Microsoft Flip-Flops On URI Protocol Handing Flaw

a-twitter writes "After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability, announcing in a security advisory that a Windows update will be released to revise URI handling code within ShellExecute() to be more strict. The MSRC blog explains the background and offers more details on this issue."

Good.

[Futurepower(R)]

Now we won't have to read any more Slashdot comments that say, "It's not really Microsoft's problem."

The Point: They're Still Missing It.

[Tackhead]

From TFA:
> For traditionally "safe" protocols like mailto: or http:

And that's where my co-workers heard the cry of "You dumb motherfuckers".

It's been a few years since Microsoft boxes were out-of-the-box exploitable through anything other than rendering HTML content from either a web page or from within an email client.

While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.

If you're at Microsoft, and you still think of "http://" as "safe", you're still part of the problem, not part of the solution.