Microsoft Flip-Flops On URI Protocol Handing Flaw

← Back to Stories (view on slashdot.org)

Microsoft Flip-Flops On URI Protocol Handing Flaw

Posted by kdawson on Thursday October 11, 2007 @11:46AM from the so-it's-a-bug dept.

a-twitter writes "After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability, announcing in a security advisory that a Windows update will be released to revise URI handling code within ShellExecute() to be more strict. The MSRC blog explains the background and offers more details on this issue."

19 of 126 comments (clear)

like a dervish, they are by User+956 · 2007-10-11 11:48 · Score: 4, Funny

After months of insisting there is nothing to patch, Microsoft has done a complete 180 on the URI protocol handling vulnerability

If it took them that many months, it sounds like they did a 1260.

--
The theory of relativity doesn't work right in Arkansas.
1. Re:like a dervish, they are by ricebowl · 2007-10-11 12:26 · Score: 4, Funny
  
  If it took them that many months, it sounds like they did a 1260.
  
  And here I'm still saving to buy the 360...
  
  Sigh...
2. Re:like a dervish, they are by ozmanjusri · 2007-10-11 13:50 · Score: 4, Funny
  
  Why don't you just twist a red glow-stick into a ring and glue it to the front of a cereal box? It'll work as well as most 360s do...
  
  --
  "I've got more toys than Teruhisa Kitahara."
Good. by Futurepower(R) · 2007-10-11 11:51 · Score: 5, Insightful

Now we won't have to read any more Slashdot comments that say, "It's not really Microsoft's problem."
1. Re:Good. by dedazo · 2007-10-11 11:55 · Score: 3, Informative
  
  No, it's not. Never was. They're fixing other applications (Firefox in this case), the way they hack their entire userspace to deal with application quirks and stupid use of undocumented structures and APIs that are not supported. But that's the price they ultimately have to pay for backwards compatibility - the reason they also still own 96% of the desktop.
  
  --
  Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
2. Re:Good. by clsours · 2007-10-11 12:36 · Score: 3, Insightful
  
  No, no, no. Windows automagically does all kinds of crap. Especially with explorer, which for most intents and purposes is also Internet Explorer. Windows does many many things for the user that are 'nice', but really compromise security. With a culture of obfuscation-as-security and a growing codebase you HAVE to expect vulnerabilities.
  
  --
  Seagoon: Shut up Eccles!
  
  Eccles: Shut up Eccles!
3. Re:Good. by Cassius+Corodes · 2007-10-11 13:07 · Score: 3, Funny
  
  Me. I'm gonna get a week's vacation docked.
  
  --
  Control is an illusion, order our comforting lie. From chaos, through chaos, into chaos we fly
4. Re:Good. by MadMidnightBomber · 2007-10-11 20:03 · Score: 5, Interesting
  
  Create a shortcut on your desktop called 'www.slashdot.org' which points to 'www.bbc.co.uk'[1]. Now visit www.slashdot.org in IE.
  
  Be afraid. Be very afraid.
  
  [1] OB /. - or possibly to goatse
  
  --
  "It doesn't cost enough, and it makes too much sense."
The Point: They're Still Missing It. by Tackhead · 2007-10-11 11:56 · Score: 5, Insightful

From TFA:
> For traditionally "safe" protocols like mailto: or http:
And that's where my co-workers heard the cry of "You dumb motherfuckers".
It's been a few years since Microsoft boxes were out-of-the-box exploitable through anything other than rendering HTML content from either a web page or from within an email client.
While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.
If you're at Microsoft, and you still think of "http://" as "safe", you're still part of the problem, not part of the solution.
1. Re:The Point: They're Still Missing It. by drsmithy · 2007-10-11 13:09 · Score: 4, Insightful
  
  And that's where my co-workers heard the cry of "You dumb motherfuckers".
  Maybe you should have kept reading (or you're just quoting out of context to sensationalise):
  For traditionally "safe" protocols like mailto: or http: applications often just verify the prefix and then choose to call into the Windows shell32 function ShellExecute() to handle it.
  
  And that's where my co-workers heard the cry of "You dumb motherfuckers".
  It's pretty clear from context that the implication is other applications consider those prefixes as "traditionally safe", and not that Microsoft does.
2. Re:The Point: They're Still Missing It. by Alwin+Henseler · 2007-10-11 13:45 · Score: 3, Insightful
  
  While the planet is grateful for the lack of uPnP and DCOM/RPC worms of late, it also means that "things that have to do with email or web browsing" are among the least safe things you can ask a computer to do.
  Which is really ridiculous, that normal users have come to expect (or should expect) that there are exploit-ridden websites which you should never visit, or else your system may get exploited and spyware/other crap gets installed behind the user's back.
  
  One could pass a web-server ANYTHING as a URI, and the server basically returns you a 'page', consisting of a number of elements which are then rendered for your viewing pleasure. From a conceptual point of view, that's pretty much a READ action, and (imho) users should not be wrong to think this is always safe, and has no chance of screwing up your system. That this is not true in real life doesn't mean users behave unwise or stupid, but that current popular OS'es are BROKEN. Regardless of where in those OS'es (or the applications on it) the cause lies.
  
  Now, for another point of view on these URI handling troubles: a) there exist malformed URI's, and b) pretty much everyone agrees they should not fsck up your system, but simply be handled. Either 'fixed' to be a valid URI, or simply be rejected as invalid. Now if you need to fix it anyway, where would be the best place to do so? In every application that handles URI's, or in 1 place where all those URI's pass through at some point in time anyway? Apart from the question of whether it would be the OS'es responsibility, I'd say inside the OS would be the easiest place to fix the 'malformed URI' problem as a whole. Also, if the OS isn't bothered by a malformed URI, and just returns an error to indicate the problem, applications (and through them) users are informed of that fact. Which would tell a user that a site he's browsing is either trying to screw him, hijack his system, or that the site maintainers are incompetent.
  
  If the OS doesn't accept malformed URI's period, then the system as a whole becomes safer to use, regardless of whether applications do their own URI validation or not. So fixing this in the Windows URI handler would seem like the most general, AND the easiest way to prevent malformed URI from doing any damage.
  
  Apart from that I think the article was well written and reasoned, claiming that input validation is really a shared responsibility, that both OS vendors AND 3rd party application developers should care about.
3. Re:The Point: They're Still Missing It. by Beryllium+Sphere(tm) · 2007-10-11 16:09 · Score: 3, Insightful
  
  More insight into how Microsoft thinks about these things at Larry Osterman's blog.
  
  Personally I'd point the finger at the idea of using ShellExecute on inadequately filtered data from the Internet.
Simple by Vlaadimir · 2007-10-11 12:48 · Score: 4, Interesting

If Microsoft concedes that IE should validate/sanitize URL input before passing it to other applications, then other browsers should also validate/sanitize URL input before passing it to other vulnerable Microsoft/Adobe/IBM/... applications.
Pay attention by Anonymous Coward · 2007-10-11 12:50 · Score: 5, Informative

You're not paying attention. There were two flaws: One in Firefox, one in ShellExecute. Microsoft cannot and did not fix the flaw in Firefox (incorrect interpretation of command line). Microsoft did fix the bug in ShellExecute, which was by the failure to abort if URLMON returned an error code indicating that a given string was not a legal URI.
1. Re:Pay attention by Alwin+Henseler · 2007-10-11 14:18 · Score: 5, Interesting
  
  There were two flaws: One in Firefox, one in ShellExecute. Excellent point.
  Microsoft cannot and did not fix the flaw in Firefox (..) Ehmm... wrong. Since Firefox is an open source project, ANYONE has the option to contribute patches, and Microsoft surely has the knowledge and resources to do so. Any decently managed open source project should accept patches from anyone, IF it provides a correct fix for a problem, and licensing of the patch is acceptable (like, licensed the same as the rest of the project).
  Though I can't think of a reason why Microsoft would WANT to fix a problem in Firefox, unless IE's market share has dropped below 1% ;-)
Re:Firefox? by Kalriath · 2007-10-11 13:58 · Score: 4, Informative

Well, actually, there are two issues being mentioned here. One, where Windows itself mishandles the URI. This is the one where a % symbol is included in the URI and ShellExecute stupidly tries to fix it (demons know how it manages to mangle it into an actual working executable path). The other, which Microsoft correctly attributes to third party vendors, is where when a protocol handler is called, no escaping of quotes is done - often causing apps like Firefox, or Trillian, or whatever, to actually accept half the URI as command line parameters.

The mistake made by the GP (and potentially yourself, as you refer to the "blame cast" with the Firefox team which from memory only occurred with the issue in June with a malicious URIs terminating the quoted string and including Chrome parameters) is that they assume the second option is the one which is being fixed. It is not. This will potentially still be a problem if applications don't continue to validate their URIs appropriately, as Windows doesn't know exactly what your application does to escape quotes.

One of these is a vulnerability. The other is third party applications violating a basic tenet of development (no input is trusted).

--
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Re:Firefox? by ozmanjusri · 2007-10-11 13:59 · Score: 3, Informative

Without Firefox, NOTHING was vulnerable.
Rubbish.
There's a whole shopping list of apps, including IE7 itself that were exposed to this vulnerability. Firefox was just the first to be accused.
Microsoft's only changed it's tune because Adobe's on the case with the Acrobat vulnerability. It's one thing to force a FOSS competitor to unnecessarily patch, but they'll have no luck with trying to force Adobe to fix every PDF reader out there.

--
"I've got more toys than Teruhisa Kitahara."
Did the submitter read the links they included? by Keeper · 2007-10-11 15:27 · Score: 4, Informative

There are two "bugs" being talked about.

1) an exploit in firefox URI protocol handler
2) an exploit related to how explorer handles rejected URIs from IE7 on XP/Win2k3

Apparently the submitter isn't able to differentiate #2 from #1.

The advisory is for item #2. Item #2 is going to get fixed. The advisory does not cover item #1. Item #1 will need to be fixed in the protocol handler itself.
Re:Fanboy Bullshit at it's Finest. by Planesdragon · 2007-10-11 16:14 · Score: 4, Insightful

You must have slept through that whole anti-trust thing, where the Federal government proved that M$ did everything in it's power to break Netscape.

Psst. Netscape is not a competitor to Windows. Never was.

MS cripples themselves when they try and lean on Windows to get IE, or Office, or Visual Studio more market share. But Windows itself -- well, there's been to date, what, four serious attempts at competting with MS, and they haven't even managed to get half the market between them?

BeOS, UNIX et al, OS/2, and the Mac. All told, maybe 30% of the worldwide userbase. Microsoft is doing something right -- or else the "here, you can have this for free" crowd is doing something even worse than MS.