Slashdot Mirror


Microsoft Flip-Flops On URI Protocol Handing Flaw

a-twitter writes "After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability, announcing in a security advisory that a Windows update will be released to revise URI handling code within ShellExecute() to be more strict. The MSRC blog explains the background and offers more details on this issue."

126 comments

  1. like a dervish, they are by User 956 · · Score: 4, Funny

    After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability

    If it took them that many months, it sounds like they did a 1260.

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:like a dervish, they are by ricebowl · · Score: 4, Funny

      If it took them that many months, it sounds like they did a 1260.

      And here I'm still saving to buy the 360...

      Sigh...

    2. Re:like a dervish, they are by mrbluze · · Score: 1

      Maybe it took them so long because they had to bug-fix the patch, so the replacement vulnerability won't be so easy for non-spooks to detect.

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    3. Re:like a dervish, they are by ozmanjusri · · Score: 4, Funny

      Why don't you just twist a red glow-stick into a ring and glue it to the front of a cereal box? It'll work as well as most 360s do...

      --
      "I've got more toys than Teruhisa Kitahara."
    4. Re:like a dervish, they are by rk076200 · · Score: 2, Funny

      Microsoft has finally accepted responsibility for its role in a security weakness that allows malicious websites to run harmful code on an end user's machine.

    5. Re:like a dervish, they are by Caesar Tjalbo · · Score: 0

      or patch the bug-fix, who knows.

      --
      "I'm not much interested in interoperability. I want substitutability. I want to be able to throw your software out."
    6. Re:like a dervish, they are by Anonymous Coward · · Score: 1, Interesting

      True.

      But, you can still buy a disposable 360 once a month for five years, for less than half the price of a single PS3!

    7. Re:like a dervish, they are by ricebowl · · Score: 2, Funny

      Why don't you just twist a red glow-stick into a ring and glue it to the front of a cereal box? It'll work as well as most 360s do...

      True enough, but will my glow-stick and cereal box be repaired under an extended warranty when it inevitably falls apart, or I add milk to the contents?

      I don't think Mr. Kelloggs will be forthcoming...

    8. Re:like a dervish, they are by dpiven · · Score: 1

      And it'll taste better, and be more nutritious!

    9. Re:like a dervish, they are by rinaazlin · · Score: 1

      Even if you buy a 360, will the viruses stop coming? Maybe not!

    10. Re:like a dervish, they are by davidsyes · · Score: 1

      What were they doing? Chanting runes, or calculating by an excel error?

      --
      Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  2. Good. by Futurepower(R) · · Score: 5, Insightful

    Now we won't have to read any more Slashdot comments that say, "It's not really Microsoft's problem."

    1. Re:Good. by Spy der Mann · · Score: 2, Insightful

      Now I wonder how many machines have now been zombified due to Microsoft's "little mistake". :-/

      Who's gonna be held accountable for that?

    2. Re:Good. by dedazo · · Score: 3, Informative

      No, it's not. Never was. They're fixing other applications (Firefox in this case), the way they hack their entire userspace to deal with application quirks and stupid use of undocumented structures and APIs that are not supported. But that's the price they ultimately have to pay for backwards compatibility - the reason they also still own 96% of the desktop.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    3. Re:Good. by clsours · · Score: 3, Insightful

      No, no, no. Windows automagically does all kinds of crap. Especially with explorer, which for most intents and purposes is also Internet Explorer. Windows does many many things for the user that are 'nice', but really compromise security. With a culture of obfuscation-as-security and a growing codebase you HAVE to expect vulnerabilities.

      --
      Seagoon: Shut up Eccles!

      Eccles: Shut up Eccles!
    4. Re:Good. by Cassius Corodes · · Score: 3, Funny

      Me. I'm gonna get a week's vacation docked.

      --
      Control is an illusion, order our comforting lie. From chaos, through chaos, into chaos we fly
    5. Re:Good. by MadMidnightBomber · · Score: 5, Interesting

      Create a shortcut on your desktop called 'www.slashdot.org' which points to 'www.bbc.co.uk'[1]. Now visit www.slashdot.org in IE.

      Be afraid. Be very afraid.

      [1] OB /. - or possibly to goatse

      --
      "It doesn't cost enough, and it makes too much sense."
    6. Re:Good. by JoelKatz · · Score: 1

      It's not. It's nice that they fixed it, but it wasn't their bug. Firefox, and other programs, were passing invalid URLs from untrusted sources to the operating system.

    7. Re:Good. by Anonymous Coward · · Score: 0

      Interesting behaviour...

    8. Re:Good. by rk075906 · · Score: 1

      In a world without walls and fences - who needs windows and gates?!

  3. The Point: They're Still Missing It. by Tackhead · · Score: 5, Insightful
    From TFA:
    > For traditionally "safe" protocols like mailto: or http:

    And that's where my co-workers heard the cry of "You dumb motherfuckers".

    It's been a few years since Microsoft boxes were out-of-the-box exploitable through anything other than rendering HTML content from either a web page or from within an email client.

    While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.

    If you're at Microsoft, and you still think of "http://" as "safe", you're still part of the problem, not part of the solution.

    1. Re:The Point: They're Still Missing It. by drsmithy · · Score: 4, Insightful

      And that's where my co-workers heard the cry of "You dumb motherfuckers".

      Maybe you should have kept reading (or you're just quoting out of context to sensationalise):

      For traditionally "safe" protocols like mailto: or http: applications often just verify the prefix and then choose to call into the Windows shell32 function ShellExecute() to handle it.

      And that's where my co-workers heard the cry of "You dumb motherfuckers".

      It's pretty clear from context that the implication is other applications consider those prefixes as "traditionally safe", and not that Microsoft does.

    2. Re:The Point: They're Still Missing It. by Alwin Henseler · · Score: 3, Insightful

      While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.

      Which is really ridiculous, that normal users have come to expect (or should expect) that there are exploit-ridden websites which you should never visit, or else your system may get exploited and spyware/other crap gets installed behind the user's back.

      One could pass a web-server ANYTHING as a URI, and the server basically returns you a 'page', consisting of a number of elements which are then rendered for your viewing pleasure. From a conceptual point of view, that's pretty much a READ action, and (imho) users should not be wrong to think this is always safe, and has no chance of screwing up your system. That this is not true in real life doesn't mean users behave unwise or stupid, but that current popular OS'es are BROKEN. Regardless of where in those OS'es (or the applications on it) the cause lies.

      Now, for another point of view on these URI handling troubles: a) there exist malformed URIs, and b) pretty much everyone agrees they should not fsck up your system, but simply be handled. Either 'fixed' to be a valid URI, or simply be rejected as invalid. Now if you need to fix it anyway, where would be the best place to do so? In every application that handles URIs, or in 1 place where all those URIs pass through at some point in time anyway? Apart from the question of whether it would be the OS's responsibility, I'd say inside the OS would be the easiest place to fix the 'malformed URI' problem as a whole. Also, if the OS isn't bothered by a malformed URI, and just returns an error to indicate the problem, applications (and through them) users are informed of that fact. Which would tell a user that a site he's browsing is either trying to screw him, hijack his system, or that the site maintainers are incompetent.

      If the OS doesn't accept malformed URIs, period, then the system as a whole becomes safer to use, regardless of whether applications do their own URI validation or not. So fixing this in the Windows URI handler would seem like the most general, AND the easiest way to prevent malformed URIs from doing any damage.

      Apart from that I think the article was well written and reasoned, claiming that input validation is really a shared responsibility, that both OS vendors AND 3rd party application developers should care about.

    3. Re:The Point: They're Still Missing It. by Anonymous Coward · · Score: 0

      do you feel like a big man for putting motherfuckers in italics? it seems like something a 10 year old would do.

    4. Re:The Point: They're Still Missing It. by plover · · Score: 1

      It's pretty clear from context that the implication is other applications consider those prefixes as "traditionally safe", and not that Microsoft does.

      Umm...no. Your interpretation, while literal, doesn't parse because applications have neither traditions nor opinions on safety, nor do they write themselves. When you expand the original sentence's subject appropriately, it reads like this:

      For traditionally "safe" protocols like mailto: or http: [human] application [writer]s often just verify the prefix and then choose to call into the Windows shell32 function ShellExecute() to handle it.

      At that point, it reads more like this: "The application developers I know traditionally consider the protocols mailto: and http: to be "safe", and therefore don't need to bother sanitizing the URIs before foisting the heavy lifting off on ShellExecute()." In that context it's clearly the blind presumption of safety on the part of the developers that's the real problem.

      Not that it would make me go screaming about mentally deficient Oedipal fornicators ...

      --
      John
    5. Re:The Point: They're Still Missing It. by Beryllium Sphere(tm) · · Score: 3, Insightful

      More insight into how Microsoft thinks about these things at Larry Osterman's blog.

      Personally I'd point the finger at the idea of using ShellExecute on inadequately filtered data from the Internet.

    6. Re:The Point: They're Still Missing It. by drsmithy · · Score: 1

      Umm...no. Your interpretation, while literal, doesn't parse because applications have neither traditions nor opinions on safety, nor do they write themselves. When you expand the original sentence's subject appropriately, it reads like this:

      And when you expand my sentence appropriately, you get:

      It's pretty clear from context that the implication is other applications [' developers] consider those prefixes as "traditionally safe", and not that [the average] Microsoft [developer] does.

      At that point, it reads more like this: "The application developers I know traditionally consider the protocols mailto: and http: to be "safe", and therefore don't need to bother sanitizing the URIs before foisting the heavy lifting off on ShellExecute()." In that context it's clearly the blind presumption of safety on the part of the developers that's the real problem.

      More like "the application developers we have experience in dealing with - having expended massive amounts of our resources over the last 2+ decades to rectify or work around their mistakes - traditionally consider the protocols mailto: and http: to be "safe" and therefore don't need to bother sanitizing the URIs before foisting the heavy lifting off on ShellExecute(). These are the same idiots who do things like try and store runtime data in system directories." This is especially true when you consider that "Chen" probably refers to Raymond Chen, who's been helping Windows work around developer stupidity for a very long time.

  4. From one side of the mouth, then the other by ackthpt · · Score: 0, Redundant

    "There's nothing wrong with it"

    "Quick! Fix it! Hurry up we want this fixed in several months!"

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:From one side of the mouth, then the other by thegrassyknowl · · Score: 0, Troll

      "There's nothing wrong with it" ---(M$ To English)---> "We're too stupid to be able to fix this bug so we'll claim it works as expected and is a feature then tell the users that it's their fault. At least our users are stupider than us."

      --
      I drink to make other people interesting!
    2. Re:From one side of the mouth, then the other by Gary W. Longsine · · Score: 1

      Even though the parent forgot, "... and blame the developers of third party applications..." it was otherwise accurate, if blunt. The Troll mod is unfair. Mod, you will be punished in meta-mod land.

      --
      If you mod me down, I shall become more powerful than you could possibly imagine.
  5. Damn you, Microsoft. by Jugalator · · Score: 1, Insightful

    Damn Microsoft for doing a 180 and making ShellExecute() be more strict about URIs. Damn you Microsoft for fixing that bug now, when you didn't fix it before. You should have kept with this and not fixed it. Or something. :-)

    --
    Beware: In C++, your friends can see your privates!
    1. Re:Damn you, Microsoft. by fbjon · · Score: 1

      That would be point one then.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    2. Re:Damn you, Microsoft. by Anonymous Coward · · Score: 0

      Hey! We needed that for our bingo game. Spoilsport.

    3. Re:Damn you, Microsoft. by Anonymous Coward · · Score: 0

      You sunk my battleship

  6. Re:Microsoft has been a destroyer of standards... by dedazo · · Score: 0

    That's impressive, but what does that have to do with the topic of this article?

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  7. Wow by Anonymous Coward · · Score: 0

    You said nothing whatsoever that pertains to the subject of the story. And someone modded you up...?

  8. The "New" Microsoft by Propaganda13 · · Score: 2, Funny

    After being criticized about security, Microsoft has taken additional steps to shorten the time between when they advise a customer of a vulnerability and when it is fixed. Ballmer stated "This is a win for both the customer and Microsoft."

  9. Simple by Vlaadimir · · Score: 4, Interesting

    If Microsoft concedes that IE should validate/sanitize URL input before passing it to other applications, then other browsers should also validate/sanitize URL input before passing it to other vulnerable Microsoft/Adobe/IBM/... applications.

    1. Re:Simple by micheas · · Score: 1

      If Microsoft concedes that IE should validate/sanitize URL input before passing it to other applications, then other browsers should also validate/sanitize URL input before passing it to other vulnerable Microsoft/Adobe/IBM/... applications.


      That would work if you didn't have to make an exception for the Outlook Web Access Client for Exchange. That has all sorts of invalid URLs in it that should never be accepted by a web browser.

      The worst thing Netscape and Microsoft ever did was to allow their browsers to render invalid HTML instead of throwing an error.
    2. Re:Simple by plague3106 · · Score: 1

      Ok, I'll bite. What "invalid" urls are in exchangeweb? Before you answer, remember I DO have exchange web on my server..

    3. Re:Simple by Vlaadimir · · Score: 1

      I think this has more to do with Microsoft trying to gain the high ground by saying that we validate our input before passing it to third party applications. While validating user input really is a good thing, it is not always easy.

    4. Re:Simple by Anonymous Coward · · Score: 0

      How's this one:
      https://server/exchange/junkit/Inbox/Out%20of%20Office%20AutoReply:%20REMINDER:%2010_xF8FF_13_xF8FF_2007%209am%20EDT%20-%2010_xF8FF_14_xF8FF_2007%209pm%20EDT.EML?Cmd=open

      They are referring to how OWA uses the Subject of a message as the URL. Notice the ':' in the standard Out of Office AutoReply message. It may not be an actual illegal character for a URL. But OWA does not make it easy to deal with. It would have been nicer if the MessageID had been used instead.

    5. Re:Simple by micheas · · Score: 1

      Ok, I'll bite. What "invalid" urls are in exchangeweb? Before you answer, remember I DO have exchange web on my server..


      I cannot remember what the issue is exactly but it has (had? I have been mercifully spared from exchange 2005) to do with % signs in email subjects or file names.
    6. Re:Simple by 10101001 10101001 · · Score: 1

      ...then other browsers...

      IE isn't a web browser. It's a quasi-web browser. The second Microsoft chose to leverage non-standard features in disregard of how it would cripple the platform-independent design of the web, IE became a quasi-web browser. Of course, one could argue that most "web browsers" fall into that category (Netscape, Firefox, Opera, etc. all adding on Java, Flash plug-ins, etc.). At that point, though, one can rationally argue that each quasi-web browser falls into its own category, so there's no reasonable expectation that they should all mandatorily copy each other. I mean, IE includes ActiveX and "Zones". Should Firefox and Opera include those too?

      Of course, the proper answer might be to just, you know, stop supporting external uri handlers (ie, ones one can't fix/validate). But that's based upon the assumption that security should trump functionality.

      --
      Eurohacker European paranoia, gun rights, and h
    7. Re:Simple by plague3106 · · Score: 1

      Hmm, I'll have to check that out. I've seen % signs, but they should be there... %27 replaces ' IIRC, which is the proper escaping.

  10. My Flaw by The Living Fractal · · Score: 1

    I have a "handing" flaw. A protocol has a "handling" flaw.

    My flaw is much more personal ;p

    --
    I do not respond to cowards. Especially anonymous ones.
  11. Pay attention by Anonymous Coward · · Score: 5, Informative

    You're not paying attention. There were two flaws: One in Firefox, one in ShellExecute. Microsoft cannot and did not fix the flaw in Firefox (incorrect interpretation of command line). Microsoft did fix the bug in ShellExecute, which was by the failure to abort if URLMON returned an error code indicating that a given string was not a legal URI.

    1. Re:Pay attention by Anonymous Coward · · Score: 0

      this is correct.

      moreover, how long can this ill mannered snark continue? let's recap: Microsoft hasn't done anything wrong here, other than announce that an attack vector/security risk was also a heavily utilized feature relied upon by countless third party developers. then they found a way to fix some of it up... and all of this is over one particular build of a browser on one platform they maintain.

      you guys at slashdot suck the FUD through a straw. and make like anyone else doing the same is a wicked bastard. this is shameful.

    2. Re:Pay attention by Alwin Henseler · · Score: 5, Interesting

      There were two flaws: One in Firefox, one in ShellExecute.

      Excellent point.

      Microsoft cannot and did not fix the flaw in Firefox (..)

      Ehmm... wrong. Since Firefox is an open source project, ANYONE has the option to contribute patches, and Microsoft surely has the knowledge and resources to do so. Any decently managed open source project should accept patches from anyone, IF it provides a correct fix for a problem, and licensing of the patch is acceptable (like, licensed the same as the rest of the project).

      Though I can't think of a reason why Microsoft would WANT to fix a problem in Firefox, unless IE's market share has dropped below 1% ;-)

    3. Re:Pay attention by Smartcowboy · · Score: 0, Troll

      Since Firefox is an open source project, ANYONE has the option to contribute patches

      Don't be ridiculous. Most open source projects are run by groups of elitists who will ignore any contribution that doesn't come from them. The only way to contribute to a project is to fork it, but then you will still be ignored by the whole world because you are not mainstream. Any attempt to integrate an existing open source project is an exercise in futility.
    4. Re:Pay attention by suv4x4 · · Score: 2, Insightful

      Ehmm... wrong. Since Firefox is an open source project, ANYONE has the option to contribute patches, a [...] Though I can't think of a reason why Microsoft would WANT to fix a problem in Firefox

      So uhmm what was the point of this post at all? Anyone in Microsoft's position wouldn't want to fix their competitors' software, it being OSS or not.

      Firefox isn't just a browser competing to IE on Windows. It's a browser on Windows that works the same on Mac and Linux. That's horrible for MS as the browser becomes the most important application ever to be had on an OS.

    5. Re:Pay attention by nsebban · · Score: 1

      I'm very curious about the way the community would react if Microsoft provided a patch to an open-source app, just like they could have done in this case.

      --
      ____
      nico
      Nico-Live
  12. In Vista it doesn't even act properly by postmortem · · Score: 0, Interesting

    When Firefox is the default browser, state-of-the-art Microsoft Office 2007 can't open a link when it is clicked on without an error - every time it is the same story (fatal error! with red X and appropriate sound) if Firefox is not already open.

    1. Re:In Vista it doesn't even act properly by plague3106 · · Score: 1

      Hmm.. I happen to have Vista Ultimate, and Office 2007. I just clicked a link in Outlook and it opened FF just fine even though FF wasn't already open. How do you reproduce the error you describe?

    2. Re:In Vista it doesn't even act properly by postmortem · · Score: 0

      Just clicking on the link - General failure The URL was: "http:/...". The system cannot find the file specified. Firefox is default program for htm, html, HTTP protocol and Internet link. The OS is vista x64 Business.

    3. Re:In Vista it doesn't even act properly by plague3106 · · Score: 1

      Hmm, I'm on the 32-bit OS. Maybe it was fixed in a recent update?

    4. Re:In Vista it doesn't even act properly by Anonymous Coward · · Score: 0

      It's a bug in the DDE registration of Firefox setup. Fix your DDEExec key and you're good to go. Try setting IE to default and set Firefox back to default.

    5. Re:In Vista it doesn't even act properly by Anonymous Coward · · Score: 0

      Probably a broken DDE setting. Unfortunately I'm not on a Windows box right now to get you the right settings. You could try setting IE as default browser, then switching back to FF....

    6. Re:In Vista it doesn't even act properly by Anonymous Coward · · Score: 0

      The error box you get clicking links with FireFox as the default browser is a known problem. It happens when you have IE 7 installed. You need to turn off DDE.

      http://www.outlookpower.com/issues/issue200411/00001420001.html

  13. Fanboy Bullshit at it's Finest. by Anonymous Coward · · Score: 0

    They're fixing other applications (Firefox in this case)

    Sure, that's been the M$ line all along, even though IE and Outlook did the same thing. So tell me why Firefox does not have a problem on Mac and GNU/Linux again. Oh, that's right, the only reason Firefox had anything to do with this is that it did things the M$ way on Windoze. Stupid Turd, Windoze is defective by design.

    But that's the price they ultimately have to pay for backwards compatibility - the reason they also still own 96% of the desktop

    You must have slept through that whole anti-trust thing, where the Federal government proved that M$ did everything in its power to break Netscape.


    96%. Dream on.

    1. Re:Fanboy Bullshit at it's Finest. by Planesdragon · · Score: 4, Insightful


      You must have slept through that whole anti-trust thing, where the Federal government proved that M$ did everything in its power to break Netscape.


      Psst. Netscape is not a competitor to Windows. Never was.

      MS cripples themselves when they try and lean on Windows to get IE, or Office, or Visual Studio more market share. But Windows itself -- well, there's been to date, what, four serious attempts at competing with MS, and they haven't even managed to get half the market between them?

      BeOS, UNIX et al, OS/2, and the Mac. All told, maybe 30% of the worldwide userbase. Microsoft is doing something right -- or else the "here, you can have this for free" crowd is doing something even worse than MS.

    2. Re:Fanboy Bullshit at it's Finest. by absoluteflatness · · Score: 2, Insightful

      Psst. Netscape is not a competitor to Windows. Never was...
      MS cripples themselves when they try and lean on Windows...

      Well, the grandparent never said that Netscape was a competitor to Windows, but it sure was a competitor with Internet Explorer. Considering that Internet Explorer completely crushed Netscape due to it being free and bundled with Windows (and, eventually, a better product), I think that Microsoft's plan of leaning on their Windows dominance to sell their other products seems like a pretty successful one. Of course, of these, only IE is "bundled". For Office and Visual Studio, it's really a two-way street. People get Office or VS because they're the de-facto standard on Windows, then they stay with Windows so they can keep the same office suite/IDE.

      They seemed to "cripple" themselves with the decaying quality of IE before the release of version 7, but really, it's a consequence of how they dominated the market so effectively. When there's no real competition, why bother innovating? If anything, Microsoft's business model sometimes works too well for their own good.

    3. Re:Fanboy Bullshit at it's Finest. by durin · · Score: 1

      Microsoft is doing something right

      Unfortunately, the thing they're doing right is wrong (they're a monopoly, remember?)

      --
      Why, yes! I AM new here.
    4. Re:Fanboy Bullshit at it's Finest. by houseofzeus · · Score: 2, Insightful

      Being a monopoly is not, in itself, illegal.

    5. Re:Fanboy Bullshit at it's Finest. by fork_daemon · · Score: 1

      Being a monopoly is not, in itself, illegal.

      It isn't illegal, but it leads to illegal behaviour. Remember the buying the vote for OOXML story?
    6. Re:Fanboy Bullshit at it's Finest. by Anonymous Coward · · Score: 0

      Thanks for this one, Twitter. Unless you actually change your personality, anybody with even half-assed knowledge of sentence structure and use of language is going to click that this is you very quickly.

    7. Re:Fanboy Bullshit at it's Finest. by Anonymous Coward · · Score: 0

      True, but just so a casual reader does not read your retort and leave thinking that being a monopoly was Microsoft's worst offense: the Findings of Fact judgement in the United States v Microsoft case went much, much farther than merely pointing a finger at Microsoft and calling them a Monopoly. It found them guilty of tying in violation of sections 1 and 2 of the Sherman Antitrust Act. And that is illegal.

    8. Re:Fanboy Bullshit at it's Finest. by houseofzeus · · Score: 1

      Indeed, many people seem to mistakenly believe the former though, which is my gripe.

    9. Re:Fanboy Bullshit at it's Finest. by pyrr · · Score: 1

      Just a quick point. UNIX=!free and it predates Microsoft operating systems by a pretty substantial span of time, and it's not a consumer desktop OS. BeOS=!free and kind of had a dearth of software developed for its platform. OS/2=!free and it's basically a fork of NT from when IBM & Microsoft decided to take their respective marbles and go home when their collaboration fell apart. IBM didn't market it anywhere near as aggressively as Microsoft marketed NT. Mac=!free and the hardware has typically carried a ludicrously high price tag, while the selection of software is on the sparse side (most comp stores I've been in have the usual half-dozen full aisles of Win-PC software, to one-half of an aisle dedicated to Mac software). Linux=free, but its day isn't over yet. It's getting closer to that asymptote of "being ready for the consumer desktop", which is where folks like Shuttleworth want it to be, and if Canonical was to get more aggressive in marketing k/ubuntu to the masses, who knows what could happen? Percent by meager fraction of a percent, whatever market share ubuntu has today was achieved at what's probably a negligible cost-per-percent compared to the billions of marketing dollars Microsoft has spent hollowing out a solid foothold in the marketplace over the past 20+ years. That's if you consider services like Shipit to be "advertising". Any estimates as to how much Microsoft spent trying to convince the public to buy Vista over the past year? And what's its overall market share? I have my doubts that its shareholders like to think about such things...

  14. Firefox? by Erris · · Score: 1, Troll

    They're fixing other applications (Firefox in this case)

    Did you really say and believe that? Congratulations, you have outdone M$ themselves. Let's review:

    • the problem happened if you installed IE7, not before.
    • M$ has just admitted their mistaken way of dealing with urls in XP and 2003.

    How is that Firefox again? Yes, I saw in the recap where "MSRCTEAM" mentions their previous friendly blame cast, I mean "advice", to the Firefox team. Can you tell me how that intersects reality again?

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
    1. Re:Firefox? by Anonymous Coward · · Score: 1, Informative

      Firefox installed the URL handler that was vulnerable. The fact that IE6 and IE7 treat URLs in different ways caused it not to be vulnerable under IE6.

      But it was still Firefox that installed the vulnerability. Without Firefox, NOTHING was vulnerable.

      So, yes, they're fixing Firefox's bug.

    2. Re:Firefox? by Kalriath · · Score: 4, Informative

      Well, actually, there are two issues being mentioned here. One, where Windows itself mishandles the URI. This is the one where a % symbol is included in the URI and ShellExecute stupidly tries to fix it (demons know how it manages to mangle it into an actual working executable path). The other, which Microsoft correctly attributes to third party vendors, is where when a protocol handler is called, no escaping of quotes is done - often causing apps like Firefox, or Trillian, or whatever, to actually accept half the URI as command line parameters.

      The mistake made by the GP (and potentially yourself, as you refer to the "blame cast" with the Firefox team which from memory only occurred with the issue in June with malicious URIs terminating the quoted string and including Chrome parameters) is that they assume the second option is the one which is being fixed. It is not. This will potentially still be a problem if applications don't continue to validate their URIs appropriately, as Windows doesn't know exactly what your application does to escape quotes.

      One of these is a vulnerability. The other is third party applications violating a basic tenet of development (no input is trusted).

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    3. Re:Firefox? by ozmanjusri · · Score: 3, Informative
      Without Firefox, NOTHING was vulnerable.

      Rubbish.

      There's a whole shopping list of apps, including IE7 itself that were exposed to this vulnerability. Firefox was just the first to be accused.

      Microsoft's only changed its tune because Adobe's on the case with the Acrobat vulnerability. It's one thing to force a FOSS competitor to unnecessarily patch, but they'll have no luck with trying to force Adobe to fix every PDF reader out there.

      --
      "I've got more toys than Teruhisa Kitahara."
    4. Re:Firefox? by Anonymous Coward · · Score: 0

      Weird how there haven't been any reports of it for Linux or OS X yet. Almost as if without Windows, NOTHING was vulnerable... but of course that can't be right.

    5. Re:Firefox? by Anonymous Coward · · Score: 2, Informative

      The other, which Microsoft correctly attributes to third party vendors, is where when a protocol handler is called, no escaping of quotes is done

      OK, let's break down the steps to executing a program here. Now, I know Microsoft has their way of doing it, but really, it's exactly the same fucking thing with the same fucking array of arguments as parameters to the main function.

      1) program A decides it wants to run program B with some arguments
      2) program A assembles the argument list, and selects a member of the exec*() family to call
      3) program A executes program B with the arguments that A prepared.

      It's not the receiving program's responsibility to try and reassemble its arguments to figure out what the calling program actually meant to pass in, well unless your program runs on Windows, I guess. "Escaping of quotes" is supposed to have already been taken care of by the time the first line of code in main(argc,argv) executes and wants to see what it got in argv[1]. But hey, I'm sure you have a really good reason why the OS is capable of dealing with quoted arguments correctly when I type "C:\Program Files\Somewhere" but can't be bothered to handle it correctly specifically when parsing a URL that explains exactly how it is not the URL parser that is broken?

    6. Re:Firefox? by Kalriath · · Score: 1

      Well, here's the thing:

      What's exec()? Windows has ShellExecute(). ShellExecute for parameters accepts a single blind string. With this string, it passes it straight to an app to decide how it wants to interpret it. In your example, it's because it doesn't need to escape quotes to open "C:\Program Files\Somewhere" - which is good, because it has no idea how your application escapes quotes anyway. Does it use C syntax? Does it use BASIC syntax? Does it use Pascal syntax? Since it doesn't know these, it cannot escape your URL. As a result, you shouldn't be writing applications that expect it to.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    7. Re:Firefox? by dedazo · · Score: 0, Flamebait
      hi twitter. How's that karma doing? Had to fall back on the ol' sockpuppet, eh?

      the problem happened if you installed IE7, not before.

      And?

      M$ has just admitted their mistaken way of dealing with urls in XP and 2003.

      "M$" has modified the way it works, which does not mean it's "mistaken". And these are not URLs, they're URIs passed to registered moniker handlers. You don't even know what you're talking about, do you?

      How is that Firefox again?

      They registered a handler with the shell. If they hadn't done that, this wouldn't have happened, since IE7 apparently handles the same type of URIs correctly.

      By the way, please don't insult my intelligence by posting retarded things like these as an AC. Be a man and take responsibility for what you say, or stop bitching about how the big bad ACs victimize you.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    8. Re:Firefox? by ozmanjusri · · Score: 2, Interesting
      "M$" has modified the way it works, which does not mean it's "mistaken".

      Yes it does.

      This is from the Technet mea culpa blog posting by MSRC's Jonathan.

      With Internet Explorer 7 installed, the flow is a bit different. IE7 began to do more validation up front to reject malformed URI's. When this malformed URI with a % was rejected by IE7, ShellExecute() tries to "fix up" the URI to be usable. During this process, the URI is not safely handled. IE7 rejects the URI, and on Windows Vista ShellExecute() gracefully rejects the URI. That's not the case on the older versions of Windows like Windows XP and Windows Server 2003 when IE7 is installed.

      Spin the facts as much as you like here, but anyone with a clue knows it is Microsoft's vulnerability. That's why they're the only ones who can fix it.
      --
      "I've got more toys than Teruhisa Kitahara."
    9. Re:Firefox? by dedazo · · Score: 1
      I wasn't referring to the vulnerability in shell32 itself, but to the way applications handle escape quotes in URIs passed to registered handlers like "chrome://".

      Most people (yourself included, apparently) don't understand that this is a two-way street. Microsoft can fix errors in their code, but they can do fuck all about what Firefox or Adobe Reader do with the input passed to them. But then it's so much fun to spin that part, isn't it?

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    10. Re:Firefox? by ozmanjusri · · Score: 1
      Microsoft can fix errors in their code, but they can do fuck all about what Firefox or Adobe Reader do with the input passed to them.

      Which platforms does this vulnerability exist on?

      Why aren't Firefox, mIRC, Adobe Acrobat, Outlook Express, Outlook 2000 and others vulnerable when they're installed on Linux? On Windows without IE7? On a Mac? Why didn't the vulnerability exist until IE7 was installed?

      Your bosses have accepted it's their problem. Why don't you?

      --
      "I've got more toys than Teruhisa Kitahara."
    11. Re:Firefox? by HeroreV · · Score: 2, Insightful

      If Internet Explorer was sending Firefox a valid URL, it wouldn't have to worry about escaping anything. Valid URLs don't contain whitespace, quotation marks, backslashes, or anything else that would need to be escaped. Why should Firefox expect to receive malformed URLs?

    12. Re:Firefox? by dedazo · · Score: 1

      Your bosses have accepted it's their problem.

      Ooooh, that's so clever. Well, that does it for me. I won't bother you anymore, since surely there are other minions of the evil empire you must do battle with?

      Good luck!

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    13. Re:Firefox? by houseofzeus · · Score: 1

      Ok, say Microsoft did decide to handle that and validate the http protocol URI's. What about the umpteen other URI types that can be exploited in the same manner? Would you expect Microsoft to work out what constitutes 'valid' for each of these too (many of which may well be wholly and solely products of 3rd party vendors)? Or would you expect that they just handle the common ones like http? If the latter then who gets to decide what is common or valid, and who is to blame later on when third party X changes what is 'valid' for a given URI type?

    14. Re:Firefox? by Anonymous Coward · · Score: 0

      RTF RFC, Gatesfucker.

    15. Re:Firefox? by Random832 · · Score: 1

      which is good, because it has no idea how your application escapes quotes anyway.

      Well, for a filename (your "C:\Program Files\somewhere" example is not a URL), this issue is mitigated by the fact that filenames cannot contain quotes.

      It would not, though, be out of line for applications passing URLs into shellexec to escape quotes (at the very least, double quotes) with URI escaping syntax, in order to guarantee that _they_ do not contain quotes. They should already be escaping spaces, anyway, so this shouldn't have happened regardless.
      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
    16. Re:Firefox? by Macthorpe · · Score: 1

      Why aren't Firefox, mIRC, Adobe Acrobat, Outlook Express, Outlook 2000 and others vulnerable when they're installed on Linux? On Windows without IE7? On a Mac? Why didn't the vulnerability exist until IE7 was installed?

      Well, if you didn't have a computer, then it wouldn't be a problem at all, so I guess it's Charles Babbage's fault. Then again, if he wasn't born, it still wouldn't have happened, so it's his parents' fault. I guess also if the Earth didn't exist, then it's the fault of either your chosen deity or science, depending.

      Just because a problem can't exist without something else, it doesn't mean it's their fault. Here we go, car analogy - someone smashes into the side of your car and injures you. Once out of hospital, you go to the garage and get the sides reinforced so that a future impact there can't hurt you. Just because you've taken the time to fix the possibility of someone injuring you, does it mean it's any less someone else's fault that they smashed into you? No. The "OMG M$ IS FIXING IT SO THEY'RE ADMITTING FAULT" argument is completely spurious.

      Anyone confused with the issue needs to read the MSRC blog. There are two issues here.

      Fault 1: Programs are receiving malformed URIs and instead of handling them, throwing up strings that they then send to ShellExecute(). Microsoft can't block these because there are other programs that use those handlers legitimately.

      Fault 2: This is the result of the difference you're seeing. IE7 and Vista have URI verification in place to stop this kind of attack happening, XP and earlier do not. IE7 checks the handler - however the presence of the % sign means that IE7 tries to fix it, fails, then passes it onto ShellExecute() to fix. On Vista, it's rejected, but on XP the handler isn't as good - so malformed handlers occasionally slip through the net.

      The second fault is what they're fixing, not the vulnerability in Firefox. If the tightening of the handlers for IE7 and XP/2003 does fix the 3rd party handler problem, great, but that doesn't make it Microsoft's fault.

      In a final note I know it's tough when people don't agree with you, but it's sad to assume that they don't agree with you because they're being paid to do it. You're just not that important.
      --
      "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
    17. Re:Firefox? by I'm+Don+Giovanni · · Score: 1

      What if a user opened cmd.exe and executed "Firefox ". Is cmd.exe supposed to clean up the command line before passing it to Firefox? It's up to apps themselves to parse and validate whatever is passed as the command line. This is programming 101 stuff.

      --
      -- "I never gave these stories much credence." - HAL 9000
    18. Re:Firefox? by Anonymous Coward · · Score: 0

      Hi willy. When you look back with nostalgia at the good times when your "Erris" account had good karma, know that this is the point where it all started again.

    19. Re:Firefox? by Anonymous Coward · · Score: 0

      "blame cast", that's just too funny. We're dying over here. Of laughter.

    20. Re:Firefox? by g1zmo · · Score: 1

      Software Development Rule #7:

      Be liberal in what you accept and strict in what you emit.

      --
      I have found there are just two ways to go.
      It all comes down to livin' fast or dyin' slow.
      -REK, Jr.
    21. Re:Firefox? by houseofzeus · · Score: 1

      If it were as simple as just applying the RFC for generic URIs this would never have snowballed the way it has. The point is that 3rd party applications can still be and will continue to be vulnerable in this manner if they don't validate URI's from untrusted sources. I suspect the reason URIs were left unvalidated by ShellExec in the first place may have been that if you put generic validation there 3rd parties could well get lazy and fail to do their own further validation (with the additional context of whatever URI type they are specifically interested in), which as it turns out is what many fail to do anyway.

      Even if ShellExec is extended to validate URIs under the generic spec (which from my read of the provided articles looks like what MS are doing) what is valid in a generic sense may still be just as invalid (or even in some cases dangerous) given the context of a specific URI type.

    22. Re:Firefox? by Anonymous Coward · · Score: 0

      "Outlook Express, Outlook 2000 and others vulnerable when they're installed on Linux" LOLOLOL

    23. Re:Firefox? by rk075906 · · Score: 1

      Is Windows a virus? No, Windows is not a virus. Here's what viruses do: 1. They replicate quickly - okay, Windows does that. 2. Viruses use up valuable system resources, slowing down the system as they do so - okay, Windows does that. 3. Viruses will, from time to time, trash your hard disk - okay, Windows does that too. 4. Viruses are usually carried, unknown to the user, along with valuable programs and systems. Sigh... Windows does that, too. 5. Viruses will occasionally make the user suspect their system is too slow (see 2.) and the user will buy new hardware. Yup, that's with Windows, too. Until now it seems Windows is a virus but there are fundamental differences: Viruses are well supported by their authors, are running on most systems, their program code is fast, compact and efficient and they tend to become more sophisticated as they mature. So Windows is not a virus. It's a bug.

  15. Nothing new here by GodfatherofSoul · · Score: 1, Interesting

    Microsoft is a pain when it comes to protocols. If they have a bug, unless it blows up Fortune 500 servers they put the burden on you to work around them. I wrote a HTTP proxy client lib a while back that ran with no problems for months/years until Microsoft got into our market. "But the RFC says..." means jack to your clients when their deployment is bombing out on transactions.

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
    1. Re:Nothing new here by rs79 · · Score: 1

      "But the RFC says..."

      Welcome to reality. If you made a mail daemon that worked according to spec nobody would be able to use it.

      If you saw the errors in SSL browsers ignored just so they look like they're working you'd shit.

      --
      Need Mercedes parts ?
  16. Did the submitter read the links they included? by Keeper · · Score: 4, Informative

    There are two "bugs" being talked about.

    1) an exploit in firefox URI protocol handler
    2) an exploit related to how explorer handles rejected URIs from IE7 on XP/Win2k3

    Apparently the submitter isn't able to differentiate #2 from #1.

    The advisory is for item #2. Item #2 is going to get fixed. The advisory does not cover item #1. Item #1 will need to be fixed in the protocol handler itself.

    1. Re:Did the submitter read the links they included? by Anonymous Coward · · Score: 0

      Thank you.

      And while we're here, can anyone explain why the firefoxurl handler exists at all?

      It's clearly a bad idea on any kind of external webpage since it breaks the basic linking mechanism of HTML by assuming a certain browser is installed (most people apart from FireFox zealots actually try to make their pages work on ALL browsers).

      It doesn't describe a protocol, so it's an abuse of the URL system. Unless of course the expectation is that MS should implement firefoxurl: as launching IE and Opera should implement it as launching Opera, in which case, why not just http:?

      It's not implemented in even a remotely intelligent way, as evidenced by the vuln.

      The whole thing seems like a kind of anti-MS joke played by FireFox and now the immaturity of that approach, within a browser supposedly the "most secure in the world", has been brought into light.

      Except it hasn't because apparently few people see an actual problem with what the FireFox team did here - vuln or not, this is the most stupid piece of functionality in the world.

    2. Re:Did the submitter read the links they included? by Anonymous Coward · · Score: 0

      And while we're here, can anyone explain why the firefoxurl handler exists at all?

      Because Vista changed the rules for registering handlers, so that something that used to be an internal implementation detail became exposed to the outside world.
    3. Re:Did the submitter read the links they included? by Random832 · · Score: 2, Informative

      And while we're here, can anyone explain why the firefoxurl handler exists at all?

      Though these are url handler keys instead of programs, imagine that firefoxurl is the real binary, and firefox sets up http, ftp, and so on, as symlinks to it. It can't put the real handler at 'http', since that could be overwritten by IE if someone opens IE and checks "make this my default web browser".
      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
  17. Summary is wrong by HappyUserPerson · · Score: 1
    From the MSRC blog post (linked in the summary):

    While we might have been able to make changes in some Windows APIs to block these attacks, doing so could break how the 3rd party applications intended those protocol handlers to function. As a result, we recommend that the owners of the applications themselves address the potential issues since they understand their code the best. For example, application protocol handler authors must take special care to validate every argument which is passed in on the command line.

    The parameter handling is not being modified to prevent applications from receiving potentially malformed URLs as command line parameters. It remains the responsibility of the applications which handle URLs to properly parse their own command line parameters and to set up the applications protocol handler in a way that does not cause the application to be a vector of attack (for example, 'firefox.exe "%1"' might be a problem). The flaw that is being fixed has to do with improper handling of some protocols (http, mailto) on XP/2003 with IE7 installed, which has nothing to do with custom protocol handlers.

    The MSRC post was meant to clarify the issue. Sadly, it seems that the substance of the post is ignored and misinformation prevails.
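    An added example, not code from the MSRC post, Firefox or Windows, illustrating the two points this thread keeps circling: a handler registered with a template like 'firefox.exe "%1"' receives the URI by textual substitution into its command line, so a quote inside the URI changes how the handler's argv is split; the caller can close that by percent-encoding characters a URI must not contain (Random832's suggestion above), and the handler can close it by refusing anything that is not a clean RFC 3986 URI (HeroreV's point). The template name `handler.exe`, the sample URIs and the tokenizer are constructed assumptions; the tokenizer is a simplified model of Windows argument splitting, not the real CommandLineToArgvW rules.

```python
"""Protocol-handler argument handling: the quote problem and two defensive checks.
Added example with constructed inputs; not the page's or any project's own code."""
import re
from urllib.parse import quote

# Characters RFC 3986 permits in a URI (unreserved, reserved, and '%' for escapes).
_URI_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")
# A '%' that is not followed by two hex digits is a malformed escape.
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")

# Constructed handler template; mirrors the 'firefox.exe "%1"' pattern discussed above.
TEMPLATE = 'handler.exe "%1"'


def is_rfc3986_clean(uri: str) -> bool:
    """True if uri contains only RFC 3986 characters and every '%' starts a valid escape."""
    return _URI_CHARS.fullmatch(uri) is not None and _BAD_ESCAPE.search(uri) is None


def build_handler_cmdline(template: str, uri: str) -> str:
    """Substitute the URI into the template the way a shell does: plain text replacement."""
    return template.replace("%1", uri)


def split_windows_cmdline(cmdline: str) -> list:
    """Simplified Windows-style tokenizer (assumption: double quotes group words,
    whitespace separates arguments; backslash-quote escapes are ignored)."""
    args, cur, in_quotes, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True
        elif ch in " \t" and not in_quotes:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        args.append("".join(cur))
    return args


def handler_argv(uri: str) -> list:
    """The argv the handler would see for a given URI under TEMPLATE."""
    return split_windows_cmdline(build_handler_cmdline(TEMPLATE, uri))


def sanitize_uri_for_handler(uri: str) -> str:
    """Caller-side mitigation: percent-encode anything a URI may not contain
    (quotes, spaces, backslashes, ...), leaving URI structural characters and
    existing escapes untouched."""
    return quote(uri, safe=":/?#[]@!$&'()*+,;=%")


def handler_accepts(argv: list, schemes=("http:", "https:")):
    """Handler-side check: exactly one argument, RFC 3986 clean, expected scheme.
    Returns the URI or None."""
    if len(argv) != 2:
        return None
    uri = argv[1]
    if not is_rfc3986_clean(uri) or not uri.lower().startswith(schemes):
        return None
    return uri


if __name__ == "__main__":
    good = "http://example.com/a b"          # constructed: space only, quoting copes
    bad = 'http://example.com/" -extra'      # constructed: a quote inside the URI
    print(handler_argv(good))                # one URI argument
    print(handler_argv(bad))                 # the URI has been split into two arguments
    print(handler_argv(sanitize_uri_for_handler(bad)))   # caller-side fix: one argument again
    print(handler_accepts(handler_argv(bad)))            # handler-side fix: rejected (None)
```

    Run as a script it prints the three argv lists and the rejection. The caller-side and handler-side checks are independent: a handler cannot rely on every caller encoding properly, and a caller cannot know how every handler parses its command line, which is why the MSRC post quoted above asks handler authors to validate every argument themselves.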

  18. Whole thing reminds me of PHP XSS attacks... by LingNoi · · Score: 1

    Is it PHP's fault that people don't escape their data before executing MySQL statements? No. Still it's such a wide problem that PHP is now going to escape all data in later versions of PHP.

    This is the exact same situation. There are problems with un-escaped data and Microsoft doesn't want to bother much like the PHP team did before they changed their minds about the situation.

    The only difference here is the way the code executes. I personally think it's not Microsoft's fault but they should fix it anyway. If they're that freaked out about backwards compatibility then just have an "on" or "off" switch in the registry so for the 0.1% of people that need it to stay the same have that option, but the vast majority are covered.

    1. Re:Whole thing reminds me of PHP XSS attacks... by Random832 · · Score: 1

      Is it PHP's fault that people don't escape their data before executing MySQL statements? No. Still it's such a wide problem that PHP is now going to escape all data in later versions of PHP.

      wtf does "escape all data" even mean? Data coming out of the database gets escaped? Data read in from files? Contents of string literals? Arguments to "echo"? How does it know whether to escape for SQL, for HTML [&lt; etc], or for something else? magic? You put "XSS" in the subject line, yet talk about MySQL in the body, which have nothing to do with each other (hint: XSS attacks are usually caused when you actually WANT the other person to be able to write HTML generally, but fail to prevent them from adding script tags. "escaping all data", if you mean HTML escaping, will turn all their legitimate HTML tags into "escaped" <b> etc.)
      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
    2. Re:Whole thing reminds me of PHP XSS attacks... by Limburgher · · Score: 1

      No, XSS != SQL injection. SQL injection is more relevant here, and to prevent it, you escape any data you didn't generate yourself before using it in any way with an SQL query. Even if that data came from the database.

      See www.php.net and look up mysql_real_escape_string() and pg_escape_string(). There are other functions for other purposes, but proper use of one of these two will save you lots of pain.

      --

      You are not the customer.

    3. Re:Whole thing reminds me of PHP XSS attacks... by Random832 · · Score: 1

      Yeah, but the GP suggested that the next version of PHP will "automatically escape all data", thus magically preventing both sql injections AND xss.

      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
    4. Re:Whole thing reminds me of PHP XSS attacks... by Anonymous Coward · · Score: 0

      Is it PHP's fault that people don't escape their data before executing MySQL statements?

      Of course it is. Using a pre-written query with parameter placeholders is the right way to solve the problem, but the PHP developers originally provided a half-assed database driver that didn't support that. All their sample code instead pasted escaped values directly into query text, which is where most everyone who learned PHP picked up this dangerous habit and started passing it on.
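      An added example, not from the thread or from PHP, showing the three approaches these replies argue about side by side: pasting a value into query text, pasting an escaped value, and a parameterized query with placeholders. It uses Python's sqlite3 rather than PHP/MySQL and a constructed in-memory table, so it runs offline; the point carries over to any SQL driver that supports placeholders.

```python
"""Concatenation vs. escaping vs. parameter placeholders for SQL queries.
Added example with a constructed in-memory table; not the page's own code."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, one with an apostrophe in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob", "admin"), ("o'brien", "user")],
    )
    return conn


def lookup_concat(conn, name):
    """The habit criticized above: the value becomes part of the query text,
    so anything it contains is parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_escaped(conn, name):
    """Escaping before pasting (what mysql_real_escape_string does for MySQL;
    here the SQL-standard doubling of single quotes). Correct only if every
    call site remembers to do it and the escaping matches the server's rules."""
    sql = "SELECT name, role FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Parameter placeholder: the driver keeps the value out of the query text
    entirely, so there is nothing to escape and nothing to forget."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def concat_query_breaks(conn, name) -> bool:
    """True if pasting this value into the query text makes the query fail to parse."""
    try:
        lookup_concat(conn, name)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(lookup_param(db, "o'brien"))          # [("o'brien", "user")]
    print(concat_query_breaks(db, "o'brien"))   # True: the apostrophe ends the string early
    print(len(lookup_concat(db, "x' OR '1'='1")))   # 3: the tautology rewrote the WHERE clause
    print(lookup_param(db, "x' OR '1'='1"))     # []: treated as a literal, matches nothing
```

      The `concat_query_breaks` check is the benign face of the same defect: a legitimate name with an apostrophe breaks the concatenated query, and a crafted one rewrites it; the parameterized version handles both as ordinary data.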
  19. OT: Your last blog entry by dylan_- · · Score: 1

    Font sizes are in points. They won't be the correct size if your display size isn't being picked up correctly, which sounds likely. Try setting DisplaySize in your xorg.conf and see if it makes a difference. Remember to make a backup copy first, so you can just copy it back in play if something screws up.

    --
    Igor Presnyakov stole my hat
  20. "Flip-Flops"? by Mode_Locrian · · Score: 1

    I'm quite aware that this is completely off-topic, but "Flip-Flops"? This locution, imported from contemporary political discourse, no doubt, irritates me to no end. Why not just say what you mean--namely: "changes its (or, in the case of persons, his/her) mind"? Or is this neologism supposed to mean something else that I'm not aware of (I doubt it, but who knows)?

    1. Re:"Flip-Flops"? by Lord+Bitman · · Score: 1

      The phrase "flip-flops" officially died the first time one pundit quoted another by using it without attributing the source. Same with quagmire. These are now gone from the English language. Please do not use them.

      --
      -- 'The' Lord and Master Bitman On High, Master Of All
  21. Only a problem if you omit the http: by giafly · · Score: 2, Informative

    Create a shortcut on your desktop called 'www.slashdot.org' which points to 'www.bbc.co.uk'.
    Now visit www.slashdot.org in IE.
    Visiting www.slashdot.org is broken
    Visiting http://www.slashdot.org/ works fine

    IE seems to store the http: in favorites etc., so it's not much of a problem.
    Also it doesn't affect Firefox so almost nobody will notice.
    --
    Reduce, reuse, cycle
    1. Re:Only a problem if you omit the http: by mrRay720 · · Score: 2, Informative

      Actually this sounds like expected behaviour. www.slashdot.org isn't a valid address, people are just used to the user-friendly auto-appending of http://./

      www.slashdot.org is the name of a file in a location that IE searches for named shortcuts.

      What IE is doing in this case is preferring an exact match over an autoguess.

      The only argument here is if IE should be searching the desktop for URL shortcuts, and considering how many people use their desktop in lieu of the favourites menu, I don't think that it's an unreasonable feature.

      If you want to go to http://www.slashdot.org/ - type that in. Leave room for the software to guess, and well, it will guess.

  22. It's a philosophical bug nonetheless.. by zukinux · · Score: 1

    If program A and program B are installed, and while the user is using program A (Internet Explorer) a specific bug means that, if program B (Firefox) is installed and the user is currently using program A, a malicious user can cause program A to pass parameters which will not be checked by program B.

    So who is guilty? Program A for allowing to pass those parameters? or Program B which doesn't sanitize input from other programs?
    I'd say, both.

  23. It's all still more secure than Ubuntu by Anonymous Coward · · Score: 0

    Once Ubuntu starts fixing all their security flaws, then maybe Slashdot can start talking about security issues again.

    1. Re:It's all still more secure than Ubuntu by Anonymous Coward · · Score: 0

      How again do you make a server secure from a brute force login on a multinational service?
      Just curious.

  24. Hmmm.... and I was modded as Troll by foniksonik · · Score: 1

    I just stated this on the Adobe vulnerability story.... clickie to see the irony

    My post:

    "Is it really an Adobe vulnerability? Seems more like it's an IE vulnerability that has been blame-shifted to whoever writes the plugins that might expose it for what it is."

    Replies:

    "From what I understand, and there isn't much in the way of technical details available, this is not an IE flaw. IE, correctly, doesn't assume that a URI is invalid just because it looks odd. This is correct, because there is no way IE can know if an URI for another protocol is valid or invalid. It is the responsibility of the target program to sanitize its input, knowing full well that it comes from an untrusted source."

    Methinks some credit is due.... or maybe more troll mods? it is /.

    --
    A fool throws a stone into a well and a thousand sages can not remove it.
  25. What, me worry? by angus_rg · · Score: 1

    Is anyone surprised that a big business swears there is no problem until they have a solution?

    1. Re:What, me worry? by TT076659 · · Score: 1

      A company says "We offer the best in security to ensure the protection of your business without any problems".

      Few weeks later..

      The company says "We have discovered an issue with bla bla bla, please visit bla bla bla to get the update".

  26. The terms `flip-flop` and `Microsoft` together? by octaene · · Score: 1

    Usually, the terms `flip-flop` and `Microsoft` together in a sentence bring out the MS-bashers and Linux advocates. But to be frank, this is a good thing for Microsoft to do. Their previous argument was pretty solid, because how are Microsoft to anticipate each and every URL registration made by a third-party application writer? Answer: they can't.

    So by now admitting to plans to write a more strict handling routine for the shell URI interpreter, Microsoft is not kowtowing to pressure from the free market (IMHO), but actually taking a step towards better security.

    Microsoft fanboiz or not, that's what we all want, right?

  27. Re:Microsoft has been a destroyer of standards... by SL+Baur · · Score: 1

    Microsoft has been a destroyer of standards, rather than a builder of standards.

    You must be new here. They're only doing what titans in the computer industry have done in the past. IBM (with OS 360), DEC (with VMS), etc.

    Standards have traditionally been whoever has the largest market share. They may change from vendor to vendor, but it has always been this way. Always.

    Sigh. When I went through college, there were no computer majors, but now it definitely seems time that there should be computer history majors ...
  28. Where's the logic? by Futurepower(R) · · Score: 1

    You seem to be saying that abuse is okay if someone has done that kind of abuse before.

  29. The election is over, John by Anonymous Coward · · Score: 0

    I'm sorry to inform you so late, but you lost.

    Yours truly,
    George