Slashdot Mirror
Microsoft Flip-Flops On URI Protocol Handing Flaw
a-twitter writes "After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability, announcing in a security advisory that a Windows update will be released to revise URI handling code within ShellExecute() to be more strict. The MSRC blog explains the background and offers more details on this issue."
After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability
If it took them that many months, it sounds like they did a 1260.
The theory of relativity doesn't work right in Arkansas.
Now we won't have to read any more Slashdot comments that say, "It's not really Microsoft's problem."
> For traditionally "safe" protocols like mailto: or http:
And that's where my co-workers heard the cry of "You dumb motherfuckers".
It's been a few years since Microsoft boxes were out-of-the-box exploitable through anything other than rendering HTML content from either a web page or from within an email client.
While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.
If you're at Microsoft, and you still think of "http://" as "safe", you're still part of the problem, not part of the solution.
After being criticized about security, Microsoft has taken additional steps to shorten the time between when they advise a customer of a vulnerability and when it is fixed. Ballmer stated "This is a win for both the customer and Microsoft."
If Microsoft concedes that IE should validate/sanitize URL input before passing it to other applications, then other browsers should also validate/sanitize URL input before passing it to other vulnerable Microsoft/Adobe/IBM/... applications.
You're not paying attention. There were two flaws: One in Firefox, one in ShellExecute. Microsoft cannot and did not fix the flaw in Firefox (incorrect interpretation of command line). Microsoft did fix the bug in ShellExecute, which was by the failure to abort if URLMON returned an error code indicating that a given string was not a legal URI.
Well, actually, there are two issues being mentioned here. One, where Windows itself mishandles the URI. This is the one where a % symbol is included in the URI and ShellExecute stupidly tries to fix it (demons know how it manages to mangle it into an actual working executable path). The other, which Microsoft correctly attributes to third party vendors, is where when a protocol handler is called, no escaping of quotes is done - often causing apps like Firefox, or Trillian, or whatever, to actually accept half the URI as command line parameters.
The mistake made by the GP (and potentially yourself, as you refer to the "blame cast" with the Firefox team which from memory only occurred with the issue in June with a malicious URIs terminating the quoted string and including Chrome parameters) is that they assume the second option is the one which is being fixed. It is not. This will potentially still be a problem if applications don't continue to validate their URIs appropriately, as Windows doesn't know exactly what your application does to escape quotes.
One of these is a vulnerability. The other is third party applications violating a basic tenet of development (no input is trusted).
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Rubbish.
There's a whole shopping list of apps, including IE7 itself that were exposed to this vulnerability. Firefox was just the first to be accused.
Microsoft's only changed it's tune because Adobe's on the case with the Acrobat vulnerability. It's one thing to force a FOSS competitor to unnecessarily patch, but they'll have no luck with trying to force Adobe to fix every PDF reader out there.
"I've got more toys than Teruhisa Kitahara."
The other, which Microsoft correctly attributes to third party vendors, is where when a protocol handler is called, no escaping of quotes is done
OK, let's break down the steps to executing a program here. Now, I know Microsoft has their way of doing it, but really, it's exactly the same fucking thing with the same fucking array of arguments as parameters to the main function.
1) program A decides it wants to run program B with some arguments
2) program A assembles the argument list, and selects a member of the exec*() family to call
3) program A executes program B with the arguments that A prepared.
It's not the receiving program's responsibility to try and reassemble its arguments to figure out what the calling program actually meant to pass in, well unless your program runs on Windows, I guess. "Escaping of quotes" is supposed to have already been taken care of by the time the first line of code in main(argc,argv) executes and wants to see what it got in argv[1]. But hey, I'm sure you have a really good reason why the OS is capable of dealing with quoted arguments correctly when I type "C:\Program Files\Somewhere" but can't be bothered to handle it correctly specifically when parsing a URL that explains exactly how it is not the URL parser that is broken?
There are two "bugs" being talked about.
1) an exploit in firefox URI protocol handler
2) an exploit related to how explorer handles rejected URIs from IE7 on XP/Win2k3
Apparently the submitter isn't able to differentiate #2 from #1.
The advisory is for item #2. Item #2 is going to get fixed. The advisory does not cover item #1. Item #1 will need to be fixed in the protocol handler itself.
You must have slept through that whole anti-trust thing, where the Federal government proved that M$ did everything in it's power to break Netscape.
Psst. Netscape is not a competitor to Windows. Never was.
MS cripples themselves when they try and lean on Windows to get IE, or Office, or Visual Studio more market share. But Windows itself -- well, there's been to date, what, four serious attempts at competting with MS, and they haven't even managed to get half the market between them?
BeOS, UNIX et al, OS/2, and the Mac. All told, maybe 30% of the worldwide userbase. Microsoft is doing something right -- or else the "here, you can have this for free" crowd is doing something even worse than MS.
Yes it does.
This is from the Technet mea culpa blog posting by MSRC's Jonathan.
With Internet Explorer 7 installed, the flow is a bit different. IE7 began to do more validation up front to reject malformed URI's. When this malformed URI with a % was rejected by IE7, ShellExecute() tries to "fix up" the URI to be usable. During this process, the URI is not safely handled. IE7 rejects the URI, and on Windows Vista ShellExecute() gracefully rejects the URI. That's not the case on the older versions of Windows like Windows XP and Windows Server 2003 when IE7 is installed. Spin the facts as much as you like here, but anyone with a clue knows it is Microsoft's vulnerability. That's why they're the only ones who can fix it."I've got more toys than Teruhisa Kitahara."
MS cripples themselves when they try and lean on Windows...
Well, the grandparent never said that Netscape was a competitor to Windows, but it sure was a competitor with Internet Explorer. Considering that Internet Explorer completely crushed Netscape due to it being free and bundled with Windows (and, eventually, a better product), I think that Microsoft's plan of leaning on their Windows dominance to sell their other products seems like a pretty successful one. Of course, of these, only IE is "bundled". For Office and Visual Studio, it's really a two-way street. People get Office or VS because they're the de-facto standard on Windows, then they stay with Windows so they can keep the same office suite/IDE.
They seemed to "cripple" themselves with the decaying quality of IE before the release of version 7, but really, it's a consequence of how they dominated the market so effectively. When there's no real competition, why bother innovating? If anything, Microsoft's business model sometimes works too well for their own good.
If Internet Explorer was sending Firefox a valid URL, it wouldn't have to worry about escaping anything. Valid URLs don't contain whitespace, quotation marks, backslashes, or anything else that would need to be escaped. Why should Firefox expect to receive malformed URLs?
Being a monopoly is not, in itself, illegal.
Visiting http://www.slashdot.org/ works fine
IE seems to store the http: in favorites etc., so it's not much of a problem.
Also it doesn't affect Firefox so almost nobody will notice.
Reduce, reuse, cycle