Slashdot Mirror


Firefox and IE Still Not Getting Along

juct writes "Heise describes a new demo showing how Firefox running under Windows XP SP2 can be abused to start applications. For this to work, however, Internet Explorer 7 needs to be installed. This severe security problem promises another round in the 'who-is-to-blame-war' between Mozilla and Microsoft. Mozilla currently is leading the race for a patch, as they have one ready in their bugzilla database. 'The authors of the demo note that there are many further examples of such vulnerabilities via registered URIs. What is so far visible is just "the tip of the iceberg". They state that registered URIs are tantamount to a remote gateway into your computer. To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.'"

207 comments

  1. No problem by Anonymous Coward · · Score: 5, Funny

    IE is the better browser. Just use that one.

    1. Re:No problem by Marxist+Hacker+42 · · Score: 1

      Does anybody actually use alternative URIs other than http: file: https: mailto: and ftp:? I wasn't even aware that other ones were being registered!

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    2. Re:No problem by erKURITA · · Score: 0

      Sarcasm is dripping off your post :S

    3. Re:No problem by Chineseyes · · Score: 3, Interesting

      In windows no but in linux using kde fish:// is a godsend.

      --
      I think the invisible hand of the market has its middle finger extended

      --A wise old fart named SC0RN
    4. Re:No problem by Lord+Crc · · Score: 1

      Does anybody actually use alternative URIs other than http: file: https: mailto: and ftp:?

      Personally I use news: a lot, MS HTML help uses ms-help:, and I've found the res: handy as well for some programs.

    5. Re:No problem by Beetle+B. · · Score: 1

      irc: is useful for getting help.

      --
      Beetle B.
    6. Re:No problem by X0563511 · · Score: 1

      A lot of games use them, as if you were ever going to launch a game and connect to a server from your web browser.

      The unreal series uses them, I know that.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    7. Re:No problem by Anonymous Coward · · Score: 1, Informative
    8. Re:No problem by wizzahd · · Score: 1

      I know iTunes uses itpc:// for automagically opening rss feeds (and probably other stuff, too)..

    9. Re:No problem by bogado · · Score: 1

      What does this URL scheme do?

      --
      []'s Victor Bogado da Silva Lins

      ^[:wq

    10. Re:No problem by Mr.+Vage · · Score: 1

      Yes, and they can be quite useful. steam:\\ can be used in a link so the user's game will automatically start up and connect to whatever IP follows the slashes.

    11. Re:No problem by Sledgy · · Score: 1

      Tortoise SVN registers svn: which makes connecting to SVN repositories easier (mainly on our local network).

    12. Re:No problem by dwarfsoft · · Score: 1

      svn:// is good. There are also some custom ones for a chat-game that I hang around in (well, for some of the plugins for the clients that is).

      --
      Cheers, Chris
    13. Re:No problem by Anonymous Coward · · Score: 1, Informative
      What does this URL scheme do?

      It gives you completely transparent secure shell access to remote machines from any KDE application. For example, typing fish://username@hostname/ in any file dialog will access the machine hostname using the ssh protocol, allowing you to safely load and save files from/to other machines without copying them by hand first.

      To summarize: it is wonderful, and you won't know how you could live without it once you get used to it.

    14. Re:No problem by Anonymous Coward · · Score: 1, Informative

      Allows remote access to files on machines running an SSH server, even if SFTP is disabled. If SFTP is enabled, you can also use sftp://. KDE also has protocol handlers for ftp, smb, webdav, and loads more. In all cases, you can just read files on the remote machine, even open them and edit them, as if they were local. So useful, and one of the (many) things I really miss when working on Windows or a Mac.

    15. Re:No problem by PenguSven · · Score: 4, Funny

      It's the industry standard protocol used by Professional Fishermen and Giant Squid alike to catch salmon and tuna.

      --
      What is...?
    16. Re:No problem by dna_(c)(tm)(r) · · Score: 1

      There is some RFC published, I don't remember the year or number, but it was published on the first day of April

  2. Obviously firefoxs fault by SolusSD · · Score: 5, Funny

    All the intertwined security problems HAVE to be caused by firefox, right? I mean-- Microsoft surely knows how to write applications using their own APIs on the operating system *they* developed.

    1. Re:Obviously firefoxs fault by Anonymous Coward · · Score: 1, Interesting

      It is Firefox's fault. They're invoking a Windows API directly without doing any sanity checking on the input.

      If I create a URL that manages to get Firefox to tell Windows to run a command, how is that Windows' fault? Firefox is the one that told Windows to execute the command, Windows just did what Firefox told it to do.

    2. Re:Obviously firefoxs fault by Selfbain · · Score: 2, Funny

      So it was just following orders you're saying. I'm not sure that defense works.

      --
      Well, it has never been successfully tested.
    3. Re:Obviously firefoxs fault by jez9999 · · Score: 5, Funny

      Browser: "Feed that dog."
      OS: *gets out gun and shoots dog dead*
      Browser: "WTF? What did you do that for?"
      OS: "You told me to."
      Browser: "I told you to feed it!"
      OS: "Yeah, I changed the definition of that yesterday to 'shoot dead'."

    4. Re:Obviously firefoxs fault by brunascle · · Score: 3, Insightful

      Firefox is the one that told Windows to execute the command
      except, a URI with a scheme of mailto, nntp, news, or snews does not tell Windows to launch a command. it tells windows to open the application that handles that scheme and give the URI to that application. what the application does is up to the application. if calc is loaded, there's either a bug in Windows or the application that handles the scheme.
    5. Re:Obviously firefoxs fault by SolusSD · · Score: 3, Interesting

      executing a program is one thing-- allowing the installation and execution of a virus is another. Since most windows users run as admins it is enough just to gain some access to the user's account (maybe through firefox) to install malicious code. Of course, as the article suggests, the "bug" only exists when IE7 is installed.
      also... i'm pretty sure if windows was a person he would punch himself in the genitals if he was asked to.

    6. Re:Obviously firefoxs fault by miffo.swe · · Score: 4, Insightful

      "It is Firefox's fault. They're invoking a Windows API directly without doing any sanity checking on the input."
      According to your masters it's the receiving application that should do the sanity check. There was a rather heated debate on this a while ago when it was IE who forwarded malicious URLs to Firefox. Also, Firefox told IE to open a URL for all it knows, not some random application. The error is in IE7 no matter how you spin it. Don't forget any application besides Firefox can forward these kinds of URLs to IE7. In short any application you use that connects to web pages is a threat to IE7.

      --
      HTTP/1.1 400
    7. Re:Obviously firefoxs fault by Blakey+Rat · · Score: 1

      Microsoft surely knows how to write applications using their own APIs on the operating system *they* developed.

      What makes you think there's any overlap in the IE team and the Windows team? Out of curiosity. I think people who say things like this don't realize how huge Microsoft is. They have something like 70,000+ employees.

    8. Re:Obviously firefoxs fault by Anonymous Coward · · Score: 2, Informative

      Oh please. You're wrong.

      The Firefox bug was essentially that it was receiving URLs like "firefoxurl: -chrome javascript:alert('Oops.')" and then, instead of interpreting the URL as a URL it was interpreting it as a command line. This is clearly Firefox's fault - they configured IE to pass Firefox all URLs that start with "firefoxurl:", but neglected to tell IE that it should inform Firefox that it shouldn't emulate a UNIX shell when receiving the URL.

      This is why almost all UNIX commands have that helpful "--" option, to suppress further option parsing. In fact, the Firefox fix was essentially to add that feature. They named it something braindead, but essentially they told IE that instead of executing "firefox.exe %s" it should execute "firefox.exe -- %s". Keep in mind that in Windows, the command line is not parsed, it's given directly to the command to parse as it wants.

      Now contrast it with this case.

      Firefox is giving URLs with INVALID CHARACTERS to Windows, and Windows is treating them as best it can, which can be exploited.

      If Firefox were properly handling the URLs and not including invalid characters, this problem wouldn't be happening.

    9. Re:Obviously firefoxs fault by SolusSD · · Score: 1

      it isn't too much to ask for an internal programming team to know how to correctly use APIs the company developed. It *is* pathetic when they make mistakes like this. Just because they are big doesn't mean they have an excuse to be unorganized-- though having that many employees is usually a consequence of being unorganized, and for that matter, usually makes things worse.

    10. Re:Obviously firefoxs fault by Applekid · · Score: 1

      Problem is that in windows "launch a command" and "open application referenced in the registry" need not be two different things. The default handler for mailto, for example, could be set in the registry to "shutdown -s -f -t 0"

      Then again, if you open a mailto link and Malicious App 2.0 opens, you've ALREADY been compromised by Malicious App 1.0, already on your system, having modified your registry. With those kind of permissions, whatever payload Malicious App 2.0 has could have been done anyway by Malicious App 1.0.

      --
      More Twoson than Cupertino
    11. Re:Obviously firefoxs fault by mhall119 · · Score: 4, Interesting

      Since the URLs have the same effect if they are launched from the Windows Start menu, and presumably from any application that passes URLs to Windows' URL handler, I don't see how this is Firefox's fault. Combine that with the fact that the URL is valid (%00 is valid URL encoding), and the fact that the flaw only exists when IE7 is installed, and you have a very hard time blaming Firefox for this.

      That said, I completely agree with you on the firefoxurl: flaw.

      --
      http://www.mhall119.com
    12. Re:Obviously firefoxs fault by 140Mandak262Jamuna · · Score: 3, Insightful

      Why should the browser be able to run privileged commands on the OS? Why should it have access to anything other than the cache directory?

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    13. Re:Obviously firefoxs fault by Shados · · Score: 1

      I'm not quite sure you are aware of how much API Microsoft developed... I don't think it's humanly possible, honestly. And each of those APIs are quite large, and projects can touch quite a few. Learning 80% of the ones they're touching? Yes, definitely. Learning 100%? That's just not realistic.

    14. Re:Obviously firefoxs fault by TrebleMaker · · Score: 5, Funny

      for example, could be set in the registry to "shutdown -s -f -t 0"
      Honestly, I read that as "shutdown -s -t -f -u" the first time.

      --
      In Soviet Russia a beowulf cluster of these things imagines you welcoming your new, neural-network overlords.
    15. Re:Obviously firefoxs fault by man_of_mr_e · · Score: 1

      Why should it have access to anything other than the cache directory?

      So where should downloaded files go? In with all the other cache files?

    16. Re:Obviously firefoxs fault by Anonymous Coward · · Score: 0

      Let me tell you, this doesn't fly in the security world. It is not the programmer's responsibility to sanity check the API inputs. The API inputs are supposed to properly handle poor or malformed inputs. In another note, this is only a problem where IE7 is installed. If you had IE6 installed this is not a problem, so HOW is this Firefox's fault again? It is just convenient that MS released a program that updated the API and it created a major issue in a competing product? I will believe this is coincidence when MS releases a patch, until then this looks intentional.

    17. Re:Obviously firefoxs fault by 140Mandak262Jamuna · · Score: 3, Interesting
      download folder could be a sub folder of the cache folder. Without any execute privilege. If you download an executable that you really want to run, you should move it using file manager to another location with execute privilege and then run it. Painful? Maybe. Inconvenient? Definitely. But safe. Convenience should never trump safety.

      If you leave your door open, the cable guy can come in anytime and fix your cable box. You don't have to house sit over that stupid four hour window. Would you do that? Then why do people put up such great resistance to the idea that you must take action, not doable by the browser alone, to download and execute a file from the internet?

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    18. Re:Obviously firefoxs fault by Spy+der+Mann · · Score: 4, Funny

      Microsoft surely knows how to write applications using their own APIs on the operating system *they* developed.

      If by "developing" you mean "IT'S ALIVE, IGOR!! IT'S ALIVE!!!", then, yes, I agree with you! :)

    19. Re:Obviously firefoxs fault by It'sYerMam · · Score: 1

      Since the exploit allows arbitrary code execution, it should be pretty simple to, say, write a script to be executed by cmd.exe, which downloads malware and runs it.

      --
      im in ur .sig, writin ur memes.
    20. Re:Obviously firefoxs fault by gregorio · · Score: 2, Informative

      Since the URLs have the same effect if they are launched from the Windows Start menu
      Well, what if sending a "format" command to Firefox has the same effect as if it was launched from the Windows Start Menu? The thing is: browsers should NOT allow malicious commands to go past its sandbox. Just "passing" commands to a third party IS insecure behaviour.

      Firefox users should not play the blame shifting game, but think that their loved product is responsible for the concept of "everything I click and do without authorising any additional actions on this browser should be secure". Yeah, IE7 received a command from a local app that allows bad stuff to be done? But a lot of local actions allow bad stuff to be done, it's the browser who should be controlling this kind of thing.

      That's the same thing as Firefox executing a link with "C:\Windows\System32\whatever.exe". It's not "windows's fault for opening it", it's firefox's fault for sending the command.

      A browser should NOT redirect commands to external apps unless the security boundaries of that operation are well defined and respected.
    21. Re:Obviously firefoxs fault by SolusSD · · Score: 1

      Learn how to correctly use the functions of the parts of the API they're touching. YES. 100% is _not_ unrealistic.

    22. Re:Obviously firefoxs fault by errxn · · Score: 1

      Wow, I had no idea that Michael Vick was an OS, too!

      --
      In Soviet Russia, Chuck Norris will still kick your ass.
    23. Re:Obviously firefoxs fault by Hucko · · Score: 1

      For this to work, however, Internet Explorer 7 needs to be installed.
      This suggests that there is some funny business going on.
      --
      Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
    24. Re:Obviously firefoxs fault by Anonymous Coward · · Score: 0

      I think it really highlights the difficulties of writing secure code for Windows if you aren't Microsoft. The Windows-specific vulnerabilities with Firefox are pretty much always either a vulnerability in the underlying operating system, a service running on that operating system (like IE7 in this case), or undocumented behaviour in some other component that causes a security risk. The first two are simply not fixable unless you're either Microsoft, or try to mitigate security vulnerabilities through layers of extra code (and you can't do that until after the security vulnerability has been found). Or just don't use any Windows APIs or services, but then you'll end up with a program that works poorly. The undocumented behaviour is simply impossible to even know about, much less fix.

      Remember also that things like DEP are only applied to Windows services and Microsoft software. By default, Firefox will be executed with DEP off, as will any other third-party program.

    25. Re:Obviously firefoxs fault by Anonymous Coward · · Score: 0
      OK, mea culpa, I interpreted what they were saying as Firefox was passing null characters directly via a C API (which would cause the expected problems), but if that's not the case and it's in fact passing proper strings, that would be Windows' fault. From the article:

      According to the Bugzilla entry for this problem, one reason for the new vulnerability is that Windows XP interprets the string %00 incorrectly. As a result, instead of the URL protocol handler, the FileType handler is called with the complete URL, via which it is then possible to call further programs with arbitrary arguments. To defuse the problem, the Firefox developers want to prevent the opening of links containing null bytes (%00).

      I interpreted that as meaning that Firefox was actually sending the null bytes directly. But apparently they actually meant there's a problem with URLs containing the string "%00" and added the "links containing null bytes" to add confusion.
    26. Re:Obviously firefoxs fault by RealGrouchy · · Score: 1

      also... i'm pretty sure if windows was a person he would punch himself in the genitals if he was asked to.
      That would require Windows to be an OS with balls...

      - RG>
      --
      Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
    27. Re:Obviously firefoxs fault by mhall119 · · Score: 2, Insightful

      Firefox is passing a _VALID_ URL to the Windows' URL handler, which is incorrectly parsing the URL. Firefox is not passing commands, Firefox is passing a URL, which Windows then runs as a command, instead of passing it as an argument to the program assigned to handle URLs of that scheme like it is supposed to (and like it does if you have IE 6 installed). This is a Microsoft flaw.

      --
      http://www.mhall119.com
    28. Re:Obviously firefoxs fault by man_of_mr_e · · Score: 1

      Convenience trumps safety all the time. If we brought your argument to its logical conclusion, nobody would ever leave their well fortified house. They'd all grow their own food, have their own way to reprocess waste, etc... Most people, however, need and maybe even like to leave their home and interact with people who could be dangerous or whatever.

      There is always a balance between safety and convenience. Sometimes one or the other wins out, depending on priorities.

    29. Re:Obviously firefoxs fault by gregorio · · Score: 1

      Firefox is passing a _VALID_ URL to the Windows' URL handler, which is incorrectly parsing the URL.
      Firefox is passing stuff from webpages directly to the operating system. That's bad design.

      Firefox is not passing commands, Firefox is passing a URL, which Windows then runs as a command, instead of passing it as an argument to the program assigned to handle URLs of that scheme like it is supposed to (and like it does if you have IE 6 installed).
      Firefox is calling the operating system with user-supplied data without checking if it's safe. That's stupid.

      This is a Microsoft flaw.
      Stop bashing Microsoft, loonie.
    30. Re:Obviously firefoxs fault by norton_I · · Score: 1

      That is true, but that isn't what is happening here, according to the article.

      According to the article, this happens when you click on a mailto: link with escaped null bytes in it, and instead of launching the registered mail client (i.e., Outlook), a command specified in the URI (calc.exe) is executed. This seems to work regardless of which URI scheme is used, and regardless of what the associated handler is. Sounds like a pretty cut-and-dry windows bug to me.

    31. Re:Obviously firefoxs fault by FST777 · · Score: 1

      Firefox is passing stuff from webpages directly to the operating system. That's bad design.
      No, that's perfectly normal. That is what the URL handler is for. If I get a mms:\\ URI on a webpage, I want Firefox to open the correct mediaplayer, based on my system settings. On Windows, that means that any URI that Firefox itself can't handle should be passed to the OS. This is normal behaviour, not bad design.

      Firefox is calling the operating system with user-supplied data without checking if it's safe. That's stupid.
      What you try to imply here is that the Firefox devs should know about every single bug in every OS they code for, and make sure that nothing they send to the OS will trigger one of those bugs. Furthermore, if they fail to do so, it is their fault, not the OS'. Wow.

      Stop bashing Microsoft, loonie.
      I know I'm just feeding the troll, but: stop bashing Firefox, please. Thank you.
      --
      Free beer is never free as in speech. Free speech is always free as in beer.
    32. Re:Obviously firefoxs fault by mvdwege · · Score: 1

      And whose problem is this...?

      Mart
      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    33. Re:Obviously firefoxs fault by Howserx · · Score: 1

      Damn that's good. Next time I code something I'm gonna make sure that it uses those switches (in that order). I'll call the program "Please" just so I could tell the user "Please -s -t -f -u"

      --
      I support the troops. I pay f'ing taxes.
    34. Re:Obviously firefoxs fault by Anonymous Coward · · Score: 0

      Sounds like someone has some aggression issue. Maybe you need to shutdown -killyourdog now

    35. Re:Obviously firefoxs fault by juhaz · · Score: 1

      Firefox is calling the operating system with user-supplied data without checking if it's safe. That's stupid.
      They DID check it was safe. It WAS safe. Microsoft then changed the behavior and now it's no longer safe.
      Firefox is calling the operating system with user-supplied data without checking if it's safe. That's stupid.
      And this is Firefox's fault?
    36. Re:Obviously firefoxs fault by juhaz · · Score: 1

      It is Firefox's fault. They're invoking a Windows API directly without doing any sanity checking on the input.
      They are doing sanity checking. Microsoft just changed the API, without warning, and what used to be sane is no more.

      If I create a URL that manages to get Firefox to tell Windows to run a command, how is that Windows' fault? Firefox is the one that told Windows to execute the command, Windows just did what Firefox told it to do.
      It's not, but that's not what happens here. You created a URL that tells Windows to run registered URL handler with given argument, and it did exactly that - until one night, Windows Update installed IE7, and now the same URL executes the argument instead of the url handler.
    37. Re:Obviously firefoxs fault by Blakey+Rat · · Score: 1

      Please. As far as software quality goes, Microsoft is already way ahead of most companies. Have you ever used any Sony software? It's like sticking hot pins in your eyes. Or how about a HP printer driver utility? I'd rather jump into a swimming pool of broken glass. Hell, I just installed an EA game (recommended by a friend) that not only requires Admin access, but doesn't support 1680x1050 monitors... at all! I have to run my LCD panel at non-native resolution to even play it. (WTF, I'll name names. It's Battlefield: 2142.)

      If it's a Microsoft application, you can at least be 90% sure it'll work with Fast User Switching, with limited-access user accounts, cope when you change color/theme settings, etc. The majority of the Windows software world will not.

      Is it a problem that Microsoft software has bugs? Of course. Is Microsoft a "bad" software company? Not by a long shot. Most software is shit.

    38. Re:Obviously firefoxs fault by mhall119 · · Score: 1

      Firefox is passing stuff from webpages directly to the operating system. That's bad design.
      No, that is how it is supposed to work. You don't want Firefox mangling your URL before it passes it to the program you expect to assigned it. At most, Firefox should verify that the URL is valid, but this flaw uses VALID URLs, so even that wouldn't protect you.

      Firefox is calling the operating system with user-supplied data without checking if it's safe. That's stupid.
      Firefox is passing a valid user-supplied URL string to Windows, to be passed on to another program. At this point, it is safe. Windows is turning around and allowing that URL to launch an arbitrary program instead of the program assigned to the URL's scheme, this is the part that is unsafe. Notice that this happens after Firefox is no longer involved.

      Stop bashing Microsoft, loonie.
      Determining the root cause of a security flaw is "bashing" now? Would you rather leave the hole wide open and just say it's nobody's fault?
      --
      http://www.mhall119.com
    39. Re:Obviously firefoxs fault by cecil_turtle · · Score: 1

      Firefox is giving URLs with INVALID CHARACTERS to Windows, and Windows is treating them as best it can, which can be exploited.
      Nonetheless, Firefox can fix their problem (which they will) but it doesn't make Windows any less vulnerable to the problem from other applications. And, as already pointed out, Microsoft needs to fix the problem because by their own definition (receiving application needs to verify input before doing something) they are responsible.

      and Windows is treating them as best it can
      No, Windows is not treating the invalid input as best it can. If it were, there would be no problem here.

      The problem really does need to be fixed on both ends. Defense-in-depth and all of that.
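
Added example (not part of the original thread, and not Mozilla's actual patch): a caller-side check of the kind the comments above discuss, refusing percent-encoded null bytes before a URI reaches the OS protocol-handler dispatch and placing `--` ahead of the URI in the handler's argument list. The scheme allowlist, function names, handler path and sample URIs are constructed for illustration; whether a given handler honours `--` is an assumption.

```javascript
// Constructed allowlist: schemes this hypothetical client agrees to pass
// on to an external handler. Everything else is refused outright.
const ALLOWED_SCHEMES = new Set(["mailto", "news", "nntp", "snews", "irc"]);

// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
const SCHEME_RE = /^([A-Za-z][A-Za-z0-9+.\-]*):/;

// Characters RFC 3986 lets appear literally in a URI (unreserved, reserved,
// and "%" introducing an escape). Space, double quote, backslash and raw
// control characters are outside this set.
const URI_CHARS_RE = /^[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]*$/;

// Returns the byte values named by %XX escapes, or null when an escape is
// malformed (for example "%0" or "%zz").
function decodedBytes(uri) {
  const bytes = [];
  for (let i = 0; i < uri.length; i++) {
    if (uri[i] !== "%") continue;
    const hex = uri.slice(i + 1, i + 3);
    if (!/^[0-9A-Fa-f]{2}$/.test(hex)) return null;
    bytes.push(parseInt(hex, 16));
    i += 2;
  }
  return bytes;
}

// Collects every reason a URI should not be handed to an external handler.
function checkExternalUri(uri) {
  const reasons = [];
  const m = SCHEME_RE.exec(uri);
  if (!m) {
    reasons.push("no-scheme");
  } else if (!ALLOWED_SCHEMES.has(m[1].toLowerCase())) {
    reasons.push("scheme-not-allowed");
  }
  if (!URI_CHARS_RE.test(uri)) reasons.push("invalid-character");
  const bytes = decodedBytes(uri);
  if (bytes === null) {
    reasons.push("malformed-escape");
  } else {
    // %00 is syntactically valid URL encoding, so it needs its own check.
    if (bytes.includes(0x00)) reasons.push("encoded-nul");
    if (bytes.some((b) => (b > 0x00 && b < 0x20) || b === 0x7f)) {
      reasons.push("encoded-control");
    }
  }
  return { ok: reasons.length === 0, reasons };
}

// Builds the argument vector for a handler. The URI is passed as a single
// argument after "--" so it cannot be read as an option; it is never
// concatenated into a command-line string.
function handlerArgv(exePath, uri) {
  const verdict = checkExternalUri(uri);
  if (!verdict.ok) {
    throw new Error("refused: " + verdict.reasons.join(","));
  }
  return [exePath, "--", uri];
}

// Constructed sample inputs; the firefoxurl: string is the one quoted
// in the thread.
const SAMPLES = [
  "mailto:user@example.com?subject=hello%20world",
  "mailto:user%00@example.com",
  "news:group%0d%0aname",
  "mailto:a%0",
  "firefoxurl: -chrome javascript:alert('Oops.')",
];

for (const uri of SAMPLES) {
  const v = checkExternalUri(uri);
  console.log(v.ok ? "PASS  " : "REFUSE", uri, v.reasons.join(","));
}
```
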
  3. Re:both of these browsers are gay by Anonymous Coward · · Score: 0, Funny

    Lynx is a furry, though. Would you rather be gay or a furry?

  4. Re:bug database by Anonymous Coward · · Score: 3, Informative

    Mozilla is leading the race to a patch as they have a PATCH in their bugzilla database.

  5. Re:bug database by PinkPanther · · Score: 4, Informative
    No, read the synopsis again:

    Mozilla currently is leading the race for a patch, as they have one ready in their bugzilla database.

    They are leading the race for a patch. They have one (PATCH) ready in their database.

    --
    It's a simple matter of complex programming.
  6. Re:bug database by Anonymous Coward · · Score: 0

    lurn to reed honi!

    it sez mozilla's already got a PATCH darling...

  7. I don't have IE7.. by the_rajah · · Score: 1

    on my Ubuntu machine or my Mac, you insensitive clod!

    Actually, I don't have it on my XP-Pro SP2 machine I use to run Quickbooks, either.

    --
    "Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
    1. Re:I don't have IE7.. by Anonymous Coward · · Score: 0

      So you only use Windows for Quickbooks? Two words: Virtual Machine. I like VMWare Fusion on my Mac, myself.

  8. Errr by ilovegeorgebush · · Score: 2, Insightful

    To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.
    What, sort, of, sentence, is, that?!
    1. Re:Errr by Anonymous Coward · · Score: 0

      Leave, him, alone,. He, has, comma, fetish,.

    2. Re:Errr by GreenEnvy22 · · Score: 2, Funny

      I believe that would be one from the William Shatner school of grammar.

    3. Re:Errr by snowgirl · · Score: 1

      I thought that the sentence was generally unnecessary, also. Yes, geeks will understand it, yes slashdot is targeting geeks... but why should we be acting so damn pretencious?

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    4. Re:Errr by camperdave · · Score: 1

      I agree. It sounds like the users should be elucidating which URIs are superfluous, whereas it was probably intended that the author be the one doing the elucidating.

      --
      When our name is on the back of your car, we're behind you all the way!
    5. Re:Errr by andawyr · · Score: 1

      A perfect demonstration of the incorrect usage of the comma.

    6. Re:Errr by east+coast · · Score: 1

      A perfect demonstration of the incorrect usage of the comma.

      Absolutely, but it, could, be, wor,se.,, I, gues,s,.

      --
      Dedicated Cthulhu Cultist since 4523 BC.
    7. Re:Errr by Anonymous Coward · · Score: 0

      Did you REALLY find that hard to understand?

    8. Re:Errr by Anonymous Coward · · Score: 0

      If I had mod points, I would mod you funny for misspelling pretentious.

    9. Re:Errr by Anonymous Coward · · Score: 0

      Great gag. Mods are on lemons today it would seem.

    10. Re:Errr by snowgirl · · Score: 1

      Eh... I'm not a pretentious person. I make mistakes, and I don't care about big words. :) It would be funny though.

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
  9. Didn't work in seamonkey by splatter · · Score: 1


    Using XP sp2 with seamonkey 1.1.1 and none of the links worked.

    --
    "(I) have this unfortunate condition that causes me not to believe a single thing any politician says when a mic's on.
  10. No Microsoft Software has Bugs by Cassini2 · · Score: 2, Funny

    Microsoft software does not have bugs. They have "undocumented features". It is a feature that Internet Explorer 7 works this way. When properly embraced, it extends the operating system with new features, and extinguishes all problems.

    Be positive about these features!!! :-)

    1. Re:No Microsoft Software has Bugs by Anonymous Coward · · Score: 0

      nice try, i almost laughed..almost

  11. !Root by rustalot42684 · · Score: 4, Funny

    Maybe if they weren't running as root *all the time*, they wouldn't have so many problems.

    1. Re:!Root by Himring · · Score: 0, Troll

      How is parent offtopic? Truly, the vast majority of security woes in Windows is due to the entirely asinine practice instituted by microsoft ages ago wherein root is assumed. This has created both the hallofshame for applications that cannot work without it, and a useless registry entry for anonymous network access wherein, if changed to anything but default (where anonymous access across the network is wide open) then things just stop working in windows networking -- tiny things like, you can no longer see other computer or change your password or get to shares on servers....

      If only mod points went to only the really technical member of /.

      --
      "All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
  12. responsibility by brenddie · · Score: 1

    The question of who is responsible for this vulnerability is again likely to be the subject of heated debate. In the previous cross browser vulnerability, Internet Explorer was passing crafted URLs to Firefox. In that case, the IE team denied all responsibility, stating that, "It is the responsibility of the receiving (called) application to make sure it can safely process the incoming parameters." If this is the case, then it would be Microsoft rather than Mozilla who find themselves forced to make the next move in remedying the unsafe behaviour.


    At least the Firefox team is not crossing their arms and shifting the blame back to IE, they are actually doing something to help solve the problem.
    --
    The best test environment is production. - Me
    chrome://browser/content/browser.xul
  13. Didn't work for me... by supremebob · · Score: 4, Funny

    I tried this on my computer, and the mailto: tag ended up getting redirected to my GMail account. Thanks, Google Toolbar!

    Once again, Google saves the day! Is there nothing that Google can't do? :)

    1. Re:Didn't work for me... by ZachMG · · Score: 0

      This isn't anything new, in my web design class we were taught this out of a textbook to "integrate our sites" into the user's experience. Seriously.

      --
      There is hopeful symbolism in the fact that flags do not wave in a vacuum. --Arthur C. Clarke
    2. Re:Didn't work for me... by Anonymous Coward · · Score: 0

      Google cannot pity foo's as well as Mr T, and cannot roundhouse kick like Chuck Norris.

    3. Re:Didn't work for me... by Anonymous Coward · · Score: 1, Funny

      Is there nothing that Google can't do? :)

      Alas, it can't get me laid =(

    4. Re:Didn't work for me... by supremebob · · Score: 1

      Didn't try Googling "Bunny Ranch" yet, eh? :)

  14. Maybe worth noting... by WhiteKnight07 · · Score: 1

    Only the one at the very bottom, listed as requiring user interaction, functions in Seamonkey and succeeds in launching Windows calculator. The mailto: one starts Seamonkey's mail and newsgroups. All the others just bring up an address not found error page.

    --


    We're going to make information free Mr. Anderson, whether you like it, or not.
    1. Re:Maybe worth noting... by Peter+Mork · · Score: 1

      And none of the links are a problem in Opera.

  15. well.. by spotlight2k3 · · Score: 1, Flamebait

    If using firefox, is there really a need to have ie7 installed anyway?

    1. Re:well.. by supremebob · · Score: 4, Informative

      If you're a Windows Vista user, you don't really have a choice. It comes pre-installed if you want it or not.

    2. Re:well.. by moore.dustin · · Score: 1

      Yes. It is nice to be able to keep some tabs open overnight and not have to force quit FF to free up the memory and start a new session. I do not know about you, but a 900MB memory footprint after 2 days seems... well it seems just a tad excessive.

    3. Re:well.. by Embedded2004 · · Score: 1

      Yeah I use FF exclusively and the need to restart the browser daily does get annoying.

      Sometimes it is either a memory hog or somehow gets stuck on 99% CPU usage.

    4. Re:well.. by spotlight2k3 · · Score: 1

      Really? I have my FF up for at least a week most times before I restart it and usually my kid does that by hitting the reset button (3 yr old). Never have had a memory problem.

    5. Re:well.. by Anonymous Coward · · Score: 0

      It's kind of like outlawing abortion. You had your choice already, and you chose to have sex with Microsoft and install Vista in the first place.

    6. Re:well.. by Embedded2004 · · Score: 1

      Yeah. This happens on all 7-10 desktops and laptops I've used over the past 2 years.

    7. Re:well.. by cbhacking · · Score: 1

      In the testing I've done with this (Vista x86 Ultimate Edition, UAC and Protected Mode enabled, fully patched IE7 and Firefox, both used actively... though I'm actually posting from openSUSE in Konqueror at present) it doesn't even work in Vista. Neither did the firefoxurl: handler attack. I wonder if the difference is in how Vista handles URIs, or the different permission levels, or something else... in any case, from my experience, Vista users are safer than XP users here (which is as it should be, after all).

      --
      There's no place I could be, since I've found Serenity...
  16. So the solution by piratesyarr · · Score: 1

    is to uninstall IE7? That's easy. I never installed it in the first place.

    --
    Small though it is, the human brain can be quite effective when used properly.
  17. Perfectly Fine by cromar · · Score: 1

    A sentence with several phrases separated by a profusion of commas - and one hyphen :)

  18. Yea, pretty much. by SatanicPuppy · · Score: 2, Funny

    Worst sentence I've read in a while, and during lunch I had to listen to a friend copyediting some weenie who routinely left out the verbs in his sentences.

    Elucidate and superfluous are dross from a word of the day calendar; the english major equivalent of e-penis. Three seperate comma seperated subclauses in the sentence. Overuse of the passive voice. The use of an uncommon acronym (URI) can perhaps be forgiven since it's Slashdot. Hyphens are hard to use well, and should NOT be used unless you know exactly what you're doing.

    How about this: "In the author's opinion, users should deregister all unnecessary URIs. He does not, however, give instructions on how to do so."

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    1. Re:Yea, pretty much. by __aaabsi3154 · · Score: 1

      Ironic, then, that you would use dross in your response. Isn't it a rarely used word as well? Or were you just flexing your e-penis?

    2. Re:Yea, pretty much. by SatanicPuppy · · Score: 4, Funny

      Actually I was being ironic on purpose. I guess I feel like I have to prove that I'm not against their word choice simply because their bombastic verbiage outstrips my linguistic comprehension, but rather because their grandiloquent ostentation obfuscates their actual meaning. (---E-penis +10 bitches! ;)

      Never understood the obsession with big words. The point is to be understood, right? There are times when it is more elegant to use the word that has the exact nuance of meaning that you're trying to convey, but for the most part it's a lot more effective to use a word that everyone will understand.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    3. Re:Yea, pretty much. by Anonymous Coward · · Score: 0

      How about this: "In the author's opinion, users should deregister all unnecessary URIs. He does not, however, give instructions on how to do so."

      Better yet: "The author suggests removing unnecessary resource handlers, but he doesn't say which ones are unnecessary."

    4. Re:Yea, pretty much. by SatanicPuppy · · Score: 1

      Oooo yea, that's better. Killed the passive "In the authors opinion." Not even sure "deregister" is a word, killed the annoying acronym, and the "however" crap is a weakness of mine.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    5. Re:Yea, pretty much. by ShieldW0lf · · Score: 0, Offtopic

      How about this?

      Some of us have a vocabulary.

      We use more unusual words because they more precisely express what we're trying to communicate.

      We don't think "What's a smarter-sounding word for 'clearly explain'?". We think "elucidate".

      We actually think in these "big words" because we thoroughly understand them and they express what we're trying to say.

      Why don't you grab a dictionary and educate yourself instead of throwing stones at your betters and revealing that you don't belong among them?

      --
      -1 Uncomfortable Truth
    6. Re:Yea, pretty much. by Anonymous Coward · · Score: 0

      Three seperate comma seperated subclauses in the sentence.
      Teehee.
    7. Re:Yea, pretty much. by Control+Group · · Score: 0, Offtopic

      Hyphens are easy to use well, as in "short-sighted," or (not often applicable online) when a word will not fit on the current line.

      Em dashes (or em rules, depending on to whom you're speaking) are indeed a little trickier, but they aren't exactly NP-hard. The em dash can be thought of as a pause in the sentence, stronger than a comma, but weaker than a parenthesis. One wouldn't be far off base thinking of it as similar to a colon - though the two aren't perfectly interchangeable, of course.

      Frankly, I don't see a problem with the use of the em dash in the submission.

      On the other hand, you're right about the overall quality of the submission. "Elucidate" is far from a necessary word choice; one could even argue it's not even the right word to begin with. The ambiguous predicate clause, which seems to say the users shouldn't elucidate which are superfluous, is very poorly written.

      Your suggestion is much better, except that it should be: "In the authors' opinion, users should deregister all unnecessary URIs. They do not, however, give instructions on how to do so."

      (By preference, I would have kept it as one sentence separated by a semicolon, but I have an illicit love affair with sentences that are too complex; I have a peculiar weakness for the semicolon in particular)

      --

      Reality has a conservative bias: it conserves mass, energy, momentum...
    8. Re:Yea, pretty much. by SatanicPuppy · · Score: 1

      I don't feel a need to use my vocabulary as a bludgeon against people who I believe to be intellectually inferior to myself. When I string words together, I'm not just talking to my linguistic equals, I'm talking to anyone who may happen to read what I've written.

      I do this because my goal is to convey information clearly, to elucidate, as it were. It is in no way my intention to cloud my point with words that most English speakers won't clearly understand, not to mention all the people here whose primary language is not English.

      If you think a huge vocabulary is a sign of intelligence, you're wrong. It's merely a sign that you have a large vocabulary. It may make you better at Crosswords and Scrabble, but that's about it. By constantly using a word like "elucidate" when you could as easily say "conveys clearly" or even, in this case, using the word "say."

      A sentence like the one in the summary would be unacceptable in any job where clear, meaningful writing was required. It's also ugly, so it's hardly suited to more artistic writing. So what exactly is the point of crafting such a piece of impenetrable prose? Self-aggrandizement, and nothing more.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    9. Re:Yea, pretty much. by Mattwolf7 · · Score: 1

      "But do not use semicolons. They are transvestite hermaphrodites, standing for absolutely nothing. All they do is show you've been to college." -KV

    10. Re:Yea, pretty much. by SatanicPuppy · · Score: 1

      As far as I'm concerned the AC above won the thread with: "The author suggests removing unnecessary resource handlers, but he doesn't say which ones are unnecessary." Short, active voice, very clear.

      Agreed on the "-"; it was actually used in a valid way, but the sentence was moving into run-on territory, and needed to be stopped (As you can see, I love the ";" as well).

      The word choice was by far the biggest problem, in my opinion. The desire to use a fancy word should never overcome the need to be understood...Unless you're James Joyce, or Thomas Pynchon, where being understood isn't the point.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    11. Re:Yea, pretty much. by cromar · · Score: 1

      Semicolons are TOTALLY sweet; they are AWESOME.

    12. Re:Yea, pretty much. by stonecypher · · Score: 3, Insightful

      There are times when it is more elegant to use the word that has the exact nuance of meaning that you're trying to convey, but for the most part it's a lot more effective to use a word that everyone will understand.
      Yeah, because if there's one thing that makes language easier to understand, it's changing your usage of a word depending on to whom you speak. Did it occur to you that the root of the problem is your fix? The only reason these people don't know these words is because other people around them are wrapped up in the fantasy that language is defined by usage, and that therefore it is somehow correct to be incorrect.

      If you'd just speak formally _all_ the time, that'd be one less source of confusion for the unwashed masses. It turns out these things aren't inbuilt; they have to be learned from exposure. By denying exposure in the desperation to be understandable, you rob them of the chance of understanding in the long term.
      --
      StoneCypher is Full of BS
    13. Re:Yea, pretty much. by SatanicPuppy · · Score: 1

      I don't think it's "dumbing down" to try and convey your idea in a form that will be understood by the majority of people...That's the goal, right? I don't have to shoehorn in a big word if I can convey the same idea with two more common words. The worst is when the larger word is actually less appropriate to your meaning than the smaller word (as in the summary), so you're actually warping your idea just so you can use a big word.

      In a situation where there really is one word that really conveys the exact meaning, and there is no other word that will do in that situation, you've got to use the big word.

      But that doesn't happen very often.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    14. Re:Yea, pretty much. by stonecypher · · Score: 1

      Oh, I may have misunderstood. When I responded, I thought you were taking the line that some people take with regards to commonly misunderstood words - my personal pet peeve example being irony, wherein one is somehow excused from being correct with regards to the meaning of the word, on basis that the communicated value - expecting the other side to misunderstand the word in a specific fashion - would be superior. Given that it now seems that you are advocating eschewing large words except when necessary, I tend actually to agree with you strongly.

      My apologies; I misread what you were saying.

      --
      StoneCypher is Full of BS
    15. Re:Yea, pretty much. by SatanicPuppy · · Score: 1

      No worries. I didn't express myself as well as I would have liked...I'm pretty good with using the more common word, unfortunately I tend to use three when I should only use two, or none at all.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    16. Re:Yea, pretty much. by Anonymous Coward · · Score: 0

      Hey genius, maybe the problem is that the density of the 50-cent words was too high and that it made the sentence cumbersome and pretentious?

      Naw, you just go tell 'em, I'm sure everyone you talk to that way is set straight by the awesome force of your insights.

    17. Re:Yea, pretty much. by jacksonj04 · · Score: 1

      I find it ironic that you didn't mention Alanis Morissette in... your...

      Dammit, this butchering the language thing is harder than it looks isn't it?

      --
      How many people can read hex if only you and dead people can read hex?
    18. Re:Yea, pretty much. by ShieldW0lf · · Score: 1

      Personally, I regularly mispronounce words because I've read them a million times and they're what comes to my head when I try to communicate my thoughts, but I've never heard anyone actually use them. It happens at least a couple times a week.

      Does a poor vocabulary mean you have a weak intellect?

      Not necessarily.

      Does it mean you have poor communication skills, that you depend more on other people's ability to guess the "gist" of what you're saying, that you are crippled when you try to communicate in the written medium where you don't have access to body language?

      Yes. That is precisely what it means.

      --
      -1 Uncomfortable Truth
  19. Re:LOL by Anonymous Coward · · Score: 0

    As firefox begins to suck more and more, it becomes Microsoft's fault. There's only so much an application can do to stop the underlying OS from sucking.
  20. Not just Firefox. by miffo.swe · · Score: 5, Informative

    Just about any application can forward malicious data to IE7. Microsoft can blame Firefox all they want but the hole will still exist in IE7 after having been patched by the Mozilla org. I repeat, the hole is accessible from any application connecting to the internet, not just Firefox. IE6 does not have this security issue so it's safe to assume the fault lies with Microsoft. Last time when the roles were the other way around, when Firefox passed malicious things onto IE Microsoft said the receiving application was at fault because it should check if it could handle what it received. Well, this time that's just how it is, IE7 does not check what it receives at all. In short, IE7 is unsafer in this case than IE6 was and the fault does according to previous statements from Microsoft not lie in the sending application (Firefox) but in the receiver (Internet Explorer 7).

    --
    HTTP/1.1 400
    1. Re:Not just Firefox. by KiltedKnight · · Score: 5, Informative
      Based on what is said in TFA, if you pass the specially crafted URI into the Start->Run box, it will produce the same results.

      This indicates that the problem is in Windows' parsing of URIs... as stated in the article. It's the handling of the NULL (%00) byte.

      This has absolutely nothing to do with Firefox, but kudos to the Mozilla developers for trying to block the opening of null-byted URIs.

      --
      OCO is Loco
    2. Re:Not just Firefox. by Keeper · · Score: 1

      Really? So you're saying that IE7 should parse and sanitize input for an unknown/undefined URI? How would you propose that be done? Wouldn't that be something that, say, the URI handler ought to do? You know, the thing that actually knows what the URI is and what content it should have? Nah, easier just to say it's IE's fault...

    3. Re:Not just Firefox. by Keeper · · Score: 1

      It doesn't have squat to do with null bytes (you don't need a null byte in the URI to trigger an exploit); it has to do with how Firefox specifies its URI handler and how it parses command line input.

    4. Re:Not just Firefox. by griffjon · · Score: 4, Funny

      as stated in the article. It's the handling of the NULL (%00) byte.

      At the risk of abusing a double negative, Windows can't even do nothin' right.

      --
      Returned Peace Corps IT Volunteer
    5. Re:Not just Firefox. by KiltedKnight · · Score: 2, Interesting
      I suggest you go back and read the article.

      If you prefer the Readers' Digest version with your helping of crow:

      Installing IE 7 clearly changes the way Windows processes URIs. This is clearly illustrated by what happens if you pass the "bad" link directly to the Windows shell via the "Run" option in the Start menu. With IE6 installed, Outlook Express is launched, with IE7, cmd.exe and the calculator.
      And

      According to the Bugzilla entry for this problem, one reason for the new vulnerability is that Windows XP interprets the string %00 incorrectly. As a result, instead of the URL protocol handler, the FileType handler is called with the complete URL, via which it is then possible to call further programs with arbitrary arguments.
      --
      OCO is Loco
    6. Re:Not just Firefox. by brunascle · · Score: 1

      Yes, it is the null byte. Go ahead, try it yourself in Start->Run (just did myself). Take the mailto link from here (lameness filter won't let me put it here): http://xs-sniper.com/blog/remote-command-exec-firefox-2005/
      Then try the same URI without the 2 null bytes.

    7. Re:Not just Firefox. by nickyj · · Score: 1

      Guess Outlook has the same bug if you make an HTML email with that type of malicious link no?

      --
      Causing Chaos Everywhere,
      Nik J.
      The strange world of a loner, in a populous city, drowning in society
    8. Re:Not just Firefox. by Tim+C · · Score: 1

      the fault does according to previous statements from Microsoft not lie in the sending application (Firefox) but in the receiver (Internet Explorer 7).
      This touches on what is quite possibly the most basic lesson every single programmer should learn - your application absolutely must not trust data from uncontrolled sources. In fact, trusting data from trustworthy sources is a bad idea, as those sources may be tampered with or otherwise corrupted.

      Always, always check your inputs!

      Never mind what MS did or did not say, I am increasingly of the opinion that any half-way experienced programmer who doesn't realise the danger of accepting arbitrary input from arbitrary sources and trusting it to be safe shouldn't be in the job.
    9. Re:Not just Firefox. by Anonymous Coward · · Score: 0

      Really? So you're saying that IE7 should parse and sanitize input for an unknown/undefined URI? How would you propose that be done? Wouldn't that be something that, say, the URI handler ought to do? You know, the thing that actually knows what the URI is and what content it should have? Nah, easier just to say it's IE's fault...

      You really should refrain from talking unless you understand even the slightest bit about what this is.

      The problem is not that IE7 should parse and sanitize input, the problem is that it DOES parse it and that parsing has a bug that triggers this vulnerability.

      Obviously, the handler ought to sanitize its own input, but get this, THIS HAPPENS BEFORE THE URI HANDLER, because IE is part of Windows and functions as a middle man between the browser and the actual URI handler, and it is during this middle phase that things go awry.
  21. Firefox? by Anonymous Coward · · Score: 0

    I used to keep that installed to look for page consistency issues when doing some minor web design. But no more! That Firefox crapware is coming off today!

  22. Survey says - "All of them"? by pla · · Score: 4, Insightful

    To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.

    I can answer that one for ya - Everything that FireFox doesn't handle internally; So basically, kill everything except "http", "https", and "ftp".

    If you want to send email, open your email program and paste the address in. If you want to read newsgroups, open your newsreader and select the desired group. If you want to use some specialized protocol that requires a dedicated app anyway (like many P2P URIs), open them in the appropriate program.

    Your web browser should not serve as a no-click interface to every network-enabled app on your machine. Period.

    1. Re:Survey says - "All of them"? by Anonymous Coward · · Score: 0

      I disagree with you. It's clearly becoming more and more true that the browser is the OS. Firefox should have more sanity checking on URLs, and I'm glad they're putting it in there. And MS should certainly live up to what they said about receiving applications and fix IE.

  23. Kinda cool by d3ac0n · · Score: 5, Insightful

    Actually, while incredibly insecure, it is kinda cool to be able to slap in any program path in that malformed string and open any program.

    For example, try this one if you have EVE installed on your PC: (You will have to copy-paste it as the Slashdot filter prevents the links from working.)

    snews:%00%00../../../../../../windows/system32/cmd ".exe../../../../../../../../Program Files/CCP/EVE/eve.exe " - " blah.bat

    --
    Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
    1. Re:Kinda cool by Cajunator · · Score: 0

      (You will have to copy-paste it as the Slashdot filter prevents the links from working.)

      Yea! Slashdot is my new proxy for malicious hyperlink protection!!
  24. Re:bug database by Anonymous Coward · · Score: 0

    I thought all Primus fans were somewhat educated readers...

  25. Re:both of these browsers are gay by fr4nk · · Score: 0, Redundant

    I use the modem that is built into my brain for browsing the web. I call my ISP's dial-up number with a phone, receive data with my ears and send packets through my mouth.

    Just like that robot chick from Terminator!

  26. Microsoft's fault, yet again. by Zekasu · · Score: 0, Flamebait

    Clearly, the fault lies in Microsoft's IE7. Why? The problem comes from IE7, not Firefox. I don't know, but the last time I checked, Internet Explorer was integrated into the Windows Shell, laying room for much potential harm.

    My point being? If you have the plugin installed that allows Firefox to utilize ActiveX by running an instance of Internet Explorer in it, and someone has an ActiveX exploit on their page, which browser is liable to fix the vulnerability? Internet Explorer, obviously. Will they do it in a timely manner? Most likely not.

  27. and so on and so forth by twitter · · Score: 1, Insightful

    and the problem does not exist for Firefox before "upgrading" to IE 7 or on other platforms because M$ has yet to force sane user and privilege separation and on and on. Is there any way this could be anything but a M$ problem?

    --

    Friends don't help friends install M$ junk.

  28. XP too. by twitter · · Score: 1

    Is there any way to avoid IE7 if you are an XP user? I thought it was a forced "update" that had to be installed, unless you are a big company with your own special hell of updates and patches.

    --

    Friends don't help friends install M$ junk.

    1. Re:XP too. by Anonymous Coward · · Score: 0

      Just make sure you don't have auto updates set to auto download and auto install. You can then choose to not install IE7.

    2. Re:XP too. by Gr8Apes · · Score: 1

      Try Control Panel->Administrative Tools->Services->Automatic Updates, right click, press the Stop button if it's enabled, and then set the Startup Type to Disabled.

      One of the first things I do with a new Windows box.

      --
      The cesspool just got a check and balance.
  29. Re:bug database by Alwin+Henseler · · Score: 5, Interesting

    Unfortunately it doesn't fix the real problem, only makes FF work around it. Other applications could have the same issue on affected systems. According to TFA:

    (..) one reason for the new vulnerability is that Windows XP interprets the string %00 incorrectly. As a result, instead of the URL protocol handler, the FileType handler is called with the complete URL, via which it is then possible to call further programs with arbitrary arguments.

    If this is true, it is the URL protocol handler that needs a patch (or whatever replaces/modifies its behaviour when IE7 is installed).

    One more reason I prefer Open Source software: If you're a developer and run into a problem like this, then besides work around it in your application, you also have the option to fix the actual problem (in this case, the OS component that handles URL's). Next to impossible on a closed source OS.

  30. Solution: DON'T INSTALL IE7 by Filter · · Score: 0, Troll

    Solution: DON'T INSTALL IE7

    --

    "better ways of doing things eventually just replace the inferior things" - Linus Torvalds 09-08-07

  31. IE7 is safer than Firefox. by Anonymous Coward · · Score: 0

    IE7 is safe - clicking on test links brings nothing.

    Imho, ie7 is much safer than firefox:
    Try http://bad.on.nimp.org/ [WARNING: hard porno content] - it's kind of a joke page...
    It tries to launch irc/mail/video/etc.
    On ie7 (security settings set to High, js enabled) - nothing happens. Just one photo+security warning.

    Firefox launches video player, irc, and crashes (this is something like forkbomb...).
    To view page without 'surprise' you have to switch js off.

    Warning - this 'works' even on firefox on linux.

    So maybe it's rather firefox's security problem?...

  32. Not the end of the story by ImaLamer · · Score: 1

    Don't worry you can easily remove IE7 from Vista:

    1. Download an Ubuntu Live CD
    2. Install Ubuntu
    3. ....
    4. Profit!

    After receiving a new laptop with Vista I found that it could take up to five minutes for the machine to be usable from a cold start. It is the first time I've used Linux for anything other than serving up web pages (or other network service) and I'm in love all over again.

    1. Re:Not the end of the story by KarmaMB84 · · Score: 1

      The theory is that you can either hibernate or standby the machine and bring it up lightning fast. Hibernate actually shuts the entire machine off and restores when you boot it back up so until the machine starts acting wonky and needs an OS restart, there's no reason to do a full shutdown.

    2. Re:Not the end of the story by ImaLamer · · Score: 1

      AHA! You see that's where you are wrong. The hibernate feature works, sure, but the system still takes a lot of time to start and even worse is rarely stable.

      I tried it many times, usually it made me restart the machine, which just took more time. Don't get me wrong, I love XP and 2000 for their speed and *gasp* their stability (I've had an XP install going for just over four years... hosting webpages with Apache), but Vista just needs too much power to run. Throw in games or even a running notepad.exe and the machine is thrashing.

      Simply: A brand new PC should not need a RAM upgrade when it is removed from the box. I'm usually pretty happy with Windows, but now I'm somewhat pissed.

  33. If IE7 is to blame, why isn't IE7 vulnerable? by StonyUK · · Score: 2, Insightful

    If IE7 is to blame, then how come it isn't vulnerable to such malformed URIs? Presumably it already checks for these 0x00 characters, whereas FF didn't until 3.0a7.

    1. Re:If IE7 is to blame, why isn't IE7 vulnerable? by TheNicestGuy · · Score: 4, Informative

      Because technically it's not IE7 that's broken and allowing the exploit. It's Windows' routines that route and execute arbitrary protocol requests. It goes like this:

      User clicks an email link, which starts with "mailto:" instead of "http:".
      Firefox sees "mailto:" and realizes it's not a protocol it's designed to handle.
      Firefox says, "Hey, Windows, I don't know what to do with a mailto: request. You handle it."
      Windows compares the mailto: to its list of registered handlers, decides that Outlook Express is the application the user really wants, and launches it.

      The bug, however, is that corrupting the part after mailto: with null characters causes that last step to malfunction and blithely pass the remainder of the request directly to the Windows shell, not Outlook Express, allowing it to do pretty much anything the user is allowed to. Two things should be clear here. First, that it's not really Firefox's fault. Invalidating or truncating the link if it contains null characters is certainly a good idea, but that doesn't mean that Windows' bug is justified. As has been pointed out, the bug would still be a problem for any other application that passes requests to the protocol handler.

      The second thing is the answer to your question. Notice that Internet Explorer was not involved in this exchange at all. Even if it were registered as one of the protocol handlers it would be irrelevant, as the bug prevents the real handler from ever being launched. The reason IE7 is dragged into this is because something about the protocol handling routines changes when you install it, such that the exploit is not possible before and is possible after.

      So it's a bug in the IE7 installation, not really IE7 itself.

    2. Re:If IE7 is to blame, why isn't IE7 vulnerable? by Todd+Knarr · · Score: 1

      Because it isn't IE7 that's being exploited. It's the part of Windows that matches URIs to programs to open them via registry entries. IE7 comes into it because those routines in Windows are really part of IE (remember that IE's an integral part of Windows). When you install IE7, you install a new system library with new implementations of those routines that replace the ones from IE6, and said new implementations contain the bug that's being exploited.

      This is also a good illustration of why making core parts of your OS part of the browser is a bad idea.

  34. First time? by Futurepower(R) · · Score: 1

    IE 7, new software from Microsoft, just happens to cause problems with other software that competes with Microsoft.

    Has that ever happened before?

  35. Possible Workaround by BlakeReid · · Score: 2, Informative
    FTA:

    The latest version of the Firefox extension NoScript also filters URLs that are passed to external handlers. Once installed, at least the demo exploits only open empty windows, while for example normal mailto:-URLs still work.


    Looks like http://noscript.net/ will cover you if you're looking for a temporary fix.
    1. Re:Possible Workaround by rapidweather · · Score: 1

      I tried NoScript with Firefox in my knoppix remaster. Had to take it out, too much trouble to use Firefox with the NoScript extension, for the average user. Does work, however, and if you are enough of a geek, you'll get used to it. I doubt NoScript is needed with a livecd linux, but would be useful for Windows. Would turn the tables on "desktop adoption".
      A linux desktop with Firefox such as I provide in the Remaster, is much easier to live with for non-techie users, compared to a Windows desktop with Firefox/NoScript.

      Rapidweather

  36. Re:bug database by Anonymous Coward · · Score: 0

    ....so I think right there it's proven that it's IE's fault.

    Firefox FTW!

  37. Re:bug database by Bill,+Shooter+of+Bul · · Score: 1

    Same difference. I'm sure Microsoft is also looking into the problem. Being who they are and what they do, they don't usually allow people to monitor the progress of their security fixes. I'm not Mozilla won't be the first to patch, but it's sort of like trying to decide if the red snapper is better than whatever is in the box that Hiro-San is bringing down the aisle right now.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
  38. Sounds like what I did on a mac by Anonymous Coward · · Score: 2, Interesting

    In college they had a computer lab of OSX machines that was locked down from using the terminal and other applications. I fired up firefox (because I am not too fond of Safari) and did telnet:// and it just opened up the terminal. Same thing happened with ichat, which was installed but I couldn't run it from the desktop. ichat://.

    Thanks Mac-Firefox :-)

  39. Doesn't work by The+MAZZTer · · Score: 1

    ...if you install Firefox on a non-C: drive, like me.

  40. Because it OPENS them. by Anonymous Coward · · Score: 0

    Without FireFox, any other program you click on an evil link (that doesn't specifically scan for links harmful to IE) would exploit this.

    In other words, if you remove FireFox from the picture, you'd still have a security hole.

    Besides, Microsoft said that the firefoxurl flaw was all FireFox's fault last time (and FireFox already fixed it). It'd be kinda odd to have the tables turned and claim that it's STILL FireFox's fault.

  41. Severe security problem by ingo23 · · Score: 1
    From the article:

    ...however, Internet Explorer 7 needs to be installed. This severe security problem promises another round...

    Indeed. I wonder if Spybot database is updated to include that one.
  42. A simple solution... WAKE UP! by Torodung · · Score: 2, Insightful

    Here's a solution. Look at your status bar. If you see some wacko, malformed mailto: address appear when you hover over the link, don't click on it. The damned thing is longer than my arm! If it doesn't say joeuser@domain.foo, don't click. That simple.

    I know no one here is dumb enough to click like a hamster hitting the feeder bar for pellets, so that's basically for rhetorical effect. But I want to know why these Heise security "gurus" are hyping Firefox "flaws" that are barely exploitable (the other day it was about a web domain being able to "steal" passwords for its own domain), and not nearly capable of causing the kind of damage they claim. Where do they get off attributing a Windows Mail exploit to Firefox, and how on earth would a conscious user fall for this? The exploit or the FUD?

    A remote gateway? Baloney. You have to *click* on the mailto: (nntp:, etc.) to get it to even work. And even then, there'd have to be malicious code on your system in the first place to run. Calculator isn't a payload, folks. You need to have a trojan on board, in a default location, and then you need to click on another trojan (the malformed link). If the user is that stupid, they're already botnetted from double-clicking on "b00b13z.avi.wsf". It's FUD, FUD and more FUD.

    A machine is only as secure as its user is wise.

    Plus, you have to be running IE7, which most Firefox users aren't, unless you got sucker punched into loading Vista.

    And Heise spins this as somehow being Mozilla's problem? You could create the same situation with Lynx for crying out loud! All it takes is a malformed mailto: link. The command line will do it! That means you'd better watch out for malicious BATCH files, folks, because that's all it'll take.

    No one on Slashdot is stupid enough to fall for that right? At least batch files are still "open source."

    And since it doesn't happen with IE6, or if you have any sensible mail programs installed, clearly IE7's suite, Windows Mail in particular, has a flaw. A big juicy exploitable flaw. Else, Lynx has its first 0-day exploit.

    And you bet it'll slip past the UAC, if that's not a clear warning shot to you Vista boosters. Thank you Mozilla for having the sense to fix this problem even though it isn't your problem. You are proving that FOSS is the easiest code base to secure.

    Boy, this kind of shoddy, FUD-laden, biased coverage really makes me mad. This has nothing to do with Firefox and everything to do with Microsoft not understanding its own code base and OS security structures.

    --
    Toro

    1. Re:A simple solution... WAKE UP! by xssniper · · Score: 2, Insightful

      It's great to know that you FULLY understand the security implication of this issue. If everyone was like you we would all be SO MUCH SAFER!!

      The Proof of Concepts I provided are exactly that... PROOF OF CONCEPT! In my examples, I purposely place the exploit behind a link, so that you know and control what's coming. I could have easily placed the payload in a "body onload" tag and you would have just been hit with it... no user interaction required.

      To make matters worse, when you combine something like this with Cross Site Scripting or Cross Site Request Forgery you can force another domain to send the payload for you... I've been in the security realm for some time now... but HEY... what do I know... it seems that you have it all figured out... Remote Command Execution with no user interaction via Firefox is no big deal... it's just FUD...

    2. Re:A simple solution... WAKE UP! by Mazin07 · · Score: 1

      Let me just say... wow. What are you smoking?

      First of all, nowhere in the heise article was Windows Mail mentioned. The article did not blame Mozilla; in fact, it was very balanced as far as Internet articles go.

      Secondly, how often do you look at the target of a link? Most of the time, I reasonably expect a link to go to a certain page and I just assume it does.

      Third, I tested the exploit on Links on Cygwin, and it does not work. Links does not know what to use for mailto, and for nntp: and the others, it will actually request it from the server, resulting in 404s.

      Fourth, the fact that it can actually launch local executables should set off huge alarm bells. It was clearly mentioned that commands could be injected into the command line. "Format c:" anybody?

      Even if that was untrue, it is still very dangerous. There are many executables that could basically brick a user's computer. My S3 graphics drivers came with a program that, if run by the user, will make the video output unusable. My sound driver uninstaller was one-click, non-interactive, and instant. Is this stuff harmful? Many viruses and trojans just mess up a person's computer.

      You imply that anybody smart enough to use Firefox wouldn't have IE7. I use Firefox, but I still have IE7 (on WinXP, no less). As a web developer, it helps to test sites on both IE and Firefox. Many people also upgrade to try the new IE out or to try making their system more secure (how ironic).

      Dude, whatever it is you're smoking, it's making you hallucinate FUD.

    3. Re:A simple solution... WAKE UP! by stonertom · · Score: 1

      Here's a solution. Look at your status bar. If you see some wacko, malformed mailto: address appear when you hover over the link, don't click on it. The damned thing is longer than my arm! If it doesn't say joeuser@domain.foo, don't click. That simple.
      Haven't got an XP box to test this on, but what if you redirected the user to the URI? (like with header(Refresh 2; URL=mailto:%00%00../../blah blah blah);)
      --
      Shameless plugs and inaccessible site design FTW! - www.mistletoestreetmusic.com
    4. Re:A simple solution... WAKE UP! by jmv · · Score: 3, Insightful

      Here's a solution. Look at your status bar. If you see some wacko, malformed mailto: address appear when you hover over the link, don't click on it. The damned thing is longer than my arm! If it doesn't say joeuser@domain.foo, don't click. That simple.

      Not that simple. Many browsers allow the remote site to change the string in the status bar by default (that's the first thing I disable). Until browsers show you the real destination by default, you can't expect people to notice the malformed mailto:

    5. Re:A simple solution... WAKE UP! by Torodung · · Score: 1

      To make matters worse, when you combine something like this with Cross Site Scripting or Cross Site Request Forgery you can force another domain to send the payload for you... I've been in the security realm for some time now.

      Well then, it seems to me that that would be your PROOF OF CONCEPT, and you should have the resources and the ability to produce one. Right now, all you've proven is that you can launch a standard program (calc.exe), on a standard path, with a malformed URI that would produce immediate and visible results that would alert the user to a problem.

      When you can launch arbitrary code silently, without any user interaction save browsing the page, THEN you have a PROOF OF CONCEPT.

      Right now, you have unhelpful FUD (because you failed to define which URI's you deem "unnecessary") but have found an annoying flaw in Windows Mail that Microsoft should fix.

      Thank you for revealing this problem with the way Microsoft Vista technologies handle URIs.

      --
      Toro
    6. Re:A simple solution... WAKE UP! by Torodung · · Score: 1

      Good point. Maybe it's high time browsers did that. Is there a Firefox extension that will show you the href argument in a tooltip? I don't code, but I would love to have that.

      --
      Toro

    7. Re:A simple solution... WAKE UP! by jmv · · Score: 1

      It's in the javascript options (whether you allow javascript to change the toolbar). I just disable that and see the links properly (of course the js ones look odd).

    8. Re:A simple solution... WAKE UP! by Torodung · · Score: 1
      Fine, you think I'm hallucinating? Here's what Daniel Veditz has to say on Bugzilla:

      On Windows XP some urls for "web" protocols that contain %00 launch the wrong handler and appear to be able to launch local programs, with limited argument passing. It is not yet clear that this can be used to compromise a machine but we can always fear the worst.

      The same behavior is observed using "Run" from the Windows Start menu for the affected protocols (http, https, ftp, gopher, telnet, mailto, news, snews, nttp, possibly others?). (emph. added)

      The reason I call FUD is not because the remote launching of executables is false or benign, it's because the reasoning pegging it as a Firefox flaw is spurious and because, IMHO, the severity of this exploit is badly hyped. Mozilla's folks say system compromise potential is unclear. "Fearing the worst" is what security professionals do, but dire speculations are hardly reality.

      Stop and think. If you can produce this effect from the Windows command line with Firefox closed, the problem is clearly not with a program that is not executing. It's in the way Windows Vista technologies (a.k.a.: the IE7 suite) handles URI calls containing %00 in the argument.

      It isn't a Firefox exploit, it's a hole in the OS. All Firefox did was pass the argument to the OS according to spec.

      Worse yet, if IE 7 itself doesn't produce the same problem, and I'll assume it doesn't as the article doesn't mention a problem with IE, it seems likely it's because Microsoft knew about the %00 "feature" and hard coded around the exploit. In that case, whether they failed to mention the problem to other developers out of arrogance, insular culture, or outright malice is anyone's guess.

      Why they left this "feature" in their operating system in the first place is beyond me.

      So Firefox shouldn't even be mentioned. That's the FUD. This should be labeled a Windows OS (or IE7) security issue and patched no later than next super Tuesday.

      The only reason Firefox is mentioned at all is because Microsoft is gunning for them, possibly by leaving time-bombs in their own operating system.

      --
      Toro
  43. Re:both of these browsers are gay by Yfrwlf · · Score: 1

    How about both? ^^

    --
    Promote true freedom - support standards and interoperability.
  44. Lynx is still secure! *whew* by Torodung · · Score: 1

    As a follow up, I actually tried to make Lynx pass the puked URI to Windows and it wouldn't do it. It has its own handlers. Security through "stone knives and bearskins" still works. ;^)

    --
    Toro

  45. Re:bug database by Yfrwlf · · Score: 1

    Woohooooooo! Tho Opera is still faster. =/ I'm curious to know what causes the performance difference between the two.

    --
    Promote true freedom - support standards and interoperability.
  46. Code for the patch by Lost+Penguin · · Score: 3, Funny

    Set WshShell = WScript.CreateObject("WScript.Shell")
    intReturn = WshShell.Run("del c:\windows\iexplore.exe")
    WshShell.Popup "Windows is now secure."

    --
    I am the unwilling control for my Origin.
  47. Re:bug database by TheSeer2 · · Score: 1

    Opera is faster without a doubt, the only problem is it's plain clunky. Poor layout (without the option of changing it [at least the way I want]) of bookmarks, history and just layout things that make it a lesser browsing experience. Except for the speed.

  48. its worth noting by Anonymous Coward · · Score: 0

    that in all of these "cross browser" exploits, it requires firefox to be installed on the windows platform when the windows platform already has a web browser. I think the "fix" should be obvious here.

    1. Re:its worth noting by Cyrom · · Score: 1

      Ya it's obvious but Microsoft makes it impossible to uninstall ie.

    2. Re:its worth noting by Headcase88 · · Score: 5, Funny

      I dare you to try to make an OS that isn't strongly integrated with / dependent on an internet browser. It's as hard as making a toaster that can't wash dishes, but can somehow still toast bread.

      --
      "When the atomic bomb goes off there's devastation...but when the atomic bong goes off there's celebraaaaation!"
  49. use a word that everyone will understand by Anomalyst · · Score: 1

    It looked like a perfectly cromulent summary to me.

    --
    There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
    1. Re:use a word that everyone will understand by grolschie · · Score: 1

      It looked like a perfectly cromulent summary to me.
      I really feel embiggened now. :-)
  50. You're almost right by DrSkwid · · Score: 1

    RTFM losers :

    http://msdn2.microsoft.com/en-us/library/aa767914.aspx

    Security Alert
    Applications handling URL protocols must be robust in the face of malicious data. Because handler applications receive data from untrusted sources, the URL and other parameter values passed to the application may contain malicious data attempting to exploit the handling application. For this reason, handling applications that could initiate unwanted actions based on external data must first confirm those actions with the user.
    Note: In addition, handling applications should robustly handle URLs that are overly long or contain unexpected (or undesirable) character sequences. For more information, please see Writing Secure Code.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  51. Re:bug database by Anonymous Coward · · Score: 0

    Amen, brother.

  52. I run QuickBooks on my mac. by ModernGeek · · Score: 1

    I run quickbooks on my mac, I like it better than the windows version.

    --
    Sig: I stole this sig.
  53. Unregister URIs by asCii88 · · Score: 0

    So how is it supposed to be done?
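
Before anything is deregistered it helps to know what is registered. The following is an added example, not code from the article or from any poster: it lists URL protocol registrations found in the text written by `reg export`, relying on the fact that Windows registers a scheme as a key under HKEY_CLASSES_ROOT carrying a `URL Protocol` value, with the launch command under `shell\open\command`. The sample dump, its paths and the `exampleproto` scheme are constructed, and the quoting check is a hygiene heuristic only.

```javascript
// Constructed sample in the text format written by `reg export`
// (already decoded from UTF-16). Paths and handler names are invented.
const SAMPLE_REG = String.raw`Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\mailto]
@="URL:MailTo Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\mailto\shell\open\command]
@="\"C:\\Program Files\\ExampleMail\\mail.exe\" /mailurl:\"%1\""

[HKEY_CLASSES_ROOT\exampleproto]
"URL Protocol"=""

[HKEY_CLASSES_ROOT\exampleproto\shell\open\command]
@="C:\\Tools\\example.exe %1"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
`;

// .reg files escape backslashes and double quotes inside string data.
function unescapeRegString(s) {
  return s.replace(/\\(["\\])/g, "$1");
}

// Returns [{scheme, command, argQuoted}] for every HKCR key that has a
// "URL Protocol" value. Only plain string (REG_SZ) data is parsed; a command
// stored as hex(2) (REG_EXPAND_SZ) is reported with command === null.
function listUrlProtocolHandlers(regText) {
  const keys = new Map(); // lower-cased key path -> Map(value name -> data)
  let current = null;
  for (const raw of regText.split(/\r?\n/)) {
    const line = raw.trim();
    const k = /^\[(.+)\]$/.exec(line);
    if (k) {
      current = new Map();
      keys.set(k[1].toLowerCase(), current);
      continue;
    }
    const v = /^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$/.exec(line);
    if (v && current) {
      const name = v[1] === "@" ? "" : unescapeRegString(v[2]).toLowerCase();
      current.set(name, unescapeRegString(v[3]));
    }
  }
  const root = "hkey_classes_root\\";
  const handlers = [];
  for (const [path, values] of keys) {
    if (!path.startsWith(root) || !values.has("url protocol")) continue;
    const scheme = path.slice(root.length);
    if (scheme.includes("\\")) continue; // only top-level scheme keys
    const cmdKey = keys.get(path + "\\shell\\open\\command");
    const command = cmdKey && cmdKey.has("") ? cmdKey.get("") : null;
    // Heuristic: an unquoted %1 lets spaces in the URL split into arguments.
    const argQuoted = command !== null && /"%1"/.test(command);
    handlers.push({ scheme, command, argQuoted });
  }
  return handlers.sort((a, b) => a.scheme.localeCompare(b.scheme));
}

for (const h of listUrlProtocolHandlers(SAMPLE_REG)) {
  console.log(`${h.scheme}: ${h.command} (argument quoted: ${h.argQuoted})`);
}
```
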

  54. Re:bug database by Trillan · · Score: 1

    What's in the box, what's in the box!

  55. Slashdot Linux posters... by fat_mike · · Score: 1

    are like the fat kid on the playground who didn't get picked for kickball. It's everyone else's fault.

    1. Re:Slashdot Linux posters... by Anonymous Coward · · Score: 0

      The Linux users are remaining silent on this. Fat or not.
      This exploit does not affect us. We are working as normal.
      It affects Windows users running the Windows version of Firefox.
      Unfortunately it appears that Windows has proven itself not ready for the desktop. How do Windows users put up with this?

  56. 100-100-100 by Porchroof · · Score: 1

    To be on the safe side, users should, in the authors' opinion, deregister all unnecessary URIs - without, however, elucidating which are superfluous.'"
    Or without elucidating what a URI is.

    I'm willing to bet $100 that 100 percent of the viewers here do not know the meanings of 100 percent of the acronyms that are so blatantly presented on this web site.

    When an acronym is used the first time in a news article is it too much to ask that it be spelled out?
    --
    Fata viam invenient.
    1. Re:100-100-100 by mithras+invictus · · Score: 1

      There's an eXtensible HyperText Markup Language ACRONYM tag for that.
      There's also a Firefox extension for looking up definitions.

  57. solution by uolamer · · Score: 1

    .."For this to work, however, Internet Explorer 7 needs to be installed.".. Solution: Uninstall Internet Explorer 7.

    --
    s/©//g
  58. Re:bug database by Dragonslicer · · Score: 1

    Nothing! Absolutely nothing!

  59. I resent the comparison! by Max+Littlemore · · Score: 1

    also... i'm pretty sure if windows was a person he would punch himself in the genitals if he was asked to.

    When I've been a very, very naughty boy, I'll pinch myself in the genitals if matron Dorris tells me to, you insensitive clod!

    --
    I don't therefore I'm not.
  60. Re:bug database by Trillan · · Score: 1

    I am so stupid. STUUUPID!

  61. Solution by Nazlfrag · · Score: 1

    Greasemonkey script removes null from URLs
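
The check discussed in comment 33 (look for 0x00 before handing a link to Windows), the MSDN advice quoted in comment 50 and the filtering idea here all come down to one gate. This is an added example, not the Greasemonkey script, the NoScript filter or Mozilla's patch; it rejects the URI rather than stripping bytes, and the scheme allowlist, length cap and decode-round limit are assumptions.

```javascript
// Assumed policy values for illustration only.
const ALLOWED_EXTERNAL_SCHEMES = new Set(["mailto", "news", "nntp", "snews", "telnet"]);
const MAX_URI_LENGTH = 2048;
const MAX_DECODE_ROUNDS = 3;

// Percent-decode to raw code units without UTF-8 interpretation, so an
// encoded NUL stays visible as 0. In strict mode a malformed escape returns
// null; otherwise a stray "%" is kept as a literal character.
function percentDecodeBytes(s, strict) {
  const bytes = [];
  for (let i = 0; i < s.length; i++) {
    const hex = s.slice(i + 1, i + 3);
    if (s[i] === "%" && /^[0-9A-Fa-f]{2}$/.test(hex)) {
      bytes.push(parseInt(hex, 16));
      i += 2;
    } else if (s[i] === "%" && strict) {
      return null;
    } else {
      bytes.push(s.charCodeAt(i));
    }
  }
  return bytes;
}

// Decide whether a URI may be passed to an OS protocol handler.
// Returns {ok: true, scheme} or {ok: false, reason}.
function checkExternalUri(uri) {
  if (typeof uri !== "string" || uri.length === 0) return { ok: false, reason: "empty" };
  if (uri.length > MAX_URI_LENGTH) return { ok: false, reason: "too-long" };
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):(.*)$/s.exec(uri);
  if (!m) return { ok: false, reason: "no-scheme" };
  const scheme = m[1].toLowerCase();
  if (!ALLOWED_EXTERNAL_SCHEMES.has(scheme)) return { ok: false, reason: "scheme-not-allowed" };
  // Decode repeatedly so that %2500 -> %00 -> NUL is caught as well.
  let rest = m[2];
  for (let round = 0; round < MAX_DECODE_ROUNDS; round++) {
    const bytes = percentDecodeBytes(rest, round === 0);
    if (bytes === null) return { ok: false, reason: "bad-escape" };
    if (bytes.some((b) => b < 0x20 || b === 0x7f)) return { ok: false, reason: "control-char" };
    const decoded = String.fromCharCode(...bytes);
    if (decoded === rest) return { ok: true, scheme };
    rest = decoded;
  }
  return { ok: false, reason: "nested-encoding" };
}

// Constructed sample inputs; none is taken from the published demo.
const SAMPLE_URIS = [
  "mailto:joeuser@domain.foo",
  "mailto:user%00rest",
  "mailto:user%2500rest",
  "firefoxurl:x",
];
for (const u of SAMPLE_URIS) {
  console.log(JSON.stringify(u), JSON.stringify(checkExternalUri(u)));
}
```
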

  62. More Microsoft FUD by pkarlos_76 · · Score: 1

    I thought the Mozilla team tried to fix this in 2.0.5, at least Mozilla team are trying to fix, but naturally MS IE7 team are of course blaming sum1 else, which is the usual Microsoft FUD!!!

  63. just forgot to inform you about a default param by someone1234 · · Score: 2, Funny

    bool FeedDog(int amount, bool lead=true);

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry
  64. Mod parent up by totally+bogus+dude · · Score: 1

    Accursed lack of mod points! Yours was the clearest explanation of the issue I've seen in this thread, so hopefully someone will mod your post up.

    (Someone already has, it seems. But more oughta.)