Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Flip-Flops On URI Protocol Handing Flaw

Posted by kdawson on from the so-it's-a-bug dept.

a-twitter writes "After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability, announcing in a security advisory that a Windows update will be released to revise URI handling code within ShellExecute() to be more strict. The MSRC blog explains the background and offers more details on this issue."

88 of 126 comments (clear)

  1. like a dervish, they are by User+956 · · Score: 4, Funny

    After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability

    If it took them that many months, it sounds like they did a 1260.

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:like a dervish, they are by ricebowl · · Score: 4, Funny

      If it took them that many months, it sounds like they did a 1260.

      And here I'm still saving to buy the 360...

      Sigh...

    2. Re:like a dervish, they are by mrbluze · · Score: 1

      Maybe it took them so long because they had to bug-fix the patch, so the replacement vulnerability won't be so easy for non-spooks to detect.

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    3. Re:like a dervish, they are by ozmanjusri · · Score: 4, Funny

      Why don't you just twist a red glow-stick into a ring and glue it to the front of a cereal box? It'll work as well as most 360s do...

      --
      "I've got more toys than Teruhisa Kitahara."
    4. Re:like a dervish, they are by rk076200 · · Score: 2, Funny

      Microsoft has finally accepted responsibility for its role in a security weakness that allows malicious websites to run harmful code on an end user's machine.

    5. Re:like a dervish, they are by Anonymous Coward · · Score: 1, Interesting

      True.

      But, you can still buy a disposable 360 once a monthfor five years, for less than half the price of a single PS3!

    6. Re:like a dervish, they are by ricebowl · · Score: 2, Funny

      Why don't you just twist a red glow-stick into a ring and glue it to the front of a cereal box? It'll work as well as most 360s do...

      True enough, but will my glow-stick and cereal box be repaired under an extended warranty when it inevitably falls apart, or I add milk to the contents?

      I don't think Mr. Kelloggs will be forthcoming...

    7. Re:like a dervish, they are by dpiven · · Score: 1

      And it'll taste better, and be more nutritious!

    8. Re:like a dervish, they are by rinaazlin · · Score: 1

      even you buy 360, will the virus stop coming.. maybe not!

    9. Re:like a dervish, they are by davidsyes · · Score: 1

      What were they doing? Chanting runes, or calculating by an excel error?

      --
      Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  2. Good. by Futurepower(R) · · Score: 5, Insightful

    Now we won't have to read any more Slashdot comments that say, "It's not really Microsoft's problem."

    1. Re:Good. by Spy+der+Mann · · Score: 2, Insightful

      Now I wonder how many machines have now been zombified due to Microsoft's "little mistake". :-/

      Who's gonna be held accountable for that?

    2. Re:Good. by dedazo · · Score: 3, Informative

      No, it's not. Never was. They're fixing other applications (Firefox in this case), the way they hack their entire userspace to deal with application quirks and stupid use of undocumented structures and APIs that are not supported. But that's the price they ultimately have to pay for backwards compatibility - the reason they also still own 96% of the desktop.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    3. Re:Good. by clsours · · Score: 3, Insightful

      No, no, no. Windows automagically does all kinds of crap. Especially with explorer, which for most intents and purposes is also Internet Explorer. Windows does many many things for the user that are 'nice', but really compromise security. With a culture of obfuscation-as-security and a growing codebase you HAVE to expect vulnerabilities.

      --
      Seagoon: Shut up Eccles!

      Eccles: Shut up Eccles!
    4. Re:Good. by Cassius+Corodes · · Score: 3, Funny

      Me. I'm gonna get a week's vacation docked.

      --
      Control is an illusion, order our comforting lie. From chaos, through chaos, into chaos we fly
    5. Re:Good. by MadMidnightBomber · · Score: 5, Interesting

      Create a shortcut on your desktop called 'www.slashdot.org' which points to 'www.bbc.co.uk'[1]. Now visit www.slashdot.org in IE.

      Be afraid. Be very afraid.

      [1] OB /. - or possibly to goatse

      --
      "It doesn't cost enough, and it makes too much sense."
    6. Re:Good. by JoelKatz · · Score: 1

      It's not. It's nice that they fixed it, but it wasn't there bug. Firefox, and other programs, were passing invalid URLs from untrusted sources to the operating system.

    7. Re:Good. by rk075906 · · Score: 1

      In a world without walls and fences - who needs windows and gates?!

  3. The Point: They're Still Missing It. by Tackhead · · Score: 5, Insightful
    From TFA:
    > For traditionally "safe" protocols like mailto: or http:

    And that's where my co-workers heard the cry of "You dumb motherfuckers".

    It's been a few years since Microsoft boxes were out-of-the-box exploitable through anything other than rendering HTML content from either a web page or from within an email client.

    While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.

    If you're at Microsoft, and you still think of "http://" as "safe", you're still part of the problem, not part of the solution.

    1. Re:The Point: They're Still Missing It. by drsmithy · · Score: 4, Insightful

      And that's where my co-workers heard the cry of "You dumb motherfuckers".

      Maybe you should have kept reading (or you're just quoting out of context to sensationalise):

      For traditionally "safe" protocols like mailto: or http: applications often just verify the prefix and then choose to call into the Windows shell32 function ShellExecute() to handle it.

      And that's where my co-workers heard the cry of "You dumb motherfuckers".

      It's pretty clear from context that the implication is other applications consider those prefixes as "traditionally safe", and not that Microsoft does.

    2. Re:The Point: They're Still Missing It. by Alwin+Henseler · · Score: 3, Insightful

      While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.

      Which is really ridiculous, that normal users have come to expect (or should expect) that there are exploit-ridden websites which you should never visit, or else your system may get exploited and spyware/other crap gets installed behind the user's back.

      One could pass a web-server ANYTHING as a URI, and the server basically returns you a 'page', consisting of a number of elements which are then rendered for your viewing pleasure. From a conceptual point of view, that's pretty much a READ action, and (imho) users should not be wrong to think this is always safe, and has no chance of screwing up your system. That this is not true in real life doesn't mean users behave unwise or stupid, but that current popular OS'es are BROKEN. Regardless of where in those OS'es (or the applications on it) the cause lies.

      Now, for another point of view on these URI handling troubles: a) there exist malformed URI's, and b) pretty much everyone agrees they should not fsck up your system, but simply be handled. Either 'fixed' to be a valid URI, or simply be rejected as invalid. Now if you need to fix it anyway, where would be the best place to do so? In every application that handles URI's, or in 1 place where all those URI's pass through at some point in time anyway? Apart from the question of whether it would be the OS'es responsibility, I'd say inside the OS would be the easiest place to fix the 'malformed URI' problem as a whole. Also, if the OS isn't bothered by a malformed URI, and just returns an error to indicate the problem, applications (and through them) users are informed of that fact. Which would tell a user that a site he's browsing is either trying to screw him, hijack his system, or that the site maintainers are incompetent.

      If the OS doesn't accept malformed URI's period, then the system as a whole becomes safer to use, regardless of whether applications do their own URI validation or not. So fixing this in the Windows URI handler would seem like the most general, AND the easiest way to prevent malformed URI from doing any damage.

      Apart from that I think the article was well written and reasoned, claiming that input validation is really a shared responsibility, that both OS vendors AND 3rd party application developers should care about.

    3. Re:The Point: They're Still Missing It. by plover · · Score: 1

      It's pretty clear from context that the implication is other applications consider those prefixes as "traditionally safe", and not that Microsoft does.

      Umm...no. Your interpretation, while literal, doesn't parse because applications have neither traditions nor opinions on safety, nor do they write themselves. When you expand the original sentence's subject appropriately, it reads like this:

      For traditionally "safe" protocols like mailto: or http: [human] application [writer]s often just verify the prefix and then choose to call into the Windows shell32 function ShellExecute() to handle it.

      At that point, it reads more like this: "The application developers I know traditionally consider the protocols mailto: and http: to be "safe", and therefore don't need to bother sanitizing the URIs before foisting the heavy lifting off on ShellExecute()." In that context it's clearly the blind presumption of safety on the part of the developers that's the real problem.

      Not that it would make me go screaming about mentally deficient Oedipal fornicators ...

      --
      John
    4. Re:The Point: They're Still Missing It. by Beryllium+Sphere(tm) · · Score: 3, Insightful

      More insight into how Microsoft thinks about these things at Larry Osterman's blog.

      Personally I'd point the finger at the idea of using ShellExecute on inadequately filtered data from the Internet.

    5. Re:The Point: They're Still Missing It. by drsmithy · · Score: 1

      Umm...no. Your interpretation, while literal, doesn't parse because applications have neither traditions nor opinions on safety, nor do they write themselves. When you expand the original sentence's subject appropriately, it reads like this:

      And when you expand my sentence appropriately, you get:

      It's pretty clear from context that the implication is other applications [' developers] consider those prefixes as "traditionally safe", and not that [the average] Microsoft [developer] does.

      At that point, it reads more like this: "The application developers I know traditionally consider the protocols mailto: and http: to be "safe", and therefore don't need to bother sanitizing the URIs before foisting the heavy lifting off on ShellExecute()." In that context it's clearly the blind presumption of safety on the part of the developers that's the real problem.

      More like "the application developers we have experience in dealing with - having expended massive amounts of our resources over the last 2+ decades to rectify or work around their mistakes - traditionally consider the protocols mailto: and http: to be "safe" and therefore don't need to bother sanitizing the URIs before foisting the heavy lifting off on ShellExecute(). These are the same idiots who do thing like try and store runtime data in system directories." This is especially true when you consider that "Chen" probably refers to Raymond Chen, who's been helping Windows work around developer stupidity for a very long time.

  4. Damn you, Microsoft. by Jugalator · · Score: 1, Insightful

    Damn Microsoft for doing a 180 and making ShellExecute() be more strict about URI's. Damn you Microsoft for fixing that bug now, when you didn't fix it before. You should have kept with this and not fixed it. Or something. :-)

    --
    Beware: In C++, your friends can see your privates!
    1. Re:Damn you, Microsoft. by fbjon · · Score: 1

      That would be point one then.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
  5. The "New" Microsoft by Propaganda13 · · Score: 2, Funny

    After being criticized about security, Microsoft has taken additional steps to shorten the time between when they advise a customer of a vulnerability and when it is fixed. Ballmer stated "This is a win for both the customer and Microsoft."

  6. Simple by Vlaadimir · · Score: 4, Interesting

    If Microsoft concedes that IE should validate/sanitize URL input before passing it to other applications, then other browsers should also validate/sanitize URL input before passing it to other vulnerable Microsoft/Adobe/IBM/... applications.

    1. Re:Simple by micheas · · Score: 1

      If Microsoft concedes that IE should validate/sanitize URL input before passing it to other applications, then other browsers should also validate/sanitize URL input before passing it to other vulnerable Microsoft/Adobe/IBM/... applications.


      That would work if you didn't have to make an exception for the Outlook Web Access Client for exchange. That has all sorts of invalid URL's in it that should never be accepted by a web browser.

      Worst thing Netscape and Microsoft ever did is allow their browsers to render invalid html instead of throwing an error.
      --
      Work bio at MMWD
    2. Re:Simple by plague3106 · · Score: 1

      Ok, I'll bite. What "invalid" urls are in exchangeweb? Before you answer, remember I DO have exchange web on my server..

    3. Re:Simple by Vlaadimir · · Score: 1

      I think this has more to do with Microsoft trying to gain the high ground by saying that we validate our input before passing it to third party applications. Where validating user input, really is a good thing is not always easy.

    4. Re:Simple by micheas · · Score: 1

      Ok, I'll bite. What "invalid" urls are in exchangeweb? Before you answer, remember I DO have exchange web on my server..


      I cannot remember what the issue is exactly but it has (had? I have been mercifully spared from exchange 2005) to do with % signs in email subjects or file names.
      --
      Work bio at MMWD
    5. Re:Simple by 10101001+10101001 · · Score: 1

      ...then other browsers...

      IE isn't a web browser. It's a quasi-web browser. The second Microsoft chose to leverage non-standard features in disregard to how it would cripple the platform-independent design of the web, IE became a quasi-web browser. Of course, one could argue that most "web browsers" fall into that category (Netscape, Firefox, Opera, etc all adding-on Java, Flash plug-ins, etc). At that point, though, one can rational argue that each quasi-web browser falls into its own category, so there's no reasonable expectation that they should all manditoraly copy each other. I mean, IE includes Active X and "Zones". Should Firefox and Opera include those too?

      Of course, the proper answer might be to just, you know, stop supporting external uri handlers (ie, ones one can't fix/validate). But that's based upon the assumption that security should trump functionality.

      --
      Eurohacker European paranoia, gun rights, and h
    6. Re:Simple by plague3106 · · Score: 1

      hmm, i'll have to check that out. I've seen % signs, but they should be there... %27 replaces ' IIRC, whcih is the proper escaping.

  7. My Flaw by The+Living+Fractal · · Score: 1

    I have a "handing" flaw. A protocol has a "handling" flaw.

    My flaw is much more personal ;p

    --
    I do not respond to cowards. Especially anonymous ones.
  8. Pay attention by Anonymous Coward · · Score: 5, Informative

    You're not paying attention. There were two flaws: One in Firefox, one in ShellExecute. Microsoft cannot and did not fix the flaw in Firefox (incorrect interpretation of command line). Microsoft did fix the bug in ShellExecute, which was by the failure to abort if URLMON returned an error code indicating that a given string was not a legal URI.

    1. Re:Pay attention by Alwin+Henseler · · Score: 5, Interesting

      There were two flaws: One in Firefox, one in ShellExecute. Excellent point.

      Microsoft cannot and did not fix the flaw in Firefox (..) Ehmm... wrong. Since Firefox is an open source project, ANYONE has the option to contribute patches, and Microsoft surely has the knowledge and resources to do so. Any decently managed open source project should accept patches from anyone, IF it provides a correct fix for a problem, and licensing of the patch is acceptable (like, licensed the same as the rest of the project).

      Though I can't think of a reason why Microsoft would WANT to fix a problem in Firefox, unless IE's market share has dropped below 1% ;-)

    2. Re:Pay attention by suv4x4 · · Score: 2, Insightful

      Ehmm... wrong. Since Firefox is an open source project, ANYONE has the option to contribute patches, a [...] Though I can't think of a reason why Microsoft would WANT to fix a problem in Firefox

      So uhmm what was the point of this post at all? Anyone in Microsoft's position wouldn't want to fix their competitors' software, it being OSS or not.

      Firefox isn't just a browser competing to IE on Windows. It's a browser on Windows that works the same on Mac and Linux. That's horrible for MS as the browser becomes the most important application ever to be had on an OS.

    3. Re:Pay attention by nsebban · · Score: 1

      I'm very curious about the way the community would react if Microsoft provided a patch to an open-source app, just like they could have done in this case.

      --
      ____
      nico
      Nico-Live
  9. Firefox? by Erris · · Score: 1, Troll

    They're fixing other applications (Firefox in this case)

    Did you really say and believe that? Congratulations, you have outdone M$ themselves. Let's review:

    • the problem happened if you installed IE7, not before.
    • M$ has just admitted their mistaken way of dealing with urls in XP and 2003.

    How is that Firefox again? Yes, I saw in the recap where "MSRCTEAM" mentions their previous friendly blame cast, I mean "advice", to the Firefox team. Can you tell me how that intersects reality again?

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
    1. Re:Firefox? by Anonymous Coward · · Score: 1, Informative

      Firefox installed the URL handler that was vulnerable. The fact that IE6 and IE7 treat URLs in different ways caused it not to be vulnerable under IE6.

      But it was still Firefox that installed the vulnerability. Without Firefox, NOTHING was vulnerable.

      So, yes, they're fixing Firefox's bug.

    2. Re:Firefox? by Kalriath · · Score: 4, Informative

      Well, actually, there are two issues being mentioned here. One, where Windows itself mishandles the URI. This is the one where a % symbol is included in the URI and ShellExecute stupidly tries to fix it (demons know how it manages to mangle it into an actual working executable path). The other, which Microsoft correctly attributes to third party vendors, is where when a protocol handler is called, no escaping of quotes is done - often causing apps like Firefox, or Trillian, or whatever, to actually accept half the URI as command line parameters.

      The mistake made by the GP (and potentially yourself, as you refer to the "blame cast" with the Firefox team which from memory only occurred with the issue in June with a malicious URIs terminating the quoted string and including Chrome parameters) is that they assume the second option is the one which is being fixed. It is not. This will potentially still be a problem if applications don't continue to validate their URIs appropriately, as Windows doesn't know exactly what your application does to escape quotes.

      One of these is a vulnerability. The other is third party applications violating a basic tenet of development (no input is trusted).

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    3. Re:Firefox? by ozmanjusri · · Score: 3, Informative
      Without Firefox, NOTHING was vulnerable.

      Rubbish.

      There's a whole shopping list of apps, including IE7 itself that were exposed to this vulnerability. Firefox was just the first to be accused.

      Microsoft's only changed it's tune because Adobe's on the case with the Acrobat vulnerability. It's one thing to force a FOSS competitor to unnecessarily patch, but they'll have no luck with trying to force Adobe to fix every PDF reader out there.

      --
      "I've got more toys than Teruhisa Kitahara."
    4. Re:Firefox? by Anonymous Coward · · Score: 2, Informative

      The other, which Microsoft correctly attributes to third party vendors, is where when a protocol handler is called, no escaping of quotes is done

      OK, let's break down the steps to executing a program here. Now, I know Microsoft has their way of doing it, but really, it's exactly the same fucking thing with the same fucking array of arguments as parameters to the main function.

      1) program A decides it wants to run program B with some arguments
      2) program A assembles the argument list, and selects a member of the exec*() family to call
      3) program A executes program B with the arguments that A prepared.

      It's not the receiving program's responsibility to try and reassemble its arguments to figure out what the calling program actually meant to pass in, well unless your program runs on Windows, I guess. "Escaping of quotes" is supposed to have already been taken care of by the time the first line of code in main(argc,argv) executes and wants to see what it got in argv[1]. But hey, I'm sure you have a really good reason why the OS is capable of dealing with quoted arguments correctly when I type "C:\Program Files\Somewhere" but can't be bothered to handle it correctly specifically when parsing a URL that explains exactly how it is not the URL parser that is broken?

    5. Re:Firefox? by Kalriath · · Score: 1

      Well, here's the thing:

      What's exec()? Windows has ShellExecute(). ShellExecute for parameters accepts a single blind string. With this string, it passes it straight to an app to decide how it wants to interpret it. In your example, it's because it doesn't need to escape quotes to open "C:\Program Files\Somewhere" - which is good, because it has no idea how your application escapes quotes anyway. Does it use C syntax? Does it use BASIC syntax? Does it use Pascal syntax? Since it doesn't know these, it cannot escape your URL. As a result, you shouldn't be writing applications that expect it to.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    6. Re:Firefox? by ozmanjusri · · Score: 2, Interesting
      "M$" has modified the way it works, which does not mean it's "mistaken".

      Yes it does.

      This is from the Technet mea culpa blog posting by MSRC's Jonathan.

      With Internet Explorer 7 installed, the flow is a bit different. IE7 began to do more validation up front to reject malformed URI's. When this malformed URI with a % was rejected by IE7, ShellExecute() tries to "fix up" the URI to be usable. During this process, the URI is not safely handled. IE7 rejects the URI, and on Windows Vista ShellExecute() gracefully rejects the URI. That's not the case on the older versions of Windows like Windows XP and Windows Server 2003 when IE7 is installed. Spin the facts as much as you like here, but anyone with a clue knows it is Microsoft's vulnerability. That's why they're the only ones who can fix it.
      --
      "I've got more toys than Teruhisa Kitahara."
    7. Re:Firefox? by dedazo · · Score: 1
      I wasn't referring to the vulnerability in shell32 itself, but to the way applications handle escape quotes in URIs passed to registered handlers like "chrome://".

      Most people (yourself included, apparently) don't understand that this is a two-way street. Microsoft can fix errors in their code, but they can do fuck all about what Firefox or Adobe Reader do with the input passed to them. But then it's so much fun to spin that part, isn't it?

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    8. Re:Firefox? by ozmanjusri · · Score: 1
      Microsoft can fix errors in their code, but they can do fuck all about what Firefox or Adobe Reader do with the input passed to them.

      Which platforms does this vulnerability exist on?

      Why aren't Firefox, mIRC, Adobe Acrobat, Outlook Express, Outlook 2000 and others vulnerable when they're installed on Linux? On Windows without IE7? On a Mac? Why didn't the vulnerability exist until IE7 was installed?

      Your bosses have accepted it's their problem. Why don't you?

      --
      "I've got more toys than Teruhisa Kitahara."
    9. Re:Firefox? by HeroreV · · Score: 2, Insightful

      If Internet Explorer was sending Firefox a valid URL, it wouldn't have to worry about escaping anything. Valid URLs don't contain whitespace, quotation marks, backslashes, or anything else that would need to be escaped. Why should Firefox expect to receive malformed URLs?

    10. Re:Firefox? by dedazo · · Score: 1

      Your bosses have accepted it's their problem.

      Ooooh, that's so clever. Well, that does it for me. I won't bother you anymore, since surely there are other minions of the evil empire you must do battle with?

      Good luck!

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    11. Re:Firefox? by houseofzeus · · Score: 1

      Ok, say Microsoft did decide to handle that and validate the http protocol URI's. What about the umpteen other URI types that can be exploited in the same manner? Would you expect Microsoft to work out what constitutes 'valid' for each of these too (many of which may well be wholely and solely products of 3rd party vendors)? Or would you expect that they just handle the common ones like http? If the later then who gets to decide what is common or valid, and who is to blame later on when third party X changes what is 'valid' for a given URI type?

    12. Re:Firefox? by Random832 · · Score: 1

      which is good, because it has no idea how your application escapes quotes anyway. Well, for a filename (your "C:\Program Files\somewhere" example is not a URL), this issue is mitigated by the fact that filenames cannot contain quotes.

      It would not, though, be out of line for applications passing URLs into shellexec to escape quotes (at the very least, double quotes) with URI escaping syntax, in order to guarantee that _they_ do not contain quotes. They should already be escaping spaces, anyway, so this shouldn't have happened regardless
      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
    13. Re:Firefox? by Macthorpe · · Score: 1

      Why aren't Firefox, mIRC, Adobe Acrobat, Outlook Express, Outlook 2000 and others vulnerable when they're installed on Linux? On Windows without IE7? On a Mac? Why didn't the vulnerability exist until IE7 was installed? Well, if you didn't have a computer, then it wouldn't be a problem at all, so I guess it's Charles Babbage's fault. Then again, if he wasn't born, it still wouldn't have happened, so it's his parents fault. I guess also if the Earth didn't exist, then it's the fault of either your chosen deity or science, depending.

      Just because a problem can't exist without something else, it doesn't mean it's their fault. Here we go, car analogy - someone smashes into the side of your car and injures you. Once out of hospital, you go to the garage and get the sides reinforced so that a future impact there can't hurt you. Just because you've taken the time to fix the possibility of someone injuring you, does it mean it's any less someone else's fault that they smashed into you? No. The "OMG M$ IS FIXING IT SO THEY'RE ADMITTING FAULT" argument is completely spurious.

      Anyone confused with the issue needs to read the MSRC blog. There are two issues here.

      Fault 1: Programs are receiving malformed URIs and instead of handling them, throwing up strings that they then send to ShellExecute(). Microsoft can't block these because there are other programs that use those handlers legitimately.

      Fault 2: This is the result of the difference you're seeing. IE7 and Vista have URI verification in place to stop this kind of attack happening, XP and earlier do not. IE7 checks the handler - however the presence of the % sign means that IE7 tries to fix it, fails, then passes it onto ShellExecute() to fix. On Vista, it's rejected, but on XP the handler isn't as good - so malformed handlers occasionally slip through the net.

      The second fault is what they're fixing, not the vulnerability in Firefox. If the tightening of the handlers for IE7 and XP/2003 does fix the 3rd party handler problem, great, but that doesn't make it Microsoft's fault.

      In a final note I know it's tough when people don't agree with you, but it's sad to assume that they don't agree with you because they're being paid to do it. You're just not that important.
      --
      "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
    14. Re:Firefox? by I'm+Don+Giovanni · · Score: 1

      What if a user opened cmd.exe and executed "Firefox ". Is cmd.exe supposed to clean up the command line before passing it to Firefox? It's up to apps themselves to parse and validate whatever is passed as the command line. This is programming 101 stuff.

      --
      -- "I never gave these stories much credence." - HAL 9000
    15. Re:Firefox? by g1zmo · · Score: 1

      Software Development Rule #7:

      Be liberal in what you accept and strict in what you emit.

      --
      I have found there are just two ways to go.
      It all comes down to livin' fast or dyin' slow.       -REK, Jr.
    16. Re:Firefox? by houseofzeus · · Score: 1

      If it were as simple as just applying the RFC for generic URIs this would never have snowballed the way it has. The point is that 3rd party applications can still be and will continue to be vulnerable in this manner if they don't validate URI's from untrusted sources. I suspect the reason URIs were left unvalidated by ShellExec in the first place may have been that if you put generic validation there 3rd parties could well get lazy and fail to do their own further validation (with the additional context of whatever URI type they are specifically interested in), which as it turns out is what many fail to do anyway.

      Even if ShellExec is extended to validate URIs under the generic spec (which from my read of the provided articles looks like what MS are doing) what is valid in a generic sense may still be just as invalid (or even in some cases dangerous) given the contect of a specific URI type.

    17. Re:Firefox? by rk075906 · · Score: 1

      Is Windows a virus? No, Windows is not a virus. Here's what viruses do: 1. They replicate quickly - okay, Windows does that. 2. Viruses use up valuable system resources, slowing down the system as they do so - okay, Windows does that. 3. Viruses will, from time to time, trash your hard disk - okay, Windows does that too. 4. Viruses are usually carried, unknown to the user, along with valuable programs and systems. Sigh... Windows does that, too. 5. Viruses will occasionally make the user suspect their system is too slow (see 2.) and the user will buy new hardware. Yup, that's with Windows, too. Until now it seems Windows is a virus but there are fundamental differences: Viruses are well supported by their authors, are running on most systems, their program code is fast, compact and efficient and they tend to become more sophisticated as they mature. So Windows is not a virus. It's a bug.

  10. Re:In Vista it doesn't even act properly by plague3106 · · Score: 1

    Hmm.. I happen to have Vista Ultimate, and Office 2007. I just clicked a link in Outlook and it opened FF just fine even though FF wasn't already open. How do you reproduce the error you describe?

  11. Nothing new here by GodfatherofSoul · · Score: 1, Interesting

    Microsoft is a pain when it comes to protocols. If they have a bug, unless it blows up Fortune 500 servers they put the burden on you to work around them. I wrote a HTTP proxy client lib a while back that ran with no problems for months/years until Microsoft got into our market. "But the RFC says..." means jack to your clients when their deployment is bombing out on transactions.

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
    1. Re:Nothing new here by rs79 · · Score: 1

      "But the RFC says..."

      Welcome to reality. If you made a mail daemon that worked according to spec nobody would be able to use it.

      If you saw the errors in SSL browsers ignoered just to they look like they're working you'd shit.

      --
      Need Mercedes parts ?
  12. Re:In Vista it doesn't even act properly by plague3106 · · Score: 1

    Hmm, I'm on the 32-bit OS. Maybe it was fixed in a recent update?

  13. Did the submitter read the links they included? by Keeper · · Score: 4, Informative

    There are two "bugs" being talked about.

    1) an exploit in firefox URI protocol handler
    2) an exploit related to how explorer handles rejected URIs from IE7 on XP/Win2k3

    Apparently the submitter isn't able to differentiate #2 from #1.

    The advisory is for item #2. Item #2 is going to get fixed. The advisory does not cover item #1. Item #1 will need to be fixed in the protocol handler itself.

    1. Re:Did the submitter read the links they included? by Random832 · · Score: 2, Informative

      And while we're here, can anyone explain why the firefoxurl handler exists at all? Though these are url handler keys instead of programs, imagine that firefoxurl is the real binary, and firefox sets up http, ftp, and so on, as symlinks to it. It can't put the real handler at 'http', since that could be overwritten by IE if someone opens IE and checks "make this my default web browser".
      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
  14. Summary is wrong by HappyUserPerson · · Score: 1
    From the MSRC blog post (linked in the summary):

    While we might have been able to make changes in some Windows APIs to block these attacks, doing so could break how the 3rd party applications intended those protocol handlers to function. As a result, we recommend that the owners of the applications themselves address the potential issues since they understand their code the best. For example, application protocol handler authors must take special care to validate every argument which is passed in on the command line.

    The parameter handling is not being modified to prevent applications from receiving potentially malformed URLs as command line parameters. It remains the responsibility of the applications which handle URLs to properly parse their own command line parameters and to set up the applications protocol handler in a way that does not cause the application to be a vector of attack (for example, 'firefox.exe "%1"' might be a problem). The flaw that is being fixed has to do with improper handling of some protocols (http, mailto) on XP/2003 with IE7 installed, which has nothing to do with custom protocol handlers.

    The MSRC post was meant to clarify the issue. Sadly, it seems that the substance of the post is ignored and misinformation prevails.

  15. Re:From one side of the mouth, then the other by Gary+W.+Longsine · · Score: 1

    Even though the parent forgot, "... and blame the developers of third party applications..." it was otherwise accurate, if blunt. The Troll mod is unfair. Mod, you will be punished in meta-mod land.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  16. Re:Fanboy Bullshit at it's Finest. by Planesdragon · · Score: 4, Insightful


    You must have slept through that whole anti-trust thing, where the Federal government proved that M$ did everything in it's power to break Netscape.

    Psst. Netscape is not a competitor to Windows. Never was.

    MS cripples themselves when they try and lean on Windows to get IE, or Office, or Visual Studio more market share. But Windows itself -- well, there's been to date, what, four serious attempts at competting with MS, and they haven't even managed to get half the market between them?

    BeOS, UNIX et al, OS/2, and the Mac. All told, maybe 30% of the worldwide userbase. Microsoft is doing something right -- or else the "here, you can have this for free" crowd is doing something even worse than MS.

  17. Re:Fanboy Bullshit at it's Finest. by absoluteflatness · · Score: 2, Insightful

    Psst. Netscape is not a competitor to Windows. Never was...
    MS cripples themselves when they try and lean on Windows...

    Well, the grandparent never said that Netscape was a competitor to Windows, but it sure was a competitor with Internet Explorer. Considering that Internet Explorer completely crushed Netscape due to it being free and bundled with Windows (and, eventually, a better product), I think that Microsoft's plan of leaning on their Windows dominance to sell their other products seems like a pretty successful one. Of course, of these, only IE is "bundled". For Office and Visual Studio, it's really a two-way street. People get Office or VS because they're the de-facto standard on Windows, then they stay with Windows so they can keep the same office suite/IDE.

    They seemed to "cripple" themselves with the decaying quality of IE before the release of version 7, but really, it's a consequence of how they dominated the market so effectively. When there's no real competition, why bother innovating? If anything, Microsoft's business model sometimes works too well for their own good.

  18. Re:Fanboy Bullshit at it's Finest. by durin · · Score: 1

    Microsoft is doing something right

    Unfortunately, the thing they're doing right is wrong (they're a monopoly, remember?)

    --
    Why, yes! I AM new here.
  19. Whole thing reminds me of PHP XSS attacks... by LingNoi · · Score: 1

    Is it PHP's fault that people don't escape their data before executing MySQL statements? No. Still it's such a wide problem that PHP is now going to escape all data in later versions of PHP.

    This is the exact same situation. There are problems with un-escaped data and Microsoft doesn't want to bother much like the PHP team did before they changed their minds about the situation.

    The only difference here is the way the code executes. I personally think it's not Microsoft's fault but they should fix it anyway. If they're that freaked out about backwards compatibility then just have an "on" or "off" switch in the registry so for the 0.1% of people that need it to stay the same have that option, but the vast majority are covered.

    1. Re:Whole thing reminds me of PHP XSS attacks... by Random832 · · Score: 1

      Is it PHP's fault that people don't escape their data before executing MySQL statements? No. Still it's such a wide problem that PHP is now going to escape all data in later versions of PHP. wtf does "escape all data" even mean? Data coming out of the database gets escaped? Data read in from files? Contents of string literals? Arguments to "echo"? How does it know whether to escape for SQL, for HTML [&lt; etc], or for something else? magic? You put "XSS" in the subject line, yet talk about MySQL in the body, which have nothing to do with each other (hint: XSS attacks are usually caused when you actually WANT the other person to be able to write HTML generally, but fail to prevent them from adding script tags. "escaping all data", if you mean HTML escaping, will turn all their legitimate HTML tags into "escaped" <b> etc.)
      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
    2. Re:Whole thing reminds me of PHP XSS attacks... by Limburgher · · Score: 1

      No, XSS != SQL injection. SQL injection is more relevant here, and to prevent it, you escape any data you didn't generate yourself before using it in any way with an SQL query. Even if that data came from the database.

      See www.php.net and look up mysql_real_escape_string() and pg_escape_string(). There are other functions for other purposes, but proper use of one of these two will save you lots of pain.

      --

      You are not the customer.

    3. Re:Whole thing reminds me of PHP XSS attacks... by Random832 · · Score: 1

      Yeah, but the GP suggested that the next version of PHP will "automatically escape all data", thus magically preventing both sql injections AND xss.

      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
  20. OT: Your last blog entry by dylan_- · · Score: 1

    Font sizes are in points. They won't be the correct size if your display size isn't being picked up correctly, which sounds likely. Try setting DisplaySize in your xorg.conf and see if it makes a difference. Remember to make a backup copy first, so you can just copy it back in play if something screws up.

    --
    Igor Presnyakov stole my hat
  21. Re:Fanboy Bullshit at it's Finest. by houseofzeus · · Score: 2, Insightful

    Being a monopoly is not, in itself, illegal.

  22. "Flip-Flops"? by Mode_Locrian · · Score: 1

    I'm quite aware that this is completely off-topic, but "Flip-Flops"? This locution, imported from contemporary political discourse, no doubt, irritates me to no end. Why not just say what you mean--namely: "changes its (or, in the case of persons, his/her) mind"? Or is this neologism supposed to mean something else that I'm not aware of (I doubt it, but who knows)?

    1. Re:"Flip-Flops"? by Lord+Bitman · · Score: 1

      The phrase "flip-flops" officially died the first time one pundit quoted another by using it without attributing the source. Same with quagmire. These are now gone from the English language. Please do not use them.

      --
      -- 'The' Lord and Master Bitman On High, Master Of All
  23. Only a problem if you omit the http: by giafly · · Score: 2, Informative

    Create a shortcut on your desktop called 'www.slashdot.org' which points to 'www.bbc.co.uk'.
    Now visit www.slashdot.org in IE.
    Visiting www.slashdot.org is broken
    Visiting http://www.slashdot.org/ works fine

    IE seems to store the http: in favorites etc., so it's not much of a problem.
    Also it doesn't affect Firefox so almost nobody will notice.
    --
    Reduce, reuse, cycle
    1. Re:Only a problem if you omit the http: by mrRay720 · · Score: 2, Informative

      Actually this sounds like expected behaviour. www.slashdot.org isn't a valid address, people are just used to the user-friendly auto-appending of http://./

      www.slashdot.org is the name of a file in a location that IE searches for named shortcuts.

      What IE is doing in this case is preferring an exact match over an autoguess.

      The only arguement here is if IE should be searching the desktop for URL shortcuts, and considering how many people use their desktop in lieu of the favourites menu, I don't think that it's an unreasonable feature.

      If you want to go to http://www.slashdot.org/ - type that in. Leave room for the software to guess, and well, it will guess.

  24. It's a philosophical bug nonetheless.. by zukinux · · Score: 1

    If program A and program B are installed, and while the user uses program A (Internet Explorer) and a specific bug causes that if program B (firefox) is installed and the user is currently using program A, malicious user can cause program A to pass parameters which will not be checked on program B.

    So who is guilty? Program A for allowing to pass those parameters? or Program B which doesn't sanitize input from other programs?
    I'd say, both.

    --
    Read and Comment at my BLOG
    !!!
  25. Re:Fanboy Bullshit at it's Finest. by fork_daemon · · Score: 1

    Being a monopoly is not, in itself, illegal. It isn't illegal, but it leads to illegal behaviour. Remember the buying the vote for OOXML story?
  26. Hmmm.... and I was modded as Troll by foniksonik · · Score: 1

    I just stated this on the Adobe vulnerability story.... clickie to see the irony

    My post:

    "Is it really an Adobe vulnerability? Seems more like it's an IE vulnerability that has been blame-shifted to whoever writes the plugins that might expose it for what it is."

    Replies:

    "From what I understand, and there isn't much in the way of technical details available, this is not an IE flaw. IE, correctly, doesn't assume that a URI is invalid just because it looks odd. This is correct, because there is no way IE can know if an URI for another protocol is valid or invalid. It is the responsibility of the target program to sanitize its input, knowing full well that it comes from an untrusted source."

    Methinks some credit is due.... or maybe more troll mods? it is /.

    --
    A fool throws a stone into a well and a thousand sages can not remove it.
  27. What, me worry? by angus_rg · · Score: 1

    Is anyone surprised that a big business swears there is no problem until they have a solution.

    1. Re:What, me worry? by TT076659 · · Score: 1

      A company says "We offer the best in security to ensure the protection of your business without any problems".

      Few weeks later..

      The company says "We have discovered an issue with bla bla bla, please visit bla bla bla to get the update".

  28. The terms `flip-flop` and `Microsoft` together? by octaene · · Score: 1

    Usually, the terms `flip-flop` and `Microsoft` together in a sentence bring out the MS-bashers and Linux advocates. But to be frank, this is a good thing for Microsoft to do. Their previous argument was pretty solid, because how are Microsoft to anticipate each and every URL registration made by a third-party application writer? Answer: they can't.

    So by now admitting to plans to write a more strict handling routine for the shell URI interpreter, Microsoft is not kowtowing to pressure from the free market (IMHO), but actually taking a step towards better security.

    Microsoft fanboiz or not, that's what we all want, right?

  29. Re:Fanboy Bullshit at it's Finest. by houseofzeus · · Score: 1

    Indeed, many people seem to mistakenly believe the former though, which is my gripe.

  30. Re:Microsoft has been a destroyer of standards... by SL+Baur · · Score: 1

    Microsoft has been a destroyer of standards, rather than a builder of standards. You must be new here. They're only doing what titans in the computer industry have done in the past. IBM (with OS 360), DEC (with VMS), etc.

    Standards have traditionally been whoever has the largest market share. They may change from vendor to vendor, but it has always been this way. Always.

    Sigh. When I went through college, there were no computer majors, but now it definitely seems time that there should be computer history majors ...
  31. Where's the logic? by Futurepower(R) · · Score: 1

    You seem to be saying that abuse is okay of someone has done that kind of abuse before.

  32. Re:Fanboy Bullshit at it's Finest. by pyrr · · Score: 1

    Just a quick point. UNIX=!free and it predates Microsoft operating systems by a pretty substantial span of time, and it's not a consumer desktop OS. BeOS=!free and kind of had a dearth of software developed for its platform OS|2=!free and it's basically a fork of NT from when IBM & Microsoft decided to take their respective marbles and go home when their collaboration fell apart. IBM didn't market it anywhere near as aggressively as Microsoft marketed NT. Mac=!free and the hardware has typically carried a ludicrously high price tag, while the selection of software is on the sparse side (most comp stores I've been in have the usual half-dozen full aisles of Win-PC software, to one-half of an aisle dedicated to Mac software). Linux=free, but its day isn't over yet. It's getting closer to that asymptote of "being ready for the consumer desktop", which is where folks like Shuttleworth want it to be, and if Canoical was to get more aggressive in marketing k/ubuntu to the masses, who knows what could happen? Percent by meager fraction of a percent, whatever market share ubuntu has today was achieved at what's probably a negligible cost-per-percent compared to the billions of marketing dollars Microsoft has spent hollowing-out a solid foothold in the marketplace over the past 20+ years. That's if you consider services like Shipit to be "advertising". Any estimates as to how much Microsoft spent trying to convince the public to buy Vista over the past year? And what's its overall market share is? I have my doubts that its shareholders like to think about such things...