Slashdot Mirror


Microsoft Flip-Flops On URI Protocol Handling Flaw

a-twitter writes "After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability, announcing in a security advisory that a Windows update will be released to revise URI handling code within ShellExecute() to be more strict. The MSRC blog explains the background and offers more details on this issue."

4 of 126 comments

  1. Good. by Futurepower(R) · · Score: 5, Insightful

    Now we won't have to read any more Slashdot comments that say, "It's not really Microsoft's problem."

  2. The Point: They're Still Missing It. by Tackhead · · Score: 5, Insightful
    From TFA:
    > For traditionally "safe" protocols like mailto: or http:

    And that's where my co-workers heard the cry of "You dumb motherfuckers".

    It's been a few years since Microsoft boxes were out-of-the-box exploitable through anything other than rendering HTML content from either a web page or from within an email client.

    While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.

    If you're at Microsoft, and you still think of "http://" as "safe", you're still part of the problem, not part of the solution.

    1. Re:The Point: They're Still Missing It. by drsmithy · · Score: 4, Insightful

      > And that's where my co-workers heard the cry of "You dumb motherfuckers".

      Maybe you should have kept reading (or you're just quoting out of context to sensationalise):

      > For traditionally "safe" protocols like mailto: or http: applications often just verify the prefix and then choose to call into the Windows shell32 function ShellExecute() to handle it.

      > And that's where my co-workers heard the cry of "You dumb motherfuckers".

      It's pretty clear from context that the implication is other applications consider those prefixes as "traditionally safe", and not that Microsoft does.
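
The MSRC sentence quoted in this comment describes applications that check only the scheme prefix before calling ShellExecute(). The following is an added illustration, not code from Microsoft, the advisory, or either commenter: `weak_check()` is that prefix test, `strict_check()` is a hypothetical validation policy built from RFC 3986's character rules, `shell_execute_stub()` merely records what a real launcher would have been handed, and `open_uri()`, `ALLOWED_SCHEMES` and every sample string are constructed for the example.

```python
"""Prefix check versus strict validation of a URI before it reaches a shell launcher.

Added illustration (not Microsoft's code and not the patched ShellExecute()):
shell_execute_stub() only records what would have been launched, and
strict_check() is a hypothetical policy derived from RFC 3986's character rules.
"""
import re
from urllib.parse import urlsplit

# Schemes this hypothetical application is willing to hand to the shell.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# RFC 3986 allows only unreserved, reserved and percent-encoded characters in a
# URI. Anything else (spaces, quotes, backslashes, control characters) means the
# string is not a plain URI and must not reach a launcher that may reinterpret it.
_URI_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")

# Every '%' must introduce exactly two hex digits; a bare '%' is malformed.
_BAD_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")

LAUNCHED = []  # what the stand-in launcher was asked to open


def weak_check(uri: str) -> bool:
    """The pattern the advisory describes: look at the scheme prefix only."""
    return uri.lower().startswith(("http:", "https:", "mailto:"))


def strict_check(uri: str) -> bool:
    """Hypothetical strict policy: parse the URI and validate each part."""
    if not _URI_CHARS.fullmatch(uri):
        return False
    if _BAD_PERCENT.search(uri):
        return False
    try:
        parts = urlsplit(uri)
    except ValueError:  # e.g. unbalanced IPv6 brackets in the authority
        return False
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    if scheme in ("http", "https") and not parts.netloc:
        # "http:something" passes a prefix check but names no host at all.
        return False
    if scheme == "mailto" and "@" not in parts.path:
        return False
    return True


def shell_execute_stub(uri: str) -> None:
    """Stand-in for shell32's ShellExecute(): records the call instead of launching."""
    LAUNCHED.append(uri)


def open_uri(uri: str, check=strict_check) -> bool:
    """Launch only what the chosen validator accepts; returns whether it launched."""
    if not check(uri):
        return False
    shell_execute_stub(uri)
    return True


if __name__ == "__main__":
    # Constructed sample inputs: the first two are ordinary, the rest satisfy a
    # prefix check without being well-formed URIs of the claimed scheme.
    samples = [
        "http://example.com/page?q=1",
        "mailto:alice@example.com",
        'http:"not a url" c:\\path',
        "http:nohost",
        "http://example.com/%zz",
    ]
    for s in samples:
        print(f"{s!r:40} prefix={weak_check(s)!s:5} strict={strict_check(s)}")
```

The point of the contrast is that `weak_check()` accepts any string that happens to begin with an allowed prefix, so whatever follows the prefix is passed through untouched to the launcher; `strict_check()` insists the whole string is a URI of the claimed scheme before anything is launched, which is the posture an application should take regardless of how the shell side later changes.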

  3. Re:Fanboy Bullshit at its Finest. by Planesdragon · · Score: 4, Insightful

    > You must have slept through that whole anti-trust thing, where the Federal government proved that M$ did everything in its power to break Netscape.

    Psst. Netscape is not a competitor to Windows. Never was.

    MS cripples themselves when they try and lean on Windows to get IE, or Office, or Visual Studio more market share. But Windows itself -- well, there's been to date, what, four serious attempts at competing with MS, and they haven't even managed to get half the market between them?

    BeOS, UNIX et al, OS/2, and the Mac. All told, maybe 30% of the worldwide userbase. Microsoft is doing something right -- or else the "here, you can have this for free" crowd is doing something even worse than MS.