole, but we had to because we found out about the hole at about the same time the hole was posted publicly on Full Disclosure. Most security fixes for bugs found by Mozilla community members do not result in security-fix releases (e.g. 0.9.2); the fixes are just checked into CVS and included in the next release (e.g. 0.8, 0.9, 1.0).

      --
      The shareholder is always right.
  64. Re:Goes to show... by Flower · · Score: 5, Insightful
    You damn well bet it doesn't count here at work. My patching an application is entirely different than upgrading the OS with a beta service pack. I would have to go through all our departments, make sure I tweak the upgrade so it doesn't break any of the services that make us money and then go through the whole deal again once the official release is out.

    There is a big difference between the degree of risk I take with upgrading Firefox and the major overhaul that SP2 is going to turn out being. Sorry but this hypocrite isn't buying your assertion.

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
  65. Re:Mac's safer if no MS code on them by Anonymous Coward · · Score: 2, Funny

    >In my 20+ years of using a Mac and getting only one virus

    You also only have one mouse button, so I wouldn't be too proud.

  66. Re:Goes to show... by TrancePhreak · · Score: 1

    Firefox is mostly stable and highly prone to memory leaks. So no, it's not ready for prime time. How are people using Windows 98 and such supposed to use it? You people advocate it all over the place but forget that it still has flaws and that's why it's not at 1.0

    --

    -]Phreak Out[-
  67. Re:Goes to show... by molarmass192 · · Score: 1

    First, it's not a Mozilla exploit, it's a Windows exploit. Second, this "exploit", being a Windows exploit, never existed on Linux. So yeah it's a pretty specious claim, mainly because it never existed "in the open source world" so there was never a need to for it to be "patched in the open source world", only in a mixed open and proprietary world. Fuck, now I'm off on a tangent, back to the point, it was a Windows exploit, not a Mozilla exploit.

    --

    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
  68. Re:Goes to show... by BoldAndBusted · · Score: 3, Insightful

    Um, well, the difference here, my friend, is that one is an upgrade for an application (Mozilla Firefox), and the other is an upgrade for an entire operating system (Windows XP). One risks the ability to browse, the other risks the ability to boot.

    Prudent people might be willing to risk blowing up their pre-release browser for functionality and security, while not being willing to risk blowing up their entire OS with a pre-release patch just to get their browser updated...

  69. That was the Mac problem by spitzak · · Score: 1

    If I understood it right, what you are describing is the Mac bug in Safari.

    But on Windows I don't believe there is some way for the malicious site to "install" a program unless it actually runs some software. If they can get to that point they might as well do the malicious stuff right then rather than rely on this shell: step.

    So I agree with the initial poster that this does not sound as dangerous. In fact the Mac bug was pretty much ignored even though it could run arbitrary programs, but could not pass arguments to them. It required some searching to find programs that would do nasty things without arguments.

    The Mozilla page describes some of the nasty things that could be done with shell:, but they mostly amounted to crashing or rebooting your machine, I think.

    1. Re:That was the Mac problem by Platinum+Dragon · · Score: 1

      But on Windows I don't believe there is some way for the malicious site to "install" a program unless it actually runs some software.

      All it has to do is get the .exe on the hard drive, and I ran across some nasty, recalcitrant spyware that managed to slip on to some computers without user interaction while cleaning up machines at my old workplace. There are a couple dialer-type programs that seem to infect a computer in this fashion, usually found on the less reputable pr0n sites.

      --

      Someday, you're going to die. Get over it.
  70. Re:Mac's safer if no MS code on them by Anonymous Coward · · Score: 0

    I've always run Microsoft software. I've never had one of my systems or a system that I manage get infected by a virus. Never once. It's called Antivirus software. If you keep your definitions up to date and combine it with a solid, properly configured firewall and keep your systems patched then you're not going to have many problems. If Macs had 50% of the market share that Windows had you would have seen a lot more viruses for Macs over the years. If tomorrow Macs suddenly had the market share that Windows has, you can bet your ass you would have seen a fair number of viruses, worms, exploits, etc.

  71. integration kills by Doc+Ruby · · Score: 1

    These bugs are totally irresponsible. Microsoft is the worst offender, as their OS/app integration cuts both ways. But the only solution is IPC security with a simple UI for the masses. That needs OS hooks, and is one of the few truly essential features needed in a modern desktop OS. M$ is obviously going the other way, and Apple isn't feeling the heat enough to do it. But open, network-native Linux is the perfect candidate for this feature innovation, especially as it is going through revisions to basic relevant features such as its scheduler. Where's my process login kernel patch?

    --
    make install -not war

  72. Re:Goes to show... by Frizzle+Fry · · Score: 1, Insightful
    First, it's not a Mozilla exploit, it's a Windows exploit.

    No, it's a Mozilla exploit. Mozilla was passing unverified user input to the shell (to Windows) and effectively telling Windows "I want you to run this program". Windows would then run the program. The bug here is that Mozilla should not be giving untrusted input to the operating system. The bug is not the fact that it is possible to pass something to the OS in that way, it's that Mozilla was not validating what input it was passing. Not blindly trusting user input is one of the first principles of writing secure code, and Mozilla neglected that principle while IE didn't (but apparently MSN and Word did). It was probably a good idea to remove this from the OS (as was apparently done in xp sp2) since it was being abused, but it was not a "bug" in Windows. There was also a pretty short article in eweek about the topic which you might find interesting.
    --
    I'd rather be lucky than good.
  73. I can see the next /. story now... by twalls · · Score: 2, Funny

    "A new security report today reveals that all computers are vulnerable to the latest of a series of never-ending security exploits. This latest flaw, which manufacturers are unwilling to disclose the details of at this time, has been proven to exist on all platforms and affects all operating systems. Manufacturers are currently working together to find a solution. Until then, security experts are recommending that users unplug their machines from any cables that connect to the walls. Critics suggest that even this solution has flaws as some are using wireless technologies to circumvent the wires. Industry analysts suggest that the latest exploit is linked to other reports on 'user stupidity' and 'God's wrath on civilization as we know it.'"

    1. Re:I can see the next /. story now... by Anonymous Coward · · Score: 0

      A new security report today reveals that all computers are vulnerable to the latest of a series of never-ending security exploits.

      You dropped a word:
      A new security report today reveals that all Windows computers are vulnerable to the latest of a series of never-ending security exploits.

  74. MOD PARENT UP! by Anonymous Coward · · Score: 0

    Exactly. Applications have to trust the OS they run on you know. If they don't, the application itself might as well be a whole OS.. jesus christ.

    1. Re:MOD PARENT UP! by Anonymous Coward · · Score: 0

      Are you implying Emacs?

  75. No, it's just stupid by gr8_phk · · Score: 1
    "but it is a rather useful feature to have if somebody wants to tell everybody on a company network how to run a program that was just installed."

    Ya, tell them to start the new program by opening a URL in IE then click on the "start new program" link. Ya, it's great for explaining that. There is NO need for any program to run another program based on the content of data (web pages).

  76. Re:Goes to show... by Anonymous Coward · · Score: 1, Informative

    For your information, SP2 beta can only be installed on the ENGLISH (or German) version of Windows XP (pro). I am running the Finnish-language Home edition and haven't been able to test SP2 because of that.

  77. Issues with 98 by Anonymous Coward · · Score: 0

    The problem is that 98 doesn't properly deal with the kind of RAM a lot of us need. Even a gig will toast an old 98 installation, but if you use the patch to allow that much RAM the caching schemes and everything don't work well at all.

  78. Re:Goes to show... by Frizzle+Fry · · Score: 1

    That's fair, although it's not true that it's only available for English. The webpage says "It is currently available in English and German. Note that this version requires an existing installation of Windows XP. For information regarding the Japanese version of SP2, please go to the Japan TechNet site.". I followed the link to the Japanese site, but don't know what's going on there because, surprisingly, it's in Japanese. But it sounds like it probably has sp2 for download, so that's three languages, although you're right that Finnish isn't one of them.

    --
    I'd rather be lucky than good.
  79. Re:Goes to show... by FuzzyBad-Mofo · · Score: 1

    Highly prone to memory leaks? I can run Firefox all day long on my Win2k or Fedora 2 boxes at home, or my XP box at work, with nary a problem. If you're going to make assertions like that, you'd best be prepared to back it up with a link, at least.

  80. Re:Goes to show... by Anonymous Coward · · Score: 0

    From his post:

    Goes to show what gets patched in the open source world gets exploited further in the proprietary world.

    From your post:

    Which would make your claim that these sorts of things are only fixed "in the open source world" seem pretty specious.

    How about reading what he says before trying to reply? At no point did anybody claim that open-source is the only way of fixing this issue.

  81. I'm a little late to this party but... by coyote4til7 · · Score: 1

    Does anybody else see the possibility of a 2-bug attack:
    * first bug rewrites a program's config file to cause malicious initial actions
    * shell uri bug causes said program to run
    Or:
    * first bug writes .exe
    * shell uri bug causes said program to run
    Or:
    weeeeeeee!

    Steps
    1) Write bugs
    2) Negotiate with Pr0n fnords
    3) Deploy bugs
    4) Pr0f1t!

    Me glad me not part of collective at moments like these...

    --

    the clock on the wall says 4 til 7
  82. A NEW BUG!!! by Pieroxy · · Score: 1

    Guess what: I discovered a new exploit in Windows. Just double click on a program and it will be executed without any warning!!! This is truly appalling and I am considering alternate OSes right now. I hope they don't have this 'security breach'.

    No, I mean, if Mozilla asks Windows to execute a file, why is Windows responsible exactly? Responsible for executing it?

    1. Re:A NEW BUG!!! by fireman+sam · · Score: 2, Informative

      No, mozilla / IE / MSN / Word are NOT asking Windows to "execute this program", they are asking Windows to "handle this URI I don't know what to do with"

      --
      it is only after a long journey that you know the strength of the horse.
    2. Re:A NEW BUG!!! by Anonymous Coward · · Score: 0

      Funny how Mozilla's at fault for passing the URI to Windows, since Windows is clearly blindly executing whatever is passed, so therefore it's Mozilla's fault. Funny that when that same thing is done under a real OS it doesn't get blindly executed.

      Yes, I agree, clearly, Mozilla is at fault for not following the Lowest Common Denominator. If we dumb the entire world down to the point that mentally impaired people are never made to feel like they're stupid, that's truly a grand world indeed. Given this, I'm sure people with higher IQs won't mind being treated like 5 year olds!

    3. Re:A NEW BUG!!! by Anonymous Coward · · Score: 0

      News flash: posting it twice doesn't make it any less asinine.

      Get over yourself.

  83. Re:Goes to show... by Tony-A · · Score: 2, Insightful

    But at least don't be a hypocrite like half the people here and say that sp2 "doesn't count" until it reaches final release form, while firefox "counts" even though it's also in pre-release form

    Well, when Microsoft can do the equivalent of:
    Run old version.
    Install new version.
    Run new version.
    Decide you don't like it and reinstall old version.

    It's not a level playing field. Half-baked open source "counts" whereas Microsoft's "almost" doesn't. Works like the beta of alpha-beta statistical errors.

  84. Re:Goes to show... by vk2 · · Score: 0

    Is this like dubby blaming the CIA for bad intelligence? So what if the CIA gave bad intelligence, don't you have the brains to at least heed what the whole world is complaining about? It's the same thing over here - if mozilla says blue screen yourself, the MS OS shouldn't do so just because an application is asking it.

    --
    No Sig for you.!
  85. Re:LINUX HYPOCRITES by Anonymous Coward · · Score: 0

    If the Mozilla problem wasn't really a problem, then it can not be called a problem for these MS products for exactly the same reason.

    The Mozilla problem was a problem.. and it was caused in large part by Microsoft's catch-all handlers. And all the people who were saying that it was all Mozilla's fault because IE had been modified to prevent it are being shown how wrong they are now.

    problem with anything Linux, blame MS.

    Linux was never affected by any of this, it only happens on Windows. Why are you talking about Linux?

  86. am I just reading this wrong? by Anonymous Coward · · Score: 0

    yeah, you're using understanding, instead of panicking.

  87. Another Word vulnerability? by BCW2 · · Score: 0, Redundant

    Word has been vulnerable to some form of attack since it was created. Why is anyone surprised?

    --
    Professional Politicians are not the solution, they ARE the problem.
    1. Re:Another Word vulnerability? by BCW2 · · Score: 1

      The post above was Redundant?

      Any story about any security flaw in any M$ software is Redundant.

      --
      Professional Politicians are not the solution, they ARE the problem.
  88. 'Run' has this flaw too! by Finuvir · · Score: 2, Funny

    If you open the run dialog and type shell:windows\notepad.exe it opens it. That means Run has this flaw too!

    --
    Why is anything anything?
  89. Re:LINUX HYPOCRITES by Anonymous Coward · · Score: 0

    There you go in denial again you linux loving bastard.

    Yes, the Mozilla problem was a problem, because it was sending commands to Windows that are potentially high risk.

    Did windows ask Mozilla to send these commands? NO.

    So the Mozilla problem was not the fault of windows.... but do go on. keep blaming others for your own mistakes.

  90. Re:Goes to show... by Anonymous Coward · · Score: 5, Funny

    emacs will hit version 1.0 when it can shake the programmer's hand, look him in the eye and say "I'm ready."

  91. Shell - it's USEFUL in Word by Tsu+Dho+Nimh · · Score: 2, Interesting

    Considering that Word's macros might need to launch another app, by means of the Shell command, it's a feature, not a bug. I've used it frequently in macros. It became a vulnerability when Word was made "Internet aware" and started logging onto the net at every opportunity.

    1. Re:Shell - it's USEFUL in Word by Tsu+Dho+Nimh · · Score: 1

      Replying to my own post: ANY of the MS Office programs could have this vulnerability ... Even PowerPoint.

    2. Re:Shell - it's USEFUL in Word by Anonymous Coward · · Score: 0

      and isn't this just the fsckin' problem? Microsoft moved all of their "features" to the Web without any thought to how they could be abused!

      Morons!

    3. Re:Shell - it's USEFUL in Word by pe1chl · · Score: 1

      It may be a feature, but it is not a well thought-out feature.
      You may have had some application for it, probably to work around some limitation elsewhere in the program, but in general it is not a good idea to have all these macro capabilities in a word processor program, as it will mean that documents you receive from outside can no longer be considered safe until they are fully audited.

  92. No! No! No! by Anonymous Coward · · Score: 1, Funny

    Thursday is Microsoft vulnerability day!

  93. Re:Goes to show... by AstroDrabb · · Score: 1
    Does this really work on xp sp2?
    Well I have SP2 on a box near me so I gave it a shot. Using Firefox 0.9.2 and entering "shell:windows\explorer.exe" into the URL bar did nothing. Opening up IE and doing the same caused explorer.exe to open. It doesn't look good. Maybe they will fix it in the final version of SP2? Though I personally don't care since most of my time is in Linux. Let the layman suffer : )
    --
    If Tyranny and Oppression come to this land,
    it will be in the guise of fighting a foreign enemy. -James Madison
  94. Re:Goes to show... by Frizzle+Fry · · Score: 0
    Its the same thing over here - if mozilla says blue screen yourself MS OS shouldn't do so just because an application is asking it.

    But that's not what Mozilla is saying. Mozilla is saying "I want to invoke the following application". When one program tells the operating system that it wants to start another program, the operating system isn't really expected to say "Wait. Are you sure? Are you asking me to invoke this application because of untrusted user input? Maybe I shouldn't start the process you asked me to, just in case you're wrong and don't really want me to start it."
    --
    I'd rather be lucky than good.
  95. Re:You fucking faggot. by a+whoabot · · Score: 0, Offtopic

    Go buy a Rage Against the Machine shirt with a Che Guevara relief from the mall. Che would be proud, I'm sure.

  96. Re:Goes to show... by cbiltcliffe · · Score: 1
    Firefox is mostly stable and highly prone to memory leaks.

    Let's see...I'm running Firefox 0.8 on my Debian testing/unstable box, and I can keep it running for a week or two at a time, at least. Usually the only reason it gets shut down is because I've upgraded gtklib, or something to do with X, or whatever, and have to restart X to load the new library files. (Debian testing updates several packages every day...)
    I've never seen Firefox start using massive amounts of memory which would indicate a memory leak. This is also on a 466MHz Celeron with 256MB RAM. Not exactly a power box.
    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  97. Re:Goes to show... by GarfBond · · Score: 1
    I'm not so sure that sp2 is actually going to fix it. Running XPSP2 RC2 here, and 3 out of 4 demonstrations on 0.9.1 unpatched (found here) actually work (didn't run the 4th, not going to crash my system just yet).

    It was my understanding that SP2 fixed this so that it didn't work on Firefox before the patch. Unless I heard wrong, this is not the case with RC2. Final bits are in August obviously.

  98. Re:Goes to show... by brunes69 · · Score: 1

    There happens to be a plenitude of client applications on a standard XP box with buffer overflow possibilities. Once you're there, go anywhere you want with the privileges of the user on the XP box (which is usually admin, and if not, you can usually get admin without a lot of effort).

    This is even further mitigated in MSN, since an MSN message can only contain around 1600 characters... when you take into account the URL encoding required to send any useful bytes into the overflow, you've only got around 500 bytes to work with for your exploit to run.

  99. Hmm, ShellExecute() the problem? by mattgreen · · Score: 4, Interesting

    I suspect a great many apps have (until recently) just blithely passed commands that have user input into ShellExecute(). Obviously, you can't do that: a fairly clever user can figure out how to get someone else to run a command on their system without their explicit consent. Note that MSDN doesn't mention anything about the possible security implications of it, which is why MS is being blindsided by it. Now, a ton of apps use ShellExecute(); it is the recommended way to launch the correct web browser on a user's system. What I did in my app was, before calling ShellExecute(), extract the protocol and compare it against a whitelist of allowed protocols. In my case, I only allowed http, https, mailto, and ftp. If it wasn't one of those four, I just didn't do anything.

    1. Re:Hmm, ShellExecute() the problem? by rjstanford · · Score: 1

      The vast majority of programs fail to properly guard against user input. It's no different than the number of non-bind-var database applications that don't properly escape characters every time, allowing you to enter in a username like x'; delete * from users; and have it actually go through. This kind of hole is a lot more prevalent than most people would like to admit - both at a filesystem and at a database level. One of those things that people tend to ignore when they wonder why it takes large companies so long (and costs so much money) to do development is the testing and prevention of security holes like this. And they still appear anyway - but a whole lot less than they might.

      --
      You're special forces then? That's great! I just love your olympics!
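    The scheme whitelist mattgreen describes in comment 99 (and the input-validation point Frizzle Fry makes in comment 72) as an added, runnable example. This is not code from any poster in this thread or from Mozilla; the function names, the `ALLOWED_SCHEMES` list and the sample inputs are my own choices, and the `ShellExecuteA()` call is only compiled on Windows so the gate can be exercised anywhere. The scheme is parsed per RFC 3986 (a letter, then letters, digits, `+`, `-`, `.`, up to the first `:`), lower-cased and compared against the list; anything without a well-formed scheme, such as a leading space, a bare path or a string with no colon, is refused, so the default is deny rather than "hand it to the OS and see".

```c
/*
 * Added example, not from the thread: gate URIs on a scheme whitelist
 * before handing them to ShellExecute(), the approach described above.
 * Names (uri_extract_scheme, uri_scheme_allowed, open_external_uri,
 * ALLOWED_SCHEMES) are hypothetical and chosen for this example.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Schemes this (hypothetical) application is willing to hand to the OS. */
static const char *const ALLOWED_SCHEMES[] = { "http", "https", "mailto", "ftp" };

/*
 * Copy the URI scheme (RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ))
 * into `out`, lower-cased. Returns 1 on success, 0 if the string has no
 * well-formed scheme. Leading whitespace, control or non-ASCII bytes, an
 * empty string, a non-alphabetic first byte or a missing ':' all count as
 * "no scheme" and therefore reject.
 */
int uri_extract_scheme(const char *uri, char *out, size_t outlen)
{
    size_t i = 0;
    if (uri == NULL || out == NULL || outlen == 0) return 0;
    if (!isalpha((unsigned char)uri[0])) return 0;
    for (; uri[i] != '\0' && uri[i] != ':'; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.')) return 0;
        if (i + 1 >= outlen) return 0;          /* scheme too long for buffer */
        out[i] = (char)tolower(c);
    }
    if (uri[i] != ':') return 0;                /* no ':' terminator: no scheme */
    out[i] = '\0';
    return 1;
}

/* Returns 1 if the URI's scheme is on the whitelist, 0 otherwise (default deny). */
int uri_scheme_allowed(const char *uri)
{
    char scheme[32];
    size_t k;
    if (!uri_extract_scheme(uri, scheme, sizeof scheme)) return 0;
    for (k = 0; k < sizeof ALLOWED_SCHEMES / sizeof ALLOWED_SCHEMES[0]; k++)
        if (strcmp(scheme, ALLOWED_SCHEMES[k]) == 0) return 1;
    return 0;
}

/*
 * The OS hand-off, gated by the whitelist. On Windows this is where
 * ShellExecute() is called; elsewhere the call is stubbed with a print so
 * the example builds on any platform. Returns 1 if the URI was passed on,
 * 0 if it was dropped.
 */
int open_external_uri(const char *uri)
{
    if (!uri_scheme_allowed(uri)) {
        fprintf(stderr, "blocked URI with disallowed scheme: %s\n", uri);
        return 0;
    }
#ifdef _WIN32
    ShellExecuteA(NULL, "open", uri, NULL, NULL, SW_SHOWNORMAL);
#else
    printf("would hand to OS: %s\n", uri);
#endif
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: two that pass, four that must be refused. */
    const char *samples[] = {
        "http://example.com/",
        "HTTPS://example.com/",          /* scheme comparison is case-insensitive */
        "shell:windows\\notepad.exe",    /* the scheme this thread is about */
        "file:///C:/Windows/notepad.exe",
        " http://example.com/",          /* leading whitespace: no scheme */
        "example.com/no-scheme",
    };
    size_t n;
    for (n = 0; n < sizeof samples / sizeof samples[0]; n++)
        open_external_uri(samples[n]);
    return 0;
}
```

    The point of parsing the scheme yourself rather than prefix-matching the string is that a comparison such as `strncmp(uri, "http", 4)` would accept `httpshell:` or anything else that merely begins with an allowed scheme, whereas here the whole scheme token up to the colon must match an entry exactly.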
  100. Re:Goes to show... by Frizzle+Fry · · Score: 1
    Opening up IE and doing the same caused explorer.exe to open. It doesn't look good. Maybe they will fix it in the final version of SP2?

    The IE situation was discussed before. Even though it works if you actually type it in the address bar, it won't work if you try to access the same uri via clicking a link, or script in a webpage, or whatever. Similarly, if you type a file:// path to a local exe into the address bar, it will run, but that doesn't work via a link.
    --
    I'd rather be lucky than good.
  101. It is a little premature by MagicBox · · Score: 3, Insightful

    to *bash* Microsoft yet again. The article clearly stated that

    Microsoft's MSN Messenger and Word word processing application both support a feature that could give remote users access to functions that could be used to launch applications on Windows computers, .....


    Unless the SECUNIA people are stupid, launching an app from within another app is what every Microsoft Application is able to do and has been able to do for many years. However I do not think that such a feature exists for Microsoft products only. What I am having a hard time distinguishing is between Secunia trying to stay in the news and a real vulnerability here. I am not saying it might not exist, but as of this moment I do not see anyone able to run a Shell() command within your app, unless they have gotten to your app, which means they have gotten to your computer already. Also this has existed for a long time. Why now? I might be completely wrong however, and someone at Secunia knows something they are not sharing. I advise them to share any info as soon as possible. The reason I am a little pissed is because in my company I have thousands of Word and Excel documents with thousands of lines of VBA code. With news like this, I smell a panic meeting early in the morning tomorrow which might be nothing more than FUD from Secunia. Honestly I am at a point where I am having a hard time trusting anyone anymore. Hackers want to be my security gurus, OS makers rant and rave about their respective OSes and how secure and reliable they are (only to issue security patches soon after), whole campaigns asking people to boycott a product because of vulnerabilities and use X product, only to find out that X is vulnerable as well. If you look at the stack of firewalls and security appliances at my company, it looks like we're building the walls of damn Troy. I joke with the security guys about the kind of attack they are preparing against. There is hope of course.....but how long before it's too late?

    --

    The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!
  102. Emacs on version 21.3 by DanTilkin · · Score: 1

    According to http://www.gnu.org/software/emacs/emacs.html#Stable , emacs is on version 21.3. I don't see any reference to 0.21 on the web page or in the ftp file names. And C-h v emacs-version reports version 21.3.1.

    Incidentally, does anyone know how high-quality version 1.0 of emacs was?

    1. Re:Emacs on version 21.3 by kikta · · Score: 2, Funny

      That's because it's actually version 0.21.3.1, but the damn thing's been sub-1.0 so long they finally dropped the leading zero.

      Seriously, though - WTF do they want for feature completeness? Emacs is a kernel & a decent text editor away from being an operating system in its own right. ;-)

    2. Re:Emacs on version 21.3 by SEE · · Score: 1

      Actually, it's got a perfectly decent text editor -- Viper.

      As you mentioned, however, they're still waiting for the Emacs kernel to be finished; it's right on the list after HURD is done. (And no, Satan is not stocking up on electric blankets, so it'll be a while.)

    3. Re:Emacs on version 21.3 by jrumney · · Score: 3, Informative
      The trolls are wrong. If Emacs had stuck to its original numbering scheme, it would be on 1.21, not 0.21. From ONEWS.1:
      Changes in Emacs 13

      * There is a new version numbering scheme.

      What used to be the first version number, which was 1, has been discarded since it does not seem that I need three levels of version number.

      However, a new third version number has been added to represent changes by user sites. This number will always be zero in Emacs when I distribute it; it will be incremented each time Emacs is built at another site.

  103. shell:fdisk by HermanAB · · Score: 2, Funny

    shell:format

    shell:win

    shell:deltree%20y%20\

    shell:deltree/20y/20\

    shell:"deltree y \"

    Damn - I'll have to install windoze just to give it a try!

    --
    Oh well, what the hell...
    1. Re:shell:fdisk by mfisher · · Score: 1

      oh- but seriously do it - you will never go back!

    2. Re:shell:fdisk by HermanAB · · Score: 1
      Here it is:
      shell:windows\cleanmgr.exe

      That gives a blue screen on WindowsME.

      It should be really easy to find a similar crappy program in WindowsXP. Just go clicketyclick through the Windows directory till your PC crashes, then you know - blech, POS...

      --
      Oh well, what the hell...
    3. Re:shell:fdisk by mfisher · · Score: 1

      Ahhh - that reminds me of the good ol' con/con days!

  104. I thought they were talking about something else! by agraupe · · Score: 1

    At school, I used the "web" toolbar to launch the command prompt (verboten). Security holes are just flying out of MS products, eh?

  105. Re:Goes to show... by Feyr · · Score: 1

    firefox on my system routinely uses 50% of my total ram (out of 320). that's with only 1 window open and 5-10 tabs. i'd consider that "excessive memory use"

    it also does the same when im at work

    though linux (the whole deal, whichever distro you use, not just the kernel) in general tends to consume insane amounts of ram, firefox/mozilla is the worst so far

  106. I know you're a troll, but... by qtp · · Score: 3, Insightful

    I'm going to agree with you.

    This is not a flaw in Mozilla, nor is it a flaw in IE, Outlook, Word, or any other part of Microsoft Office.

    This flaw is a flaw in Windows, and is typical of flaws in Windows in that the OS is expecting its applications to handle security, will run any piece of crap handed to it by any app, and we can expect to see more flaws that are similar in nature due to the heavily integrated design of the Windows operating system.

    --
    Read, L
    1. Re:I know you're a troll, but... by nihaopaul · · Score: 1

      i love my windows system, when i use windows+e to open up explorer windows which i then use as internet explorer when i get to a few windows later instead of ctrl+n to pop a new ie open i still use windows+e and then explorer crashes! that's not the coolest thing yet! as explorer consumes 99% cpu resources i have to force it to quit, then the desktop just, well you know does its usual disappearing act, then even better to get it back i execute the command in windows task manager > file > run > desktop and enter, which then returns me a button with gibberish which says something about failing to load..blah blah. more ms crap, then my system gets a kick and the desktop returns! sweet isn't it! you can keep your puter kicking over for a long time like that, only if it runs windows! that's why i have no problem with piracy.

      if i had bought the product i'd be bitching

    2. Re:I know you're a troll, but... by Anonymous Coward · · Score: 0

      ya ya ya dumbass.

      funny how it's only the linux fanboys here on slashdot that ever actually experience any of those peculiar problems.

      Meanwhile I run complex customized scientific applications, host an internet map serving website, play the latest games, and have Prime95 investigating prime numbers taking all available CPU cycles 24/7 ... ... and have had a smooth running bug free windows computer without doing a re-install for 2.5 years.

      Must only happen to those of you that do nothing but write emails, surf, and keep a diary using Office, ... or the linux fanboys that just can't handle learning how to operate windows properly. For the rest of us it all works great.

      make any excuse you want, it's still piracy, it's still you taking and using something without paying the wages of the people that made it. (you know ... wages ... that money that buys food and rent like your parents do for you)

    3. Re:I know you're a troll, but... by Anonymous Coward · · Score: 0

      Ok, so it's a flaw that when windows gets asked to do something, it actually tries to do it. hmmm ya that makes sense.

      I guess in your version of Windows, anytime you tried to do anything at all nothing would happen because action by windows must be a flaw!

      dumbass.

      Mozilla received the dangerous command. Mozilla blindly passed it along. It was a flaw in Mozilla. But the world blamed windows.

      When a flaw with the same results was found in IE, you all blamed IE instead of windows.

      And like that bastard president Bush, you think you can sit there yelling the most ridiculous lies and seriously think that no one can see through it.

      wake up!

  107. Mozilla is Slow to Respond! by Nintendork · · Score: 2, Interesting
    The bug I submitted was marked as "Major" due to the security implications. I submitted it in early Nov. of last year. After 24 days of finger pointing and name calling towards Redmond, someone finally admitted it's a bug. The problem still isn't fixed. It gets the occasional comment and that's about it.

    I'm sorry, but if it takes 24 days to get past the name calling when confronted with a security flaw deemed major, OSS doesn't stand a chance.

    -Lucas

    1. Re:Mozilla is Slow to Respond! by walt-sjc · · Score: 5, Insightful

      That's because it's NOT a bug in mozilla, it's a massive security hole in Windows. Mozilla finally decided to patch it for mozilla because MS was too damned lazy to fix it. As we now see, this massive windows hole affects other products too. Of course, NO other platform has this particular security hole (surprise surprise...)

      If your flash plugin had a security hole, would you expect Mozilla, Opera, IE, etc to filter certain access so that security hole couldn't be exploited?

      No, MS is responsible for the security of their own products.

    2. Re:Mozilla is Slow to Respond! by whereiswaldo · · Score: 3, Interesting

      The bug I submitted was marked as "Major" due to the security implications. I submitted it in early Nov. of last year. After 24 days of finger pointing and name calling towards Redmond, someone finally admitted it's a bug. The problem still isn't fixed. It gets the occasional comment and that's about it.

      Finger pointing? Name calling towards Redmond? You are _severely_ misrepresenting this bug.
      (to those curious: please read the bug info for yourself!)

      I'm sorry, but if it takes 24 days to get past the name calling when confronted with a security flaw deemed major, OSS doesn't stand a chance.

      I'd maybe lend more credibility to your statement if you weren't the bug submitter (and thus very biased). It might be major to you, but few people will be affected by this problem because a) not many people use compressed drives and b) not everyone runs windows. Don't expect people to run over and pat you on the back for finding a bug. If you think getting bugs fixed in a proprietary software company is always straightforward, then I wonder if you have experience working for a proprietary software company.
      OTOH if it is very important to you or your company that this bug is fixed, why not pay someone to fix it?

    3. Re:Mozilla is Slow to Respond! by sw155kn1f3 · · Score: 2, Insightful

      Hey!
      Do you know the first rule of secure programming?
      DO NOT trust input data.
      If a browser gets data and blindly passes it to the OS, well.. that's a bad browser. I don't see MS fault at all.

      --
      - Arwen, I'm your father, Agent Smith.
      - Well, you're just Smith, but my father is Aerosmith!
    4. Re:Mozilla is Slow to Respond! by Tony-A · · Score: 2

      I'm sorry, but if it takes 24 days to get past the name calling when confronted with a security flaw deemed major, OSS doesn't stand a chance.

      There will be differences of opinion. It can be even worse to rush into fixing the wrong problems prematurely than just ignoring them if they don't seem to be doing any harm.

      That said, it seems that this, and its exploit potential, has been "known" for quite some time, with a fair chance that some black hats are a bit annoyed that some of their repertoire has been exposed. Apparently Microsoft was also displeased.
      "We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities with no exposure to malicious attackers while the update is being developed" [Emphasis added]

      No exposure?

    5. Re:Mozilla is Slow to Respond! by Anonymous Coward · · Score: 0

      shows how little you know then

    6. Re:Mozilla is Slow to Respond! by csk_1975 · · Score: 2, Insightful

      I'm sorry, but if it takes 24 days to get past the name calling when confronted with a security flaw deemed major, OSS doesn't stand a chance.

      I don't understand what the problem is here. The OS in OSS means "Open Source". You have the source so (if you have the ability) you can fix the bug - and if you are civic minded enough you can submit your patch and give something back to the project. This is why OSS does stand a chance.

      "Use the SOURCE Luke"

    7. Re:Mozilla is Slow to Respond! by Gordonjcp · · Score: 4, Insightful

      It's nothing to do with the browser. Read the bug report. Find and read the relevant MSDN article, if you like. It is not even a bug in Windows. Windows does not pass the security information between partitions.

    8. Re:Mozilla is Slow to Respond! by Anonymous Coward · · Score: 0

      hm.. really.. I was under an impression grandparent talks about shell: bug...
      had to click on that link, sorry :)

    9. Re:Mozilla is Slow to Respond! by Anonymous Coward · · Score: 0

      No, it's not a bad browser. According to your "first rule of secure programming" it's a bad OS, since the OS trusts input data coming from the browser. Then again, maybe your comment was meant to be ironic.

    10. Re:Mozilla is Slow to Respond! by shaitand · · Score: 3, Insightful

      The browser checks to see if it knows what to do with it, generally if it does, it blindly passes it to another application (plugin or whathaveyou), if not it blindly passes it to the OS which may or may not have a handler for that type.

      First there shouldn't even be a shell uri in the OS! Second, there is a vulnerability IN THE SHELL URI which escalates the priv level to that of the user.

      If Mozilla passed the data along and said, here ya go it's good stuff, completely trusted. That would be one thing, but mozilla passes it along and says I have no clue what this is or where it's coming from and have no reason to believe it safe in any fashion. You have any ideas?

      If it's the RIGHT data, then windows tells itself it was the current user and not some untrusted guy off the web who gave it that data. The bug is in windows!

      Hell the entire scheme or uri handling in windows is fscked up. There shouldn't be any uris which cause local execution!

    11. Re:Mozilla is Slow to Respond! by karstux · · Score: 1

      I'm not familiar with the mozilla development process, but surely submitting a patch isn't a guarantee that it will end up in the Mozilla "distro". Someone will have to audit the submission, and accept or reject it based on certain policies.

      So while "Open Source" means that everyone can fix the bug in their personal version of a software, it doesn't mean that just anyone can fix a bug in general.

      To illustrate my point, look at how MNG support was removed from Mozilla, despite many people arguing against it.

      --
      Don't whistle while you're pissing.
    12. Re:Mozilla is Slow to Respond! by Krach42 · · Score: 2, Informative

      Yeah, "NO other platform has this particular security hole"... um... yeah... except that the underlying cause of the hole is the same problem that exists with the OSX URI handling code, and thus, every single MacOS browser was exploitable by this type of "feature" until Apple fixed the real problem.

      --

      I am unamerican, and proud of it!
    13. Re:Mozilla is Slow to Respond! by FictionPimp · · Score: 1

      You could always release the patch as an extension or a 3rd party build while you wait.

    14. Re:Mozilla is Slow to Respond! by Nintendork · · Score: 1
      If you read the page, you'd see that this has to do with the ACLs on the downloaded file, not compression. And the fact that "Not everybody runs Windows" isn't a good excuse. If you read the page, you'd also see in the first comment that someone else bumped up the severity rating to Major. To me, it was just an annoyance because I had to manually reset the permissions wherever I downloaded files to. I do agree with that person though that it's important from a security perspective. When the hell did I ask for a pat on the back? I saw a series of posts claiming that Mozilla fixes stuff fast, but my own experience is the complete opposite.

      -Lucas

    15. Re:Mozilla is Slow to Respond! by jonadab · · Score: 1

      > I'd maybe lend more credibility to your statement if you weren't the bug
      > submitter (and thus very biased). It might be major to you, but few people
      > will be affected by this problem because a) not many people use compressed
      > drives and b) not everyone runs windows.

      You're arguing the wrong thing, or your argument is unclear. First, if you
      look closely, it's not the submitter who marked the bug as major initially,
      so he's echoing someone else on that point. (The someone else is not a name
      I recognize as being very active in the Mozilla community, but that is
      neither here nor there; my point is, accusing the submitter of being the
      only one who thinks the bug is major is unfair.)

      Second, you reason from "not everyone" to "few". Non sequitur. If (as is
      probably the case) it is true that few will feel the direct impact of this
      bug, it is not because few use Windows; Windows is one of the three major
      platforms and has lots of users running Mozilla.org browsers. The fact that
      the bug is platform-specific is significant for a different reason.

      Probably the real reason it has not been fixed yet is because it involves
      the behavior of Windows API functions with respect to NTFS properties.
      (There is a secondary reason, which I'll get to presently.) Not only is the
      issue highly platform-specific, but it involves *arcane* features of the
      platform in question. Many developers, including many developers who use
      Windows, do not have experience dealing with that sort of thing. Someone
      will probably have to do research. In fact, if you look at the bug, you'll
      see that people have been doing research. You see the results of this in
      comments 4 and 7. Research takes time.

      It is also worth noting that it is marked as "major" because it potentially
      has security implications. This does not mean that it is major as bugs with
      security implications go. Quite the contrary; as security issues go it is
      rather minor. (More on that in a moment.) The fact that the assignee (and
      the qa, Hixie) has left it marked "Major" indicates to me that Mozilla.org
      takes all security issues seriously.

      Having said that it is minor as security issues go, I need to present the
      reasoning behind that statement. Foremost, this only impacts the filesystem
      permissions given to a downloaded file. Filesystem permissions are of vital
      importance on a server, but on a Windows desktop they usually don't matter
      at all. Windows desktops almost always have only one real user (and, frankly,
      doing otherwise is an enormous security issue, much larger than this little
      thing we're talking about, due to the presence of certain API design flaws
      that make it possible for any user, even a guest user, to get arbitrary
      privileges by passing strategic messages to privileged processes).

      Also, we're talking here about a file that has been downloaded using a web
      browser. There are situations where its permissions would matter (so yes,
      it needs to be fixed), but those situations are not the dominant case, not
      by quite a long shot.

      Third, the bug in question results in the file downloaded not having the
      same permissions as the folder where it is located, but if the folder in
      question has strict permissions at all, then it would be quite difficult
      for anyone without the necessary permissions to get to the file, since that
      would involve navigating through a directory whose contents can't be listed.
      It might actually be easier to exploit the API and get localsystem privs.
      (Yes, there is an edge case where the directory's privileges merely prevent
      modifications, and the bug has a greater potential impact there.)

      Finally, and perhaps most significantly, the permissions that the file gets
      are the same permissions it would get if the user downloaded it to the temp
      directory and then moved it to its final destination (which is exactly what
      is happening, in fact) using, say

      --
      Cut that out, or I will ship you to Norilsk in a box.
    16. Re:Mozilla is Slow to Respond! by Nintendork · · Score: 1
      That would be fine and great if I were a programmer. Like the majority of the population however, I am not.

      -Lucas

    17. Re:Mozilla is Slow to Respond! by csk_1975 · · Score: 1

      So let me get this straight. You didn't pay for the product, you find a problem with the product, if you had the ability you could fix the problem yourself, but you don't and you can't fix it so you tell the people who gave it to you that there is a problem and ask them to fix it and to give you the fix. When they don't fix it as quickly as you'd like you rant in a widely read public forum that because of this "OSS doesn't stand a chance".

      Even taking into account that there seems to be some e-penis competition about whether proprietary or OSS is more secure and who releases patches faster. BUT. Does the above strike you as being reasonable?

  108. no command prompt? use batch files! by Tiuq · · Score: 3, Funny

    At school the command prompt is disabled, and you can't right click and make a new batch file, and you can't rename the extensions so in order to run some commands all you have to do is write them in notepad, and then tell it save as "all files" and then give it the .bat extension. We sure did have a lot of fun with the netsends :P until someone put it in a loop and the teacher found out.

    1. Re:no command prompt? use batch files! by Tzarius · · Score: 2, Interesting

      At school the command prompt is disabled, and you can't right click and make a new batch file, and you can't rename the extensions so in order to run some commands all you have to do is write them in notepad, and then tell it save as "all files" and then give it the .bat extension. We sure did have a lot of fun with the netsends :P until someone put it in a loop and the teacher found out.

      An example of why Windows (all versions) is so hard to lock down. It's been said before, but some people just don't get how bad it is to design security around the os, rather than the *n*x / BSD model of building the os around security. Getting into the registry (and in the case of thin clients, onto the server C:\ drive) is just too easy.
      I pity the poor sysadmins who are told to lock down their networks, when any Joe with a way to get data into the system can start a prompt and run any program. There's no way to stop that in Windows, but it's real easy in Unix/Linux.

    2. Re:no command prompt? use batch files! by makomk · · Score: 1
      At school the command prompt is disabled, and you can't right click and make a new batch file, and you can't rename the extensions so in order to run some commands all you have to do is write them in notepad, and then tell it save as "all files" and then give it the .bat extension. We sure did have a lot of fun with the netsends :P until someone put it in a loop and the teacher found out.

      Let me guess... your school runs Windows 98. Windows 98 is absolutely impossible to secure - generally, anyone who can log in can do anything they like to the (local) system, given sufficient knowledge and skills. Windows NT/2000/XP are better, though enabling proper security breaks lots of software.

  109. Re:Goes to show... by pep11 · · Score: 1

    ok the notepad maybe is harmless, but
    what if the attacker actually launches IE?

  110. Re:Goes to show... by pyrrhonist · · Score: 1
    firefox on my system routinely use 50% of my total ram (out of 320). that's with only 1 window open and 5-10 tabs.

    There's something wrong with your system, then. I had to open 20 windows and 23 tabs to get even close to that (145MB).

    --
    Show me on the doll where his noodly appendage touched you.
  111. OT: was Re:I confess! by Flower · · Score: 1

    Yeah, they were great for all about five minutes. After that it was like the grits cooled off and it just wasn't the same. :P

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
  112. Re:Goes to show... by walt-sjc · · Score: 2, Insightful

    It's AMAZING what you can do in 500 bytes... Some of the recent worms are good examples.

  113. Re:Goes to show... by walt-sjc · · Score: 4, Informative

    No. It's saying "I have a URI I don't know what to do with." This is how non-http URIs work to launch external viewers such as real player with RTSP:// and such.

    Creating a URI handler to execute shell commands is boneheaded. The Mozilla guys knew this but MS failed to fix it. And now we have more MS apps that don't work around this stupid thing. Any guess as to how much other software doesn't block access to this massive windows security hole?

    About the only thing the Mozilla team did wrong is underestimate the stupidity of MS.

  114. Re:Goes to show... by Switchback · · Score: 1, Redundant

    You've got it completely wrong. As discussed at length when "Mozilla exploit" was announced, this is clearly a Windows bug and not a Mozilla bug. This bug only exists on Windows 2000 and XP. Not on any other OS (Linux, Sun, AIX, Mac, etc.) The fact that Microsoft themselves have supposedly fixed this in XP SP2 tells you that even they think it's a bug.

    Mozilla doesn't do what you claim it does. It doesn't just see a "shell:" URI and execute it. In fact, Mozilla doesn't know anything about the "shell:" URI, just like Mozilla doesn't know about the "xyz:" URI. When Mozilla runs across a URI it can't handle itself (e.g. http or ftp) it asks the OS if there is an application registered to handle this type of URI. The OS says, "yes, please launch this application with these parameters", and Mozilla does so. This is no different than clicking on a Real audio stream link and having it launch the Real player for you...or a PDF link when you don't have the plugin installed, but you do have Acrobat Reader.

    The real bug is that the application that's launched via the "shell:" protocol is the one not properly checking its parameters. Mozilla is just doing what the OS told it to do.

  115. Re:Goes to show... by Anonymous Coward · · Score: 0

    That's only because they have to compare honestly to VI, which is far superior...
    ...OMGVIVSEMACSTROLL

  116. Anybody tried this on WINE? by ispeters · · Score: 3, Interesting

    I don't have WINE installed on my system, or the time to install and configure it, but since WINE re-implements the Windows API, wouldn't it have the function that Mozilla/IE/Word call to execute shell: URLs? Has anybody tested this vulnerability in WINE? Does anybody care what the results are?

    Ian

  117. Cisco by thegameiam · · Score: 1

    >Cisco, when motivated, can get things done right in the first release.

    The key here is "when motivated" which seems to coincide with the output of rand(x)

    --
    Need Geek Rock? Try The Franchise!
  118. Re:Goes to show... by 1u3hr · · Score: 1
    Corel has yet to release a product ready for prime time

    CorelDraw 2, back about 1991 was excellent. Since it was pre-Truetype and ATM, it had its own font engine, which was quite nice, BTW, if non-standard. Version 3 added support for TT and ATM fonts. I did a lot of work with those apps, still have Draw 3 on hand. I wasn't thrilled with what they did to Ventura though, I stick with the DOS version. As for WordPerfect, once they got the hang of Windows its main problem has been marketing rather than anything wrong with the product.

  119. Re:Goes to show... by Anonymous Coward · · Score: 0
    Linux consumes all the ram you have, yeah.

    That's by design. Any ram that's not being used is being wasted. Empty ram is a disservice to everyone -- stuff that could be instantaneous will have to be fetched from disk, electricity is going for nothing, etc. So if you have any empty ram, linux will cache things to speed up access for you. This is a good thing. Except that it leads to clueless folks saying "omg linux is always using ALL MY RAM what a hog!"

  120. All Your Vulns Are Belong To Us? by Anonymous Coward · · Score: 0
    Import the following settings into your registry:
    [HKEY_CLASSES_ROOT\vuln]
    "URL Protocol"=""

    [HKEY_CLASSES_ROOT\vuln\shell\open\command]
    @=" cmd.exe /C \"%1\""
    Open "vuln:||start%20notepad.exe" with IE/Mozilla/MSWord/etc., then notepad should be started.

    This way you can create unlimited numbers of vulnerabilities similar to the shell: one. However, do these vulnerabilities belong to IE/Mozilla/MSWord? They are problems of the insecure protocol handlers themselves, aren't they? (e.g. if WMP has a bug and is exploitable through an mms:// URL opened in the browser, it is just WMP's bug and not the browser's).
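    Following on from the handler lookup comment 114 describes and the "vuln" registry entries in this post, here is an added Python example (not the poster's code) that parses a .reg export, resolves every scheme marked "URL Protocol" to its shell\open\command, and flags handlers that run the URI through a command interpreter or leave %1 unquoted. The registry text it reads is constructed, and it assumes the standard HKEY_CLASSES_ROOT\<scheme>\shell\open\command layout shown above.

```python
"""Audit URL-protocol handlers in a .reg export (added example, not the poster's code)."""
import re

# Constructed sample: the 'vuln' handler from the post, a viewer that quotes %1,
# and an old tool that passes %1 unquoted.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\vuln]
"URL Protocol"=""

[HKEY_CLASSES_ROOT\vuln\shell\open\command]
@="cmd.exe /C \"%1\""

[HKEY_CLASSES_ROOT\myviewer]
"URL Protocol"=""

[HKEY_CLASSES_ROOT\myviewer\shell\open\command]
@="\"C:\\Program Files\\MyViewer\\viewer.exe\" \"%1\""

[HKEY_CLASSES_ROOT\oldtool]
"URL Protocol"=""

[HKEY_CLASSES_ROOT\oldtool\shell\open\command]
@="C:\\Tools\\oldtool.exe %1"
'''

# Programs whose argument is itself interpreted as a command line.
SHELL_INTERPRETERS = {"cmd.exe", "command.com", "powershell.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "rundll32.exe"}

# A .reg value line: @=<data> for the default value, or "name"=<data>.
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(raw):
    # .reg files write a backslash as \\ and a double quote as \"
    return re.sub(r"\\(.)", r"\1", raw)


def parse_reg(reg_text):
    """Return {key_path: {value_name: data}} for string (REG_SZ) values.

    The default value is stored under the name "". Other value kinds are
    skipped: handler commands are always strings.
    """
    keys, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
    return keys


def find_url_protocols(keys):
    """Map scheme name -> handler command for every key marked 'URL Protocol'.

    This is the lookup a browser performs for a scheme it does not handle itself.
    """
    schemes = {}
    for path, values in keys.items():
        if "URL Protocol" in values:
            scheme = path.rsplit("\\", 1)[-1].lower()
            command = keys.get(path + r"\shell\open\command", {}).get("")
            if command is not None:
                schemes[scheme] = command
    return schemes


def executable_name(command):
    """Basename of the program a handler command launches, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(None, 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_command(command):
    """Findings for one handler command; an empty list means nothing flagged."""
    findings = []
    exe = executable_name(command)
    if exe in SHELL_INTERPRETERS:
        findings.append(f"launches {exe}: the URI text is run as a command line")
    if "%1" in command and '"%1"' not in command:
        findings.append("%1 is unquoted: spaces in the URI become extra arguments")
    return findings


def audit_reg(reg_text):
    """Audit every URL-protocol handler declared in a .reg export."""
    return {scheme: {"command": cmd, "findings": audit_command(cmd)}
            for scheme, cmd in find_url_protocols(parse_reg(reg_text)).items()}


if __name__ == "__main__":
    for scheme, info in audit_reg(SAMPLE_REG).items():
        print(f"{scheme}: {info['command']}")
        print("    " + ("; ".join(info["findings"]) or "no findings"))
```

    Run it against `reg export HKEY_CLASSES_ROOT` output on a real machine to see which schemes a browser will hand off and which of those handlers deserve a closer look.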
  121. But I can use any mouse I want too. by Anonymous Coward · · Score: 0

    And shove my one button mouse right up your sorry wintel worshiping *ss.

    1. Re:But I can use any mouse I want too. by Anonymous Coward · · Score: 0

      Then wrap it around your neck and hang yourself

  122. Re:Goes to show... by gaspyy · · Score: 1

    You CAN download SP2 RC2. It works just fine on my laptop.

  123. You so full of it and you know it by Anonymous Coward · · Score: 0

    no need to say anymore

  124. Been there done that. by TheLink · · Score: 4, Informative

    Uh, I've been doing it for IE and MSN Messenger for the past few weeks - since I was forced to switch from W2K to Windows XP at work.

    Create a user called veryrestricteduser and put it in a new morerestricted group and remove it from the Users group. I made the filesystem permissions more restrictive for members of that morerestricted group - so they can't even list files in c:\ only traverse it.

    My shortcut for IE is:
    C:\WINDOWS\system32\runas.exe /savecred /env /user:veryrestricteduser "C:\Program Files\Internet Explorer\IEXPLORE.EXE"

    Because of the /env (use current user's environment) what you need to do is allow the restricted user write access to your IE required directories- e.g. Favorites, Cookies, Local Settings.

    Alternatively you could remove the /env and run IE in the veryrestricteduser's environment and allow your normal user read access (and probably write access) to the veryrestricteduser's environment/profile. Then you don't have to allow the veryrestricteduser access to your normal user's directories. The more finely grained ACLs on Windows NTFS could make certain things more convenient.

    The latter method is probably safer, but doesn't allow you to share Favorites and Cookies when you do want to browse as your normal user for whatever reason.

    You'll probably want to change the icon back to one of the IE icons.

    The runas thing is clunkier than setuid and you can't do /savecred on Win2K, so you need to enter the password every time you launch the shortcut for Win2K or WinXP Home. Savecred works on WinXP Pro.

    If you don't trust other applications I think you can do similar things with them. For stuff that you really cannot trust, you should run them on a VMware VM or a separate machine.

    --
    1. Re:Been there done that. by pe1chl · · Score: 1

      I hope for you that it is as secure as you think.
      Remember that Explorer and Internet Explorer are very closely related on 2000 and XP. You will open a HTML page rendered by IE with a simple click in the explorer. That one will not run as your restricted user.

      We run all our users with very restricted permissions (they are not even allowed to write anywhere on C: except in their profile dir) but I am not so sure that some exploit could not silently creep in. Parts of IE are so closely related to the OS that they may have elevated privileges...

    2. Re:Been there done that. by TheLink · · Score: 1

      Well on my PC the My Computer zone is pretty much locked down - there's really very little reason for HTML in the My Computer zone to run active scripting, active-x and other similar crap (e.g. store cookies- doh!). Esp since I prefer the windows explorer classic mode anyway (the stupid stuff like big icons on the left takes up space and is rather useless). Most of my zones are locked down in high security settings. Except for the Internet zone, and my own custom zone which I added.

      To configure the My Computer zone security settings, change Flags to 1 in
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

      Alternatively as admin, use the group policy (or similar Active Directory stuff) to change the settings and import them to all users. You can also force them to use "machine settings".

      Another thing: if you already have a "veryrestricteduser" IE running, clicking on an HTML page actually opens a _veryrestricteduser_ IE window. That's even tho I have launch as separate process on. I just confirmed it again.

      Dunno why but the KDE people are also making Konqueror like IE in their system.

      --
  125. Re:Goes to show... by prandal · · Score: 1

    With Windows NT 4, it was SP4 before it was anywhere near stable.

  126. Re:Goes to show... by Gordonjcp · · Score: 1
    If you can convince someone to run the arbitrary program with the buffer overrun, you've already won since you've convinced them to run an arbitrary program for you.


    The point is more that you could link to a Word .DOC (for example) with a suitably "crafted" filename, that will exploit a buffer overrun vulnerability in Word.

  127. Re:Goes to show... by UserGoogol · · Score: 1

    Don't confuse pixie dust with angel dust.

    --
    "Never attribute to malice that which can be adequately explained by stupidity." -- Hanlon's Razor
  128. Re:Goes to show... by aichpvee · · Score: 0

    It's definitely not lacking in bloated file size.

    --
    The Farewell Tour II
  129. Re:Goes to show... by aichpvee · · Score: 0

    I've got to agree, never seen a version of CorelDraw that wasn't ready for prime time.

    --
    The Farewell Tour II
  130. Is Word97 vulnerable? by Forget4it · · Score: 1

    Is *Word97* vulnerable?

    I never got around to updating since then.
    There were 2 service packs though.

    Less features more security?

    Abiword ain't too bad neither

    --
    Artificial intelligence is the study of how to make real computers act like the ones in the movies.
    1. Re:Is Word97 vulnerable? by mfisher · · Score: 1

      no - i don't believe so :)

  131. Re:Mac's safer if no MS code on them by zoso · · Score: 1

    but it doesn't have so who cares if it would/or wouldn't. lets speak about the facts and the fact is that windows is vulnerable to all these bugs/exploits. MS has more market share and it's MS that gets all the money so it's MS that should spend money also on securing their products.

  132. Re:LINUX HYPOCRITES by Mongo222 · · Score: 1

    Congratulations. You have just posted the dumbest post this week!

  133. Savior as SP2 by gad_zuki! · · Score: 1

    What about all the win2000 installs?

    MS seems to be telling the world "buy XP or else" when they should be patching all vulnerable systems ASAP.

    Granted, 2K still gets security patches but it's not going to get that new firewall or IE changes. There are a lot of win2k installs out there which will be around for quite some time until Joe User's computer dies and he buys a new XP machine. Of course, the fate of the 2K machine is still unknown, it could be given to one of his kids, parents, etc.

    The zombie problem cannot be solved by SP2 alone. Win2K needs to be addressed just as fully.

  134. DOS and social engineering by gad_zuki! · · Score: 2, Interesting

    Obviously, I can DOS your computer by overtaking your resources by running some app a bazillion times.

    I can also use launching apps to say I'm from MS, Yahoo, etc and tell the user to login and change their password (among other things). What user will say "I see you can run apps remotely on my computer but I know this is just the shell URI problem!"

    >Or am I just reading this wrong?

    Yeah, you're thinking like a techie and not a user. Problem #1 in the industry and here as well.

  135. Click here if by alex_ware · · Score: 1
    --
    If you have nothing useful to say post as AC.
  136. Re:Goes to show... by Anonymous Coward · · Score: 0

    >So you can launch a bunch of Notepads, so what?

    A better system would be to have your page download a small trojan and then launch that trojan from the cache using the URI exploit.

  137. Re:Goes to show... by IamTheRealMike · · Score: 1
    What the original poster was probably meaning, if he had a point at all, was that non-Windows systems don't do this sort of "command-line-as-a-protocol" bullshit because it's quite obviously the wrong way to do things.

    Sure about that? If you're in Firefox/Epiphany with Gnome installed (you don't have to be using it) try opening this URL: ghelp:///etc/bashrc - Slashcode eats the slashes if I try and put that into an href but obviously that wouldn't occur elsewhere.

    For those of you who don't use Linux (or use Konq/Opera), it will open your /etc/bashrc file in gedit.

    Note that KDE is equally vulnerable to URL handler attacks, see the telnet handler bug a while ago.

  138. Re:Goes to show... by Anonymous Coward · · Score: 0

    You've seen a version of Corel that doesn't crash all the time? Which?

    To be fair, I haven't used it heavily since 8, and I've used 10 only a little.... which crashes all the time (try stitching large images in PhotoPaint, ok, you were talking about Draw...)

  139. Re:Goes to show... by Anonymous Coward · · Score: 0

    IIRC that was fixed in 0.9.2

  140. Re:Goes to show... by Anonymous Coward · · Score: 0

    While I can't back it up with links, FF is terribly unstable on my dad's Win 98 box... of course you could say that it's the fault of the underlying OS - Win 98 first edition - but MSIE is remarkably more stable.

  141. Mozilla bug? by raidient · · Score: 0

    Some of the media are saying that some MS apps. are vulnerable to the 'Mozilla bug' as if somehow Mozilla causes the problem.
    Mozilla should, to protect its reputation, cease allowing downloads of its apps for MS systems, and issue a press release explaining that because MS software does not meet their standards, that they will no longer support Windows versions.

    --
    My faith is expressed through Nihilism. Do you understand?
  142. Re:Goes to show... by swv3752 · · Score: 1

    Strange, my whole system uses 240-340mb RAM out of 512. Of course it also uses no swap so I consider that pretty good.

    Here at work, 244964k used, and 34564k paged. This is on win2k.

    --
    Just a Tuna in the Sea of Life
  143. Re:Goes to show... by Feyr · · Score: 1

    No, I don't mean the RAM used by the caches. I know about that.

    I am talking about (very) simple applications gobbling up 15 megs EACH (taken a look at KDE recently?)

  144. Re:I thought they were talking about something els by Fuzzums · · Score: 1

    I used the shell command of AutoCAD to hack myself to DOS when everything was shielded off. The other option was Word Perfect.

    After that I found out the password for the menu was hard coded in the exe file (searched for 'password' and looked for interesting ascii). After that they moved the password to a separate file and made it hidden. It took about 3 sec. to find that file.

    Etc etc. Anyway... Those were the days, but finding ways to get shells is still funny and interesting ;)

    --
    Privacy is terrorism.
  145. Re:Goes to show... by SillyNickName4me · · Score: 1

    > though linux (the whole deal, whichever distro you use, not just the kernel) in general tend to consume insane amounts of ram, firefox/mozilla is the worst so far

    Then explain to me how my old p200mmx with 96MB memory runs Linux (slackware with a 2.6 kernel) + X + Windowmaker + Firefox while any recent Windows version (2000, XP) does not even boot on it (don't support the CPU, too little memory)

    You, like many out there, are seeing the effects of KDE 3.x and think it is a Linux problem.. well, simple solution, don't install KDE 3 if you don't have the hardware for it.

    On Linux that is actually an option you know... you have choice in such things, and can 'tune down' a configuration to fit well within the limits of your hardware, even when that is hardware from more than half a decade ago.

  146. Regarding development time.. by wurp · · Score: 1

    A lot of the time it makes sense (sickening as it may be) to take a shortcut that will take longer to fix in the future than it would have to do it right in the first place.

    If you have enough money to develop for 3 months and you have the choice of producing a working product that it will take 6 months more to get right, or producing half of a working product that is done right, the first is almost always the right choice. It's hard to get ongoing development money based on half of a product. Which means, of course, that it will never get done right, because no one is financing it.

  147. Re:Goes to show... by SillyNickName4me · · Score: 1

    > Prudent people might be willing to risk blowing up their pre-release browser for functionality and security, while not be willing to risk blowing up their entire OS with a pre-release patch just to get their browser updated.

    Prudent people would be running a stable enough OS that isn't so insanely and cluelessly integrated.

    I upgraded my FreeBSD workstation and server last night. Including recompiling the entire operating system and 2 kernels, that took less than 2 hours.
    I was quite able to do it in such a way that the upgrade was tested, and that a complete rollback would be possible till the very last moment (and is still possible now until I tell the system to throw away the data needed for it)

    OS upgrades that FIX things instead of introducing tons of new stuff should never ever cause such problems as you are scared of. When they do, it points at one of the following:

    - the underlying design was so horribly flawed that it was impossible to fix it without breaking the system
    - the upgrade installs new functionality that interferes with your installed software
    - the upgrade is broken

    Only the first one is not always preventable, but should be very easy to document; the people creating the upgrade KNOW they are changing the design or interface instead of fixing something so it behaves as designed.

    I know that what you say is reality when using Windows, but why not try to get to a technically correct conclusion? All you do now is accept the BS that is being thrown at you since people who do care happened to provide a workaround for the problem instead of actually fixing the problem. Result? You will run into the problem again within some time. Unless you are extremely short sighted, it is very easy to see which costs the most.

  148. Re:Goes to show... by Feyr · · Score: 1

    Actually, I don't use KDE, and haven't in over two years. I'm currently using openbox, and blackbox before that (moved due to lack of xinerama support).

    Right now I have a little over 20 applications loaded, of which a lot are terminals. The X server itself takes 10% of my available RAM. Firefox takes 15% (one window, one tab), OpenOffice 9% (with one 3-page document loaded), the Java VM 7% (proprietary CVS-like application) and Evolution 7% (with lots of mails and accounts; that one is reasonable).

    Now that's some of the lowest numbers I've ever seen. It isn't rare that the X process is around 40-50% along with Firefox. That doesn't leave much for the rest of my applications to run, especially since the X process can't be swapped out (always being used).

    This box is a P3 500 with 375 megs of RAM. It IS insane use of memory.
    Linux can run on a decade-old computer in shell mode no problem, but don't even think of running X on it (I tried, it "ran", but, like running Windows XP on a 486, you won't do much with it).

    BTW, distro is Debian sid, with the "prelink" package (did the same before I installed it too).

  149. Mod Parent Down! by Bob Uhl · · Score: 1
    It didn't open anything in gedit (Firefox 0.9 on top of Fedora)--nothing at all. It did open the help browser, which said that ///etc/bashrc (and /etc/bashrc, when I tried it) didn't exist (presumably, meaning that it's not a GNOME help file). So if the problem did exist once, it certainly doesn't now.

    Not that I can see how running gedit as myself on a file is a bad thing.

    1. Re:Mod Parent Down! by IamTheRealMike · · Score: 1

      Well, does /etc/bashrc exist? It's not that it can open stuff in gedit, it's that it'll open any file at all with no confirmation, which is what the parent poster was saying was a bad thing.

    2. Re:Mod Parent Down! by Bob Uhl · · Score: 1

      Yes, /etc/bashrc exists--and doesn't get opened. Who cares if a help browser opens a file anyway? Complaining that ghelp: launches a help browser is like complaining that http:// launches a web browser. It's a safe protocol: HTTP because it doesn't allow modifications (not quite true, but...) and GNOME Help for the same reason.
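    The disagreement in this subthread is really about who decides which local program a URI launches: the page, the OS's registered handlers, or the browser. The following is an added example (not Mozilla, GNOME or Microsoft code) of the allowlist-style dispatch a browser can use so that only explicitly listed schemes ever leave it, with a confirmation step before any external handler runs. The policy table, the `Decision` type and the `confirm` callback are assumptions made for the example; `ghelp:` and `shell:` are only used as inputs the policy rejects.

```python
"""Default-deny URI scheme dispatch (added example, not Mozilla or GNOME code).

A browser that hands any unrecognised scheme to the desktop (shell:, ghelp:,
telnet:) lets a web page choose which local program runs. The allowlist below
inverts that: only listed schemes leave the browser, and only after the
policy's confirmation rule is satisfied.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# Schemes the browser renders itself; never passed to an external program.
INTERNAL_SCHEMES = frozenset({"http", "https", "ftp"})

# Hypothetical policy table: scheme -> (handler program, confirm first?).
# Anything absent from this table is blocked, so shell:, ghelp: and telnet:
# never reach the OS even if the OS has handlers registered for them.
EXTERNAL_HANDLERS: Dict[str, Tuple[str, bool]] = {
    "mailto": ("mail-client", True),
}


@dataclass(frozen=True)
class Decision:
    action: str               # "render", "launch" or "block"
    handler: Optional[str]    # program name when action == "launch"
    reason: str


def dispatch(uri: str,
             confirm: Callable[[str, str], bool] = lambda s, u: False) -> Decision:
    """Decide what to do with a URI a page asked the browser to open.

    `confirm(scheme, uri)` stands in for the user prompt; the default refuses,
    so an unattended run never launches anything.
    """
    scheme = urlsplit(uri).scheme.lower()
    if not scheme:
        return Decision("block", None, "no scheme")
    if scheme in INTERNAL_SCHEMES:
        return Decision("render", None, "internal scheme")
    if scheme in EXTERNAL_HANDLERS:
        handler, needs_confirm = EXTERNAL_HANDLERS[scheme]
        if needs_confirm and not confirm(scheme, uri):
            return Decision("block", handler, "user did not confirm external handler")
        return Decision("launch", handler, "allowlisted external scheme")
    # Default deny: unknown scheme, regardless of what the OS would do with it.
    return Decision("block", None, "scheme %r not on allowlist" % scheme)


if __name__ == "__main__":
    for u in ("https://example.org/", "ghelp:///etc/bashrc",
              "shell:foo", "mailto:someone@example.org"):
        print(u, "->", dispatch(u))
```

    The point of the `confirm` parameter is that the decision to launch anything outside the browser is taken by the user, not by the page; the blacklist approach the thread criticises makes the opposite default.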

  150. Re:Goes to show... by mpe · · Score: 1

    This is even further mitigated in MSN, since an MSN message can only contain around 1600 characters... when you take into account the URL encoding required to send any useful bytes into the overflow, you've only got around 500 bytes to work with for your exploit to run.

    All malware writers need to do is to discover the concept of "bootstrapping" their exploits.

  151. Re:Goes to show... by SillyNickName4me · · Score: 1

    > this box is a p3 500 with 375 megs of ram. it IS insane use of memory.

    As someone else pointed out in this thread, it is not insane, and depends almost entirely on how much memory you have installed.

    Have you for example ever tried what happens when you remove 128mb memory? or add 128mb?
    Chances are it will run just as smoothly with 256mb, and maybe even less.

    Now, try to get XP to boot with less than 256MB, let alone running any application whatsoever.

    > linux can run on a decade-old computer in shell mode no problem, but don't even think of running X on it (i tried, it "run" but, like running windows xp on a 486, you won't do much with it

    And that is complete and utter rubbish, sorry.

    First of all, Windows versions starting with win2k simply do not support the 486, and actually support nothing lower than a 686 class CPU (Pentium Pro and up), so no, you can't even try booting it on such hardware.

    Next, people are running Linux + X on 486 and early pentium class machines. It does require having enough memory, sure, but depending on what you are doing, enough can be anywhere between 32mb and 2gb on such hardware. For running X + firefox you will definitely get away with 128mb, 256 will really make things go tho. Why? because of the caching it allows.

    I do use an only slightly more recent machine myself as I already pointed out, and I do run X on it (you can read, can't you?). I don't know which percentage of memory Firefox uses on that machine, but I do know that it is never ever swapping, and feels more than snappy enough to use for browsing. I don't run a Java VM on that machine tho, that is the one way in which to get that machine to swap like hell if I want it together with X.

    Anyway, the p200 is mostly used as a browser and an X terminal. When running non browser and non multi media stuff (ie: OOo) it runs on a server, which is doing that job for up to 4 concurrent users currently. Machine is a dual CPU PII 333 with 512mb memory. Despite the fact that this machine runs up to 4x OOo, 3 virtual machines with apache2 with php, a mysql server, squid and some mail related stuff, this machine is still never ever swapping.

    Ah well, all you seem to be able to convince me of is that you have little clue what the numbers mean that you are seeing.

    Sadly enough, this is exactly why the old 'windows' way of just saying x% of the resources are in use makes sense, it is perfect for people who are clueless as to how to interpret actual information, and/or clueless about the workings of an operating system.

    For example:
    > now that's some of the lowest numbers i've ever seen. it isn't rare the X process is around 40-50% along with firefox. that doesn't leave much for the rest of my applications to run, especially since the X process can't be swapped out (always being used).

    First of all, the fact that the X server is always used doesn't mean that all memory it may have allocated for a zillion different reasons is always being used and can't be swapped.
    The days where Unix like systems would swap entire processes only are long gone, and Linux is able to *gasp* do what for example Windows can do as well.. swap memory in/out by memory page (4k for traditional x86 systems, tho nowadays pagesize can be set to different values depending on requirements).

    It does so depending on a few conditions, one of which is if the memory has been used recently or is likely to be referenced in the very near future. How busy or not the process is that it's part of however plays no direct role in this.

    You may also find that when starting a new application, the OS can all of a sudden find available memory by dumping some cached data, and unmapping some not recently used files from memory.

    As said before by someone else, Linux (and the same applies to for example FreeBSD) tries to make optimal use of available memory instead of trying to keep as much of it free as possible.

    So do yourself a favor, and learn what the numbers mean and how the underlying system works before even trying to make sense of them.

  152. Re:Goes to show... by Feyr · · Score: 1

    Alright. I'll rephrase that. The X server ISN'T being swapped out. Better now?

    And I'm using percentages because it's just easier for a quick post on Slashdot. If I ever want to do benchmarks I'll use hard numbers.

    And that still doesn't explain the 150 megs (happy now?) of memory use by Firefox. That's RSS, not VSZ.

    Enough of it. Until you (or someone else) can give me a solution, or at least a reasonable explanation for that insane memory usage, I stand by what I said.

    And quit spouting off your bullshit about caches, and read what I said properly. I already stated this isn't a cache issue, it's a pure memory issue.

  153. Re:Goes to show... by Anonymous Coward · · Score: 0

    So, next year?

  154. Re:Goes to show... by SillyNickName4me · · Score: 1

    vsz 56908K rss 47772K here.. and?

  155. Re:Goes to show... by Anonymous Coward · · Score: 0

    WordPerfect is at 12 now? I remember when they went to version 6 and a month or so later Microsoft went from Word for Windows version 2 to version 6. ( it was some time ago but I clearly remember there was no version 5 ) [a google search found http://www.emsps.com/oldtools/mswordv.htm ] granted there was a Word for DOS 5.5, but after that they dropped version numbers like a hot potato.

  156. Re:Goes to show... by kundor · · Score: 1
    It has nothing to do with KDE. Linux always uses all your ram; this is a good thing, unused ram is wasted.

    KDE 3 runs fine on pentiums with 64 mb ram.
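    Comments 151, 152, 154 and 156 above argue past each other because "x% of RAM in use", a process's VSZ and its RSS measure different things. The following is an added example (not code from any poster) that reads the two Linux sources those numbers come from: `/proc/meminfo`, where buffers and page cache are reported separately from the memory applications hold, and `/proc/<pid>/status`, where `VmSize` (virtual size) and `VmRSS` (resident set) are listed side by side. The `/proc/meminfo` snapshot is constructed for the example; the `VmSize`/`VmRSS` figures are the ones quoted in comment 154.

```python
"""Reading Linux memory numbers (added example; not code from the thread).

/proc/meminfo separates page cache and buffers (reclaimable on demand) from
memory applications actually hold, and /proc/<pid>/status separates a
process's virtual size (VmSize) from its resident set (VmRSS).
"""
import re
from typing import Dict

# Constructed /proc/meminfo snapshot for a 375 MB box like the one in the
# thread; the values are made up for the example.
SAMPLE_MEMINFO = """\
MemTotal:       384000 kB
MemFree:         12000 kB
Buffers:         40000 kB
Cached:         150000 kB
SwapTotal:      524288 kB
SwapFree:       524288 kB
"""

# Constructed /proc/<pid>/status fragment; VmSize/VmRSS are the figures one
# commenter quoted for Firefox.
SAMPLE_STATUS = """\
Name:   firefox-bin
VmSize:    56908 kB
VmRSS:     47772 kB
"""

# "Key:   value kB" lines; meminfo and status share this format.
_LINE = re.compile(r"^(\w+):\s+(\d+)(?:\s+kB)?\s*$", re.MULTILINE)


def parse_kb(text: str) -> Dict[str, int]:
    """Parse numeric 'Key: value [kB]' lines into a dict; other lines are skipped."""
    return {k: int(v) for k, v in _LINE.findall(text)}


def reclaimable_kb(info: Dict[str, int]) -> int:
    """Buffers + page cache: the kernel drops these when applications need RAM."""
    return info["Buffers"] + info["Cached"]


def app_used_kb(info: Dict[str, int]) -> int:
    """Memory held by applications once cache and buffers are excluded."""
    return info["MemTotal"] - info["MemFree"] - reclaimable_kb(info)


def swap_used_kb(info: Dict[str, int]) -> int:
    return info["SwapTotal"] - info["SwapFree"]


def summarize(meminfo: str) -> Dict[str, int]:
    """The 'x% in use' figure next to what applications really hold."""
    info = parse_kb(meminfo)
    return {
        "total_kb": info["MemTotal"],
        "naive_used_kb": info["MemTotal"] - info["MemFree"],
        "app_used_kb": app_used_kb(info),
        "reclaimable_kb": reclaimable_kb(info),
        "swap_used_kb": swap_used_kb(info),
    }


def summarize_live(path: str = "/proc/meminfo") -> Dict[str, int]:
    """Same summary from the running system (Linux only)."""
    with open(path) as fh:
        return summarize(fh.read())


if __name__ == "__main__":
    print("sample:", summarize(SAMPLE_MEMINFO))
    print("firefox:", parse_kb(SAMPLE_STATUS))
    try:
        print("live:", summarize_live())
    except OSError:
        print("no /proc/meminfo on this system")
```

    On the constructed snapshot the naive figure says 372000 kB of 384000 kB is in use, but only 182000 kB is held by applications; the remaining 190000 kB is cache the kernel gives back as soon as a process asks for it, which is the point comment 156 makes. For a single process, RSS is the part of its virtual size currently resident in RAM, which is why the two numbers in comment 154 differ.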

  157. Re:LINUX HYPOCRITES by Anonymous Coward · · Score: 0

    Ya, thanks. Actually, by being totally in denial and blaming Windows for things that are not the fault of Windows, your insult (like that is a real insult) has absolutely no meaning.