Slashdot Mirror


MSN, Word Vulnerable To Shell: URI Exploit

LnxAddct writes "InfoWorld is reporting that a few Microsoft products are also vulnerable to the "shell:" scheme vulnerability found in Mozilla last week. These applications include Microsoft Word and MSN Messenger."

22 of 392 comments (clear)

  1. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  2. Open Source vs. Microsoft by ZZeta · · Score: 4, Insightful

    Well now, let's see how long it takes for their patch to come out.

    1. Re:Open Source vs. Microsoft by LostCluster · · Score: 3, Insightful

      Well, what Microsoft users have shown time and time again is even when the patch does come out, it's often not applied on many machines.

  3. Re:Word 2004 for OSX Safe? by afidel · · Score: 4, Insightful

    Well since the Mozilla URI exploit was specific to XP I would imagine that these exploits would likewise be limited to a vulnerable OS.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  4. Ready...set...GO by linuxwrangler · · Score: 3, Insightful

    By the time the Mozilla story was posted on Slashdot the fix was already available - the link was even posted with the story.

    I don't see a patch posted with this story so I guess there's no way Microsoft can win the patch-speed race for this bug - all we will be able to do is place bets on just how much slower Microsoft is. Predictions, anyone?

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
  5. Re:Goes to show... by Anonymous Coward · · Score: 5, Insightful

    The URI exploit in its general form is mitigated by the fact that you can't pass any command-line arguments to the command. So you can launch a bunch of Notepads, so what? However, you CAN type a filename in and have it open in its associated application. If that filename is too long, you can exploit a buffer overflow in the helper application. There happens to be a plentitude of client applications on a standard XP box with buffer overflow possibilities. Once you're there, go anywhere you want with the privileges of the user on the XP box (which is usually admin, and if not, you can usually get admin without a lot of effort).

    Anyway, SP2's memory protection would have prevented the overflow attack. It would not have prevented the most general (and less harmful) form of the attack, however.

    What the original poster was probably meaning, if he had a point at all, was that non-Windows systems don't do this sort of "command-line-as-a-protocol" bullshit because it's quite obviously the wrong way to do things. Security through obscurity works in a lot of cases because people think "nobody would EVER design an OS that did THIS" and they never bother to look. Well, now someone's looked and found an ancient kludge coded by someone who probably doesn't even work for MS anymore. And more man-hours are going into fixing this bug than would have gone into creating a proper implementation of whatever this goober was trying to accomplish in the first place.

    That said, Open Source isn't pixie dust that makes everything happy and secure. Stupid things happen in Linux. They just happen in the open where people can find them and fix them before applications start relying on them to function.

  6. Difference between MS and the rest by Todd+Knarr · · Score: 4, Insightful

    I think the handling of this problem demonstrates the difference between Microsoft software and other software like Mozilla. In Mozilla, the problem didn't even require a real patch to fix, just a quick config setting to tell it not to pass things along to the shell: handler. My bet is that fixing Word etc. will require not just multiple registry changes but actual new code to allow shell: to be disabled. And odds on the first thing they try is to just add filters, and we'll see half a dozen iterations of exploits of this using different ways past the filters until MS finally includes a patch to allow it to be disabled.

  7. Re:Goes to show... by Frizzle+Fry · · Score: 3, Insightful
    Oh good, I'll go and download SP2 then

    Good. Go download it. Or don't. But at least don't be a hypocrite like half the people here and say that sp2 "doesn't count" until it reaches final release form, while firefox "counts" even though it's also in pre-release form (not even at 1.0 yet). Sort of like when people claim that IE on xp doesn't have popup blocking but firefox does.
    --
    I'd rather be lucky than good.
  8. Re:Mozilla Bug 163767 by fireman+sam · · Score: 3, Insightful

    So, perhaps Mozilla should have "bug fixes" for every windows flaw that they uncover? Wouldn't that introduce quite a bit of bloat?

    Every application that uses this scheme is vulnerable.

    Maybe someone should check to see if IE has this "bug" as well.

    --
    it is only after a long journey that you know the strength of the horse.
  9. Mozilla flaw? by ScriptGuru · · Score: 5, Insightful

    The Article's title is: Microsoft products also vulnerable to Mozilla flaw That is gross misinfomation, it should be something along the lines of "Microsoft products allow exploit of OS flaw, similar to Mozilla." The flaw itself is in the Windows operating system. It exposes access to shell functions that applications need to blacklist. Application developers shouldn't need to be concerned with "Oh, I need to stop that protocol for security." It should be the protocol developer's responsibility to say "Is this safe?"

    --
    Yet another signature that refers to itself. The irony and humor is dead.
  10. Misleading title - "...Mozilla flaw" by Slashcrunch · · Score: 5, Insightful

    The title is quite misleading on first glance.

    "Microsoft products also vulnerable to Mozilla flaw"

    If it was a Mozilla flaw to start with, my linux boxes would be vulnerable. I know its picky, but the title is not accurate IMHO as Mozilla is being used to take advantage of a Windows feature, rather than the flaw itself existing in Mozilla.

  11. Even more reason.... by Demanche · · Score: 5, Insightful

    To try out open source browsers like Firefox and Mozilla....

    Maybe its about time for some people to concider some alternate producivity suites - not just openoffice - even some suites like Corel have some intriguing software that lacks the user base of microsoft.

    Rant>./rant

    On a sidenote.. Corel lost a big share of its market to MS Office around the same time Netscape was crushed by IE. I remember my highschool used Corel at the time. Netscape was very smart to start the Mozilla Foundation insead of trying to beat MS, they are letting their supporters promote for them, gaining them some brand awareness if nothing else. Perhaps It wouldn't be so strange if Corel was to support a open source initiative, or merge with OpenOffice. The next best thing since frozen coffee for the computer geeks would be firefox and corel. Corel could sure use some geek to geek praising around now ;)

    For those of you not very firmiliar with Corel, at one point they were doing fairly well, then they kinda fell thru - had to lay off alot of people and are now trying to get back into the market.. but I personally think they face the same fate as Netscape.
    In the real world, If you loose a customer, it takes twice as long to get that customer to come back to your business, and that customer is a big factor keeping other possible business from you, as they will tell at least 10 people of their experiance.
    Based on this, even old Corel users would be hesitant or unwilling to switch back to Corel -so Corel needs a new movement. Open source anyone ;)

    Dying Proprietary Software + Open Source = Improved Code + Brand Awareness + "PROFIT" (Donations, Memberships? Support? and Smart Usage Of Your Brand Recognition)

    With so many software companies expected to bust with news of the markets this week, I wouldn't be surprised to see a few new related open source projects pop up.

    Rant> logout

    --
    Mod me down im a newf (wiki)
  12. Re:Goes to show... by Anonymous Coward · · Score: 5, Insightful

    Okay, I'll bite. Some of us have a standard of stability and completeness, totally independent of version numbers. Was Internet Explorer 1.0 a happy, complete, stable application? Is Firefox 0.9.1? I think you're fooling yourself if you think version numbers provide any sort of yardstick of the readiness-to-use of an application. I personally won't use ANY Microsoft product in a production (read: at work) environment until it has at least TWO service packs. Windows, Office, SQL, SMS, doesn't matter. Microsoft's standard is "it's 1.0 when we need to release it. it's sp2 when it's ready for prime time". Not all companies are the same way. Corel has yet to release a product ready for prime time, and WordPerfect's up to 12 or so. Cisco, when motivated, can get things done right in the first release. Open Source projects all have their own standards. Firefox 0.9.1 is much more mature and ready for prime-time than the latest PR or SP2. The Xine maintainers, who must all be insane,
    have a project that's been stable for years and it hasn't hit 1.0 yet. If Firefox suddenly released 2.0 would it sudenly be more mature? How about 3.0? What's the magic happy number? THERE IS NONE. You have to gauge each vendor, and each application, by a consistent set of rules and just forget what version number the marketing people decided it should have.

  13. Re:Word 2004 for OSX Safe? by argent · · Score: 4, Insightful

    A URI exploit in Word is a relatively minor issue, so long as Word contains a macro language that can execute arbitrary code. It's kind of like worrying about whether you left the stove on when you're fleeing because there's a cruise missile targeting your home.

  14. Re:Goes to show... by Flower · · Score: 5, Insightful
    You damn well bet it doesn't count here at work. My patching an application is entirely different than upgrading the OS with a beta service pack. I would have to go through all our departments, make sure I tweak the upgrade so it doesn't break any of the services that make us money and then go through the whole deal again once the official release is out.

    There is a big difference between the degree of risk I take with upgrading Firefox and the major overhaul that SP2 is going to turn out being. Sorry but this hypocrite isn't buying your assertion.

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
  15. Re:Word 2004 for OSX Safe? by spitzak · · Score: 4, Insightful

    This is not really accurate. The Mac had a unique exploit, in that something a url did would "register" a new protocol handler. The page could then send a request for that protocol and it could execute arbitrary code supplied by the page. The second step is equivalent to the shell exploit, but without the first part it is limited to executing code already installed on the system (not that this is good, but it does not seem as bad...)

    On Windows I don't believe you can register a new protocol unless you actually execute a program. If there was a bug that allowed new protocols to be registered it would pretty much mean it is a bug that allowed arbitrary code to be executed, which would be a huge hole whether or not protocols could be registered.

  16. Re:Goes to show... by BoldAndBusted · · Score: 3, Insightful

    Um, well, the difference here, my friend, is that one is an upgrade for an application (Mozilla Firefox), and the other is an upgrade for an entire operating system (Windows XP). One risks the ability to browse , the other risks the ability to boot .

    Prudent people might be willing to risk blowing up their pre-release browser for functionality and security, while not be willing to risk blowing up their entire OS with a pre-release patch just to get their browser updated...

  17. It is a little premature by MagicBox · · Score: 3, Insightful

    to *bash* Microsoft yet again. The article clearly stated that

    Microsoft's MSN Messenger and Word word processing application both support a feature that could give remote users access to functions that could be used launch applications on Windows computers, .....


    Unless the SECUNIA people are stupid, launching an app from within another app is what every Microsoft Application is able to do and has been able to do for many years. However I do not think that such feature exists for Microsoft products only. What I am having a hard time distingushing is between Secunia trying to stay on the news and a real vulnerability here. I am not saying it might not exist, but as of this moment I do not see anyone able to run a Shell() command within your app, unless they have gotten to your app, which means they have gotten to your computer already. Also this has existed for a long time. Why now? I might be completely wrong however, and someone at Secunia knows something they are not sharing. I advise them to share any info as soon as possible. The reason I am a little pissed is because in my company I have thousands of Word and Excel documents with thousands of lines of VBA code. With news like this, I smell a panic meeting early in the morning tomorrow which might be nothing more than FUD from Secunia. Honestly I am at a point where I am having a hard time trusting anyone anymore. Hackers want to be my security gurus, OS makers rant and rave about their respective OSes and how secure and reliable they are(only to issue security patches soon after), whole campaigns asking people to boycot a product because of vulnerabilities and use X product, only to find out that X is vulnerable as well. If you look at the stack of firewalls and security appliances at my company, it looks like we're building the walls of damn Troy. I joke with the security guys about the kind of attack they are preparing against. There is hope of course.....but how long before it's too late?

    --

    The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!
  18. I know you're a troll, but... by qtp · · Score: 3, Insightful

    I'm going to agree with you.

    This is not a flaw in Mozilla, nor is it a flaw in IE, Outlook, Word, or any other part of Microsoft Office.

    This flaw is a flaw in Windows, and is typical of flaws in Windows in that the OS is expecting it's applications to handle security, will run any peice of crap handed to it by any app, and we can expect to see more flaws that are similar in nature due to the heavily integrated design of the Windows operating system.

    --
    Read, L
  19. Re:Mozilla is Slow to Respond! by walt-sjc · · Score: 5, Insightful

    That's becaues it's NOT a bug in mozilla, it's a massive security hole in Windows. Mozilla finally decided to patch it for mozilla because MS was too damned lazy to fix it. As we now see, this massive windows hole affects other products too. Of course, NO other platform has this particular security hole (surprise surprise...)

    If your flash plugin had a security hole, would you expect Mozilla, Opera, IE, etc to filter certain access so that security hole could't be exploited?

    No, MS is responsible for the security of their own products.

  20. Re:Mozilla is Slow to Respond! by Gordonjcp · · Score: 4, Insightful

    It's nothing to do with the browser. Read the bug report. Find and read the relevant MSDN article, if you like. It is not even a bug in Windows. Windows does not pass the security information between partitions.

  21. Re:Mozilla is Slow to Respond! by shaitand · · Score: 3, Insightful

    The browser checks to see if it knows what to do with it, generally if it does, it blindly passes it to another application (plugin or whathaveyou), if not it blindly passes it to the OS which may or may not have a handler for that type.

    First there shouldn't even be a shell uri in the OS! Second, there is a vulnerability IN THE SHELL URI which escalates the priv level to that of the user.

    If Mozilla passed the data along and said, here ya go it's good stuff, completely trusted. That would be one thing, but mozilla passes it along and says I have no clue what this is or where it's coming from and have no reason to believe it safe in any fashion. You have any ideas?

    If it's the RIGHT data, then windows tells itself it was the current user and not some untrusted guy off the web who gave it that data. The bug is in windows!

    Hell the entire scheme or uri handling in windows is fscked up. There shouldn't be any uris which cause local execution!