Slashdot Mirror


MSN, Word Vulnerable To Shell: URI Exploit

LnxAddct writes "InfoWorld is reporting that a few Microsoft products are also vulnerable to the "shell:" scheme vulnerability found in Mozilla last week. These applications include Microsoft Word and MSN Messenger."

3 of 392 comments

  1. Re:Run as a separate user! by Demanche · · Score: 0, Redundant

    In Windows you would just change the run as permission after creating a special user for this purpose, or maybe run it as Guest? I don't know what problems that would cause though, so be nice! :)

    --
    Mod me down, I'm a newf (wiki)
  2. Another Word vulnerability? by BCW2 · · Score: 0, Redundant

    Word has been vulnerable to some form of attack since it was created. Why is anyone surprised?

    --
    Professional Politicians are not the solution, they ARE the problem.
  3. Re:Goes to show... by Switchback · · Score: 1, Redundant

    You've got it completely wrong. As discussed at length when the "Mozilla exploit" was announced, this is clearly a Windows bug and not a Mozilla bug. This bug only exists on Windows 2000 and XP. Not on any other OS (Linux, Sun, AIX, Mac, etc.). The fact that Microsoft themselves have supposedly fixed this in XP SP2 tells you that even they think it's a bug.

    Mozilla doesn't do what you claim it does. It doesn't just see a "shell:" URI and execute it. In fact, Mozilla doesn't know anything about the "shell:" URI, just like Mozilla doesn't know about the "xyz:" URI. When Mozilla runs across a URI it can't handle itself (e.g. http or ftp) it asks the OS if there is an application registered to handle this type of URI. The OS says, "yes, please launch this application with these parameters", and Mozilla does so. This is no different than clicking on a Real audio stream link and having it launch the Real player for you...or a PDF link when you don't have the plugin installed, but you do have Acrobat Reader.

    The real bug is that the application that's launched via the "shell:" protocol is the one not properly checking its parameters. Mozilla is just doing what the OS told it to do.
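
The hand-off to OS-registered handlers described in the comment above, with a default-deny scheme allowlist placed in front of it. This is an added example, not part of the thread and not Mozilla's or Microsoft's code; the scheme sets and the `os_launch` callback are assumptions for illustration.

```python
import re

# Assumed policy for illustration (not from the thread): schemes the
# application handles itself, and the only ones it passes to the OS.
INTERNAL_SCHEMES = {"http", "https", "ftp"}
EXTERNAL_ALLOWLIST = {"mailto", "news"}

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")
_TAB_NEWLINE = dict.fromkeys(map(ord, "\t\r\n"))
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalize(uri):
    """Drop tab/CR/LF and surrounding control characters, as browser URL parsers do."""
    return uri.translate(_TAB_NEWLINE).strip(_C0_AND_SPACE)


def classify_uri(uri):
    """Return 'internal', 'external', 'blocked' or 'no-scheme' for untrusted input."""
    match = _SCHEME_RE.match(normalize(uri))
    if match is None:
        return "no-scheme"
    scheme = match.group(1).lower()  # schemes are case-insensitive
    if scheme in INTERNAL_SCHEMES:
        return "internal"
    if scheme in EXTERNAL_ALLOWLIST:
        return "external"
    return "blocked"  # default deny: shell:, xyz:, anything unlisted


def dispatch(uri, os_launch):
    """Call os_launch (hypothetical stand-in for the OS handler) only if allowed."""
    verdict = classify_uri(uri)
    if verdict == "external":
        os_launch(normalize(uri))  # pass exactly the string that was classified
    return verdict


if __name__ == "__main__":
    # Constructed sample links, not taken from any real page.
    samples = ["http://example.com/", "mailto:user@example.com",
               " ShElL:constructed-sample", "xyz:constructed-sample", "page.html"]
    for link in samples:
        print(repr(link), "->", dispatch(link, lambda u: print("  OS handler gets", u)))
```
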