Slashdot Mirror


Microsoft Flip-Flops On URI Protocol Handling Flaw

a-twitter writes "After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability, announcing in a security advisory that a Windows update will be released to revise URI handling code within ShellExecute() to be more strict. The MSRC blog explains the background and offers more details on this issue."

7 of 126 comments

  1. Simple by Vlaadimir · · Score: 4, Interesting

    If Microsoft concedes that IE should validate/sanitize URL input before passing it to other applications, then other browsers should also validate/sanitize URL input before passing it to other vulnerable Microsoft/Adobe/IBM/... applications.

  2. In Vista it doesn't even act properly by postmortem · · Score: 0, Interesting

    When Firefox is the default browser, state-of-the-art Microsoft Office 2007 can't open a link when it is clicked without an error - every time it is the same story (fatal error! with red X and appropriate sound) if Firefox is not already open.

  3. Nothing new here by GodfatherofSoul · · Score: 1, Interesting

    Microsoft is a pain when it comes to protocols. If they have a bug, unless it blows up Fortune 500 servers they put the burden on you to work around them. I wrote an HTTP proxy client lib a while back that ran with no problems for months/years until Microsoft got into our market. "But the RFC says..." means jack to your clients when their deployment is bombing out on transactions.

    --
    I swear to God...I swear to God! That is NOT how you treat your human!

  4. Re:Pay attention by Alwin Henseler · · Score: 5, Interesting

    "There were two flaws: One in Firefox, one in ShellExecute."

    Excellent point.

    "Microsoft cannot and did not fix the flaw in Firefox (..)"

    Ehmm... wrong. Since Firefox is an open source project, ANYONE has the option to contribute patches, and Microsoft surely has the knowledge and resources to do so. Any decently managed open source project should accept patches from anyone, IF it provides a correct fix for a problem, and licensing of the patch is acceptable (like, licensed the same as the rest of the project).

    Though I can't think of a reason why Microsoft would WANT to fix a problem in Firefox, unless IE's market share has dropped below 1% ;-)

  5. Re:Firefox? by ozmanjusri · · Score: 2, Interesting

    "M$" has modified the way it works, which does not mean it's "mistaken".

    Yes it does.

    This is from the Technet mea culpa blog posting by MSRC's Jonathan.

    With Internet Explorer 7 installed, the flow is a bit different. IE7 began to do more validation up front to reject malformed URI's. When this malformed URI with a % was rejected by IE7, ShellExecute() tries to "fix up" the URI to be usable. During this process, the URI is not safely handled. IE7 rejects the URI, and on Windows Vista ShellExecute() gracefully rejects the URI. That's not the case on the older versions of Windows like Windows XP and Windows Server 2003 when IE7 is installed.

    Spin the facts as much as you like here, but anyone with a clue knows it is Microsoft's vulnerability. That's why they're the only ones who can fix it.
    --
    "I've got more toys than Teruhisa Kitahara."
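
The MSRC text quoted in comment 5 contrasts rejecting a malformed URI with trying to "fix up" one that contains a stray %, and comment 1 asks callers to validate before handing a URI to another application. The C below is an added example of such a reject-only check, not Microsoft's or Mozilla's code; the function names, the scheme allowlist and the choice of the RFC 3986 character set as policy are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>

/* Assumed allowlist: schemes this caller will hand to an external handler. */
static const char *const ALLOWED[] = { "http", "https", "mailto" };

/* Case-insensitive test that uri starts with "<scheme>:". */
static int has_scheme(const char *uri, const char *scheme)
{
    size_t n = strlen(scheme);
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)uri[i]) != scheme[i])
            return 0;               /* also stops at the end of a short uri */
    return uri[n] == ':';
}

/* Returns 1 only if uri can be passed on byte-for-byte; 0 means reject.
 * There is deliberately no code path that repairs a bad URI. */
int uri_ok_for_handler(const char *uri)
{
    /* RFC 3986 reserved and unreserved punctuation; letters and digits are tested separately. */
    static const char punct[] = ":/?#[]@!$&'()*+,;=-._~";
    int scheme_ok = 0;

    if (uri == NULL)
        return 0;
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        scheme_ok |= has_scheme(uri, ALLOWED[i]);
    if (!scheme_ok)
        return 0;
    for (size_t i = 0; uri[i] != '\0'; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (c == '%') {
            /* '%' must start two hex digits, and must not encode NUL. */
            unsigned char a = (unsigned char)uri[i + 1];
            unsigned char b = a ? (unsigned char)uri[i + 2] : 0;
            if (!isxdigit(a) || !isxdigit(b) || (a == '0' && b == '0'))
                return 0;
            i += 2;
        } else if (!(c < 0x80 && isalnum(c)) && strchr(punct, c) == NULL) {
            return 0;               /* space, quote, control byte, non-ASCII */
        }
    }
    return 1;
}
```

A caller would invoke the external handler only when `uri_ok_for_handler()` returns 1 and would surface an error otherwise, so a URI the first component refused is never rewritten into something a later component accepts.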

  6. Re:Good. by MadMidnightBomber · · Score: 5, Interesting

    Create a shortcut on your desktop called 'www.slashdot.org' which points to 'www.bbc.co.uk'[1]. Now visit www.slashdot.org in IE.

    Be afraid. Be very afraid.

    [1] OB /. - or possibly to goatse

    --
    "It doesn't cost enough, and it makes too much sense."

  7. Re:like a dervish, they are by Anonymous Coward · · Score: 1, Interesting

    True.

    But, you can still buy a disposable 360 once a month for five years, for less than half the price of a single PS3!