Microsoft Flip-Flops On URI Protocol Handing Flaw

a-twitter writes "After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability, announcing in a security advisory that a Windows update will be released to revise URI handling code within ShellExecute() to be more strict. The MSRC blog explains the background and offers more details on this issue."

Good.

[Futurepower(R)]

Now we won't have to read any more Slashdot comments that say, "It's not really Microsoft's problem."

Re:Good.

[Spy+der+Mann]

Now I wonder how many machines have now been zombified due to Microsoft's "little mistake". :-/

Who's gonna be held accountable for that?

Re:Good.

[clsours]

No, no, no. Windows automagically does all kinds of crap. Especially with explorer, which for most intents and purposes is also Internet Explorer. Windows does many many things for the user that are 'nice', but really compromise security. With a culture of obfuscation-as-security and a growing codebase you HAVE to expect vulnerabilities.

The Point: They're Still Missing It.

[Tackhead]

From TFA:
> For traditionally "safe" protocols like mailto: or http:

And that's where my co-workers heard the cry of "You dumb motherfuckers".

It's been a few years since Microsoft boxes were out-of-the-box exploitable through anything other than rendering HTML content from either a web page or from within an email client.

While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.

If you're at Microsoft, and you still think of "http://" as "safe", you're still part of the problem, not part of the solution.

Re:The Point: They're Still Missing It.

[drsmithy]

And that's where my co-workers heard the cry of "You dumb motherfuckers".

Maybe you should have kept reading (or you're just quoting out of context to sensationalise):

For traditionally "safe" protocols like mailto: or http: applications often just verify the prefix and then choose to call into the Windows shell32 function ShellExecute() to handle it.

And that's where my co-workers heard the cry of "You dumb motherfuckers".

It's pretty clear from context that the implication is other applications consider those prefixes as "traditionally safe", and not that Microsoft does.

Re:The Point: They're Still Missing It.

[Alwin+Henseler]

While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.

Which is really ridiculous, that normal users have come to expect (or should expect) that there are exploit-ridden websites which you should never visit, or else your system may get exploited and spyware/other crap gets installed behind the user's back.

One could pass a web-server ANYTHING as a URI, and the server basically returns you a 'page', consisting of a number of elements which are then rendered for your viewing pleasure. From a conceptual point of view, that's pretty much a READ action, and (imho) users should not be wrong to think this is always safe, and has no chance of screwing up your system. That this is not true in real life doesn't mean users behave unwise or stupid, but that current popular OS'es are BROKEN. Regardless of where in those OS'es (or the applications on it) the cause lies.

Now, for another point of view on these URI handling troubles: a) there exist malformed URI's, and b) pretty much everyone agrees they should not fsck up your system, but simply be handled. Either 'fixed' to be a valid URI, or simply be rejected as invalid. Now if you need to fix it anyway, where would be the best place to do so? In every application that handles URI's, or in 1 place where all those URI's pass through at some point in time anyway? Apart from the question of whether it would be the OS'es responsibility, I'd say inside the OS would be the easiest place to fix the 'malformed URI' problem as a whole. Also, if the OS isn't bothered by a malformed URI, and just returns an error to indicate the problem, applications (and through them) users are informed of that fact. Which would tell a user that a site he's browsing is either trying to screw him, hijack his system, or that the site maintainers are incompetent.

If the OS doesn't accept malformed URI's period, then the system as a whole becomes safer to use, regardless of whether applications do their own URI validation or not. So fixing this in the Windows URI handler would seem like the most general, AND the easiest way to prevent malformed URI from doing any damage.

Apart from that I think the article was well written and reasoned, claiming that input validation is really a shared responsibility, that both OS vendors AND 3rd party application developers should care about.

Re:The Point: They're Still Missing It.

[Beryllium+Sphere(tm)]

More insight into how Microsoft thinks about these things at Larry Osterman's blog.

Personally I'd point the finger at the idea of using ShellExecute on inadequately filtered data from the Internet.

Damn you, Microsoft.

[Jugalator]

Damn Microsoft for doing a 180 and making ShellExecute() be more strict about URI's. Damn you Microsoft for fixing that bug now, when you didn't fix it before. You should have kept with this and not fixed it. Or something. :-)

Re:Fanboy Bullshit at it's Finest.

[Planesdragon]

You must have slept through that whole anti-trust thing, where the Federal government proved that M$ did everything in it's power to break Netscape.

Psst. Netscape is not a competitor to Windows. Never was.

MS cripples themselves when they try and lean on Windows to get IE, or Office, or Visual Studio more market share. But Windows itself -- well, there's been to date, what, four serious attempts at competting with MS, and they haven't even managed to get half the market between them?

BeOS, UNIX et al, OS/2, and the Mac. All told, maybe 30% of the worldwide userbase. Microsoft is doing something right -- or else the "here, you can have this for free" crowd is doing something even worse than MS.

Re:Fanboy Bullshit at it's Finest.

[absoluteflatness]

Psst. Netscape is not a competitor to Windows. Never was...
MS cripples themselves when they try and lean on Windows...

Well, the grandparent never said that Netscape was a competitor to Windows, but it sure was a competitor with Internet Explorer. Considering that Internet Explorer completely crushed Netscape due to it being free and bundled with Windows (and, eventually, a better product), I think that Microsoft's plan of leaning on their Windows dominance to sell their other products seems like a pretty successful one. Of course, of these, only IE is "bundled". For Office and Visual Studio, it's really a two-way street. People get Office or VS because they're the de-facto standard on Windows, then they stay with Windows so they can keep the same office suite/IDE.

They seemed to "cripple" themselves with the decaying quality of IE before the release of version 7, but really, it's a consequence of how they dominated the market so effectively. When there's no real competition, why bother innovating? If anything, Microsoft's business model sometimes works too well for their own good.

Re:Firefox?

[HeroreV]

If Internet Explorer was sending Firefox a valid URL, it wouldn't have to worry about escaping anything. Valid URLs don't contain whitespace, quotation marks, backslashes, or anything else that would need to be escaped. Why should Firefox expect to receive malformed URLs?

Re:Pay attention

[suv4x4]

Ehmm... wrong. Since Firefox is an open source project, ANYONE has the option to contribute patches, a [...] Though I can't think of a reason why Microsoft would WANT to fix a problem in Firefox

So uhmm what was the point of this post at all? Anyone in Microsoft's position wouldn't want to fix their competitors' software, it being OSS or not.

Firefox isn't just a browser competing to IE on Windows. It's a browser on Windows that works the same on Mac and Linux. That's horrible for MS as the browser becomes the most important application ever to be had on an OS.

Re:Fanboy Bullshit at it's Finest.

[houseofzeus]

Being a monopoly is not, in itself, illegal.